From 6a7b98f177d40125a9c888953d33105ef4b03678 Mon Sep 17 00:00:00 2001
From: Diomidis Spinellis
Date: Fri, 19 Aug 2022 16:06:16 +0300
Subject: [PATCH] Add support for Apple's nonce_supported claim

Apple's authentication identity token can contain a non-standard nonce_supported claim. As specified, when this is set to false skip the nonce check. https://developer.apple.com/documentation/sign_in_with_apple/sign_in_with_apple_rest_api/authenticating_users_with_sign_in_with_apple
---
 test/option-nonce-supported.test.js | 41 +++++++++++++++++++++++++++++
 verify.js | 2 +-
 2 files changed, 42 insertions(+), 1 deletion(-)
 create mode 100644 test/option-nonce-supported.test.js

diff --git a/test/option-nonce-supported.test.js b/test/option-nonce-supported.test.js
new file mode 100644
index 0000000..9471a09
--- /dev/null
+++ b/test/option-nonce-supported.test.js
@@ -0,0 +1,41 @@
+'use strict';
+
+const jwt = require('../');
+const expect = require('chai').expect;
+const testUtils = require('./test-utils')
+
+describe('nonce and nonce_supported option', function () {
+
+ [
+ {
+ description: 'should succeed without nonce and without nonce support',
+ signParam: { nonce_supported: false },
+ verifyParam: { },
+ },
+ {
+ description: 'should succeed without nonce but with nonce support',
+ signParam: { nonce_supported: true },
+ verifyParam: { },
+ },
+ {
+ description: 'should succeed with nonce but without nonce support',
+ signParam: { nonce_supported: false },
+ verifyParam: { nonce: 'abcde' },
+ },
+ {
+ description: 'should succeed with nonce and nonce support',
+ signParam: { nonce: 'abcde', nonce_supported: true },
+ verifyParam: { nonce: 'abcde' },
+ },
+ ].forEach((testCase) => {
+ it(testCase.description, function (done) {
+ var token = jwt.sign(testCase.signParam, undefined, { algorithm: 'none' });
+ testUtils.verifyJWTHelper(token, undefined, testCase.verifyParam, (err) => {
+ testUtils.asyncCheck(done, () => {
+ expect(err).to.be.null;
+ });
+ });
+ });
+ });
+
+});
diff --git a/verify.js b/verify.js
index 8687eb5..20b0666 100644
--- a/verify.js
+++ b/verify.js
@@ -191,7 +191,7 @@ module.exports = function (jwtString, secretOrPublicKey, options, callback) {
 }
 
 if (options.nonce) {
- if (payload.nonce !== options.nonce) {
+ if (payload.nonce !== options.nonce && payload.nonce_supported !== false) {
 return done(new JsonWebTokenError('jwt nonce invalid. expected: ' + options.nonce));
 }
 }
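Review bot: Every row of the table in this new test file expects `err` to be null, so the suite would still pass if the nonce check in verify.js were removed entirely; the hunk adds no case proving the check still fires. The second case (`nonce_supported: true`, no nonce claim, no `verifyParam.nonce`) and the third (`nonce_supported: false`, no nonce claim, `verifyParam.nonce: 'abcde'`) are the interesting ones, but what they guard against is never pinned down by a failing counterpart. Add rows that carry an expected error, e.g. a token with `nonce: 'xyz'` and `nonce_supported: true` verified with `nonce: 'abcde'`, and one with a present-but-different `nonce` plus `nonce_supported: false`, and have the helper callback assert `err` is a `JsonWebTokenError` whose message starts with `'jwt nonce invalid'` instead of asserting null unconditionally. Minor style points: `const testUtils = require('./test-utils')` lacks the semicolon the neighbouring lines use, and `var token` should be `const token`.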
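Review bot: The new condition `payload.nonce !== options.nonce && payload.nonce_supported !== false` lets a claim inside the token itself switch off a check the verifier explicitly asked for via `options.nonce`, and it does so even when the payload carries a `nonce` that does not match — a present-but-wrong nonce is still a mismatch regardless of what `nonce_supported` says. Since this is the generic `verify()` path for every issuer, not an Apple-specific one, the opt-out should be narrowed to the absent-nonce case and, ideally, gated behind an explicit verify option so the default stays strict: `if (payload.nonce !== options.nonce && !(payload.nonce === undefined && payload.nonce_supported === false && options.allowNonceUnsupported)) {` (option name is a placeholder to be chosen to match the existing `options` naming). The diffstat shows no README change, so the relaxed behaviour is also undocumented for callers of `verify`. The enclosing `module.exports` function starts and ends outside this hunk.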