Remove the need to verify the token per request

[IamFlowZ]

Description

This small change enables the user to optionally set the JWT_SECRET environment variable.

Related Issue

Support for federated services

Motivation

I'm working on a project that leverage's AWS Cognito for user identities, and so I don't have access to the original key that is used to generate the token. It would be nice if there was functionality that allowed for tokens to be accepted even if they are unverified within this instance.

[IamFlowZ]

Any chances of this getting merged in soon?

[johnymontana]

@IamFlowZ Thanks for the PR!

I like the idea but I'm a little concerned that with this approach a user could mistakenly forget to set the JWT_SECRET environment variable and then would be susceptible to vulnerabilities where the jwt would not be verified.

How about if we required another environment variable to be set, like JWT_NO_VERIFY or something to explicitly indicate the JWT will not be verified? Then the logic would be something like

 if (!JWT_SECRET && JWT_NO_VERIFY) {
      return jwt.decode(id_token)
    } else if (!JWT_SECRET) {
      throw new Error(	 
        "No JWT secret set. Set environment variable JWT_SECRET to decode token."	 
      ); 
    }
   else {
      return jwt.verify(id_token, JWT_SECRET, {
        algorithms: ["HS256", "RS256"]
      });
    }

[mohamedGamalAbuGalala]

@johnymontana
I don't like that we need to provide another secret to handle this issue instead, we check the type of the JWT_SECRET

if (typeof JWT_SECRET === 'boolean') {
  // check the value if false return jwt.decode(id_token)
} else {
  // normal stuff like
  if (!JWT_SECRET) {
    throw new Error(
      'No JWT secret set. Set environment variable JWT_SECRET to decode token.'
    );
  }
}

This way if we want to ignore the decoding we just set the same env variable to false.
And it's a must to put the JWT_SECRET.

[IamFlowZ]

I agree that a flag plus the value is the better way to go. I think the typeof would be more negotiable, if we were working with pure javascript values. In node, unset environment variables return undefined. While undefined is still falsy it's probably better design to provide an explicit switch rather than an implicit type check. I will try to add this thought in this weekend. Thanks for the feedback :D

[IamFlowZ]

@johnymontana I've added that environment variable as well as a bit at the end of the readme about how to run the tests locally so as not to eat up circleci credits. If there's any other changes you'd like to set let me know. Thanks!!

[mohamedGamalAbuGalala]

👏 👏

[johnymontana]

Great - thanks!