feat: Remove nonce from jwt encode payload

Drieam · Dec 14, 2023 · 8c9f3b6 · 8c9f3b6
1 parent 477a748
commit 8c9f3b6
Show file tree

Hide file tree

Showing 2 changed files with 3 additions and 13 deletions.
diff --git a/lib/keypair.rb b/lib/keypair.rb
@@ -145,11 +145,7 @@ def jwt_encode(payload, headers = {})
 
  # Expiration time on or after which the tool MUST NOT accept the ID Token for
  # processing (epoch). This is mostly used to allow some clock skew.
- exp: Time.now.to_i + 5.minutes.to_i,
-
- # String value used to associate a tool session with an ID Token, and to mitigate replay
- # attacks. The nonce value is a case-sensitive string.
- nonce: SecureRandom.uuid
+ exp: Time.now.to_i + 5.minutes.to_i
  )
 
  # Add additional info into the headers

diff --git a/spec/models/keypair_spec.rb b/spec/models/keypair_spec.rb
@@ -312,18 +312,14 @@
  expect(decoded).to include payload
  end
  it 'adds security payloads' do
- expect(decoded.keys).to match_array %i[hex nested iat exp nonce]
+ expect(decoded.keys).to match_array %i[hex nested iat exp]
  end
  it 'sets iat to now', timecop: :freeze do
  expect(decoded[:iat]).to eq Time.current.to_i
  end
  it 'sets exp to 5 minutes from now', timecop: :freeze do
  expect(decoded[:exp]).to eq 5.minutes.from_now.to_i
  end
- it 'sets a generated nonce' do
- allow(SecureRandom).to receive(:uuid).and_return 'my-nonce'
- expect(decoded[:nonce]).to eq 'my-nonce'
- end
  it 'is encoded with the keypair and correct algorithm' do
  expect do
  JWT.decode(subject, keypair.public_key, true, algorithm: described_class::ALGORITHM)
@@ -340,12 +336,10 @@
  let(:payload) { { foo: 'bar', exp: 1.minute.ago.to_i } }
 
  it 'returns a JWT with the correct payload' do
- allow(SecureRandom).to receive(:uuid).and_return 'my-nonce'
  expect(decoded).to eq(
  foo: 'bar',
  iat: Time.current.to_i,
- exp: 1.minute.ago.to_i,
- nonce: 'my-nonce'
+ exp: 1.minute.ago.to_i
  )
  end
  it 'is cannot be decoded' do