Added support for JWT alg: 'none'.

js/common/modules/org/arangodb/crypto.js

@@ -163,18 +163,23 @@ function jwtUrlEncode(str) {
 
 exports.jwtEncode = function (key, message, algorithm) {
   'use strict';
-  if (algorithm) {
+  if (!algorithm) {
-    algorithm = algorithm.toUpperCase();
-  } else {
     algorithm = 'HS256';
-  }
+  } else if (algorithm.toLowerCase() === 'none') {
-  if (algorithm !== 'HS256') {
+    algorithm = 'none';
-    throw new Error('Only HS256 is supported at this time!');
+  } else if (algorithm.toUpperCase() === 'HS256') {
+    algorithm = 'HS256';
+  } else {
+    throw new Error('Only HS256 and none are supported at this time!');
   }
   var header = {typ: 'JWT', alg: algorithm}, segments = [];
   segments.push(jwtUrlEncode(new Buffer(JSON.stringify(header)).toString('base64')));
   segments.push(jwtUrlEncode(new Buffer(JSON.stringify(message)).toString('base64')));
-  segments.push(jwtUrlEncode(new Buffer(exports.hmac(key, segments.join('.'), 'sha256'), 'hex').toString('base64')));
+  if (algorithm === 'HS256') {
+    segments.push(jwtUrlEncode(new Buffer(exports.hmac(key, segments.join('.'), 'sha256'), 'hex').toString('base64')));
+  } else if (algorithm === 'none') {
+    segments.push('');
+  }
   return segments.join('.');
 };
 
@@ -201,14 +206,15 @@ exports.jwtDecode = function (key, token, noVerify) {
 
   if (!noVerify) {
     var header = JSON.parse(headerSeg);
-    if (header.alg !== 'HS256') {
+    if (header.alg.toUpperCase() === 'HS256') {
-      throw new Error('Only HS256 is supported at this time!');
+      if (!exports.constantEquals(
-    }
+        exports.hmac(key, segments.slice(0, 2).join('.'), 'sha256'),
-    if (!exports.constantEquals(
+          segments[2]
-      exports.hmac(key, segments.slice(0, 2).join('.'), 'sha256'),
+      )) {
-        segments[2]
+        throw new Error('Signature verification failed!');
-    )) {
+      }
-      throw new Error('Signature verification failed!');
+    } else if (header.alg.toLowerCase() !== 'none') {
+      throw new Error('Only HS256 and none are supported at this time!');
     }
   }
 

js/common/tests/shell-crypto.js

@@ -237,7 +237,9 @@ function CryptoSuite () {
         [ "secret", "arangodb", "hs256", "eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.ImFyYW5nb2RiIg.pyWsjffR5WfVkRxtckXKwh-emE2kmKH0ZJRCCllqIYc" ],
         [ "secret", "Arangodb", "hs256", "eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.IkFyYW5nb2RiIg.BjQqhHpWiGqi2RBeAjV1V0gkUBPNZHtKCu5rgeu9eno" ],
         [ "secret", {foxx: "roxx"}, "HS256", "eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJmb3h4Ijoicm94eCJ9.tCZwaqnZ7Wj9BljBndyDtINYWmmvr0eLsq8bkmtXhg0" ],
-        [ "SECRET", {foxx: "roxx"}, "HS256", "eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJmb3h4Ijoicm94eCJ9.oXcCBnmuv9GzqFc0_N2qFXLWKDjCKEmN015CccDAgfw" ]
+        [ "SECRET", {foxx: "roxx"}, "HS256", "eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJmb3h4Ijoicm94eCJ9.oXcCBnmuv9GzqFc0_N2qFXLWKDjCKEmN015CccDAgfw" ],
+        [ "secret", {foxx: "roxx"}, "none", "eyJ0eXAiOiJKV1QiLCJhbGciOiJub25lIn0.eyJmb3h4Ijoicm94eCJ9." ],
+        [ "SECRET", {foxx: "roxx"}, "none", "eyJ0eXAiOiJKV1QiLCJhbGciOiJub25lIn0.eyJmb3h4Ijoicm94eCJ9." ]
       ];
 
       data.forEach(function (value) {