From 42900caa79799eb10bfaf2ef86ee2baa145e11b9 Mon Sep 17 00:00:00 2001
From: Louca Dufault <40028187+loucadufault@users.noreply.github.com>
Date: Sun, 29 Jan 2023 20:10:54 -0800
Subject: [PATCH] Expose and document existing 'json' option in jws.decode and jws.createVerify APIs
---
 lib/verify-stream.js | 3 +-
 readme.md | 9 ++++--
 test/jws.test.js | 69 ++++++++++++++++++++++++++++++++++++++++++++
 3 files changed, 78 insertions(+), 3 deletions(-)
diff --git a/lib/verify-stream.js b/lib/verify-stream.js
index 39f7c73..a97fee2 100644
--- a/lib/verify-stream.js
+++ b/lib/verify-stream.js
@@ -83,6 +83,7 @@ function VerifyStream(opts) {
 var secretStream = new DataStream(secretOrKey);
 this.readable = true;
 this.algorithm = opts.algorithm;
+ this.json = opts.json;
 this.encoding = opts.encoding;
 this.secret = this.publicKey = this.key = secretStream;
 this.signature = new DataStream(opts.signature);
@@ -100,7 +101,7 @@ util.inherits(VerifyStream, Stream);
 VerifyStream.prototype.verify = function verify() {
 try {
 var valid = jwsVerify(this.signature.buffer, this.algorithm, this.key.buffer);
- var obj = jwsDecode(this.signature.buffer, this.encoding);
+ var obj = jwsDecode(this.signature.buffer, {json: this.json, encoding: this.encoding});
 this.emit('done', valid, obj);
 this.emit('data', valid);
 this.emit('end');
diff --git a/readme.md b/readme.md
index 2f32dca..c36897d 100644
--- a/readme.md
+++ b/readme.md
@@ -83,6 +83,10 @@ Note that the `"alg"` value from the signature header is ignored.
 (Synchronous) Returns the decoded header, decoded payload, and signature parts of the JWS Signature.
+Options:
+
+* `json` (Optional, defaults to `false`)
+
 Returns an object with three properties, e.g.
 ```js
 { header: { alg: 'HS256' },
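Review bot: In `VerifyStream`, the added `this.json = opts.json;` stores whatever the caller passed, so presumably any truthy value (a non-empty string such as `'false'`, or a stream object like the neighbouring options accept) would switch payload parsing on. Since this flag decides whether a payload gets JSON-parsed, it reads better as a strict opt-in: `this.json = opts.json === true;`, or at minimum a comment such as `// boolean flag; unlike signature/secret this is never a stream`. The constructor body starts and ends outside the hunk.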
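Review bot: In `VerifyStream.prototype.verify`, `jwsDecode` runs on `this.signature.buffer` regardless of `valid`, so with the new `json` option a payload whose signature check failed is still JSON-parsed and handed to `'done'` listeners alongside `valid`. That ordering predates this commit, but now that the option is public it deserves a comment above the call, e.g. `// obj is decoded from the token as received; listeners must check valid before trusting obj.payload`. A parse failure with `json` set presumably lands in the `catch` belonging to this `try`, which lies outside the hunk; it is worth confirming that path surfaces as an error rather than as a result.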
@@ -141,9 +145,10 @@ Options:
 * `algorithm`
 * `key` || `publicKey` || `secret`
 * `encoding` (Optional, defaults to 'utf8')
+* `json` (Optional, defaults to `false`)
-All options expect a string or a buffer when the value is known ahead of
-time, or a stream for convenience.
+All options (except `encoding` and `json`) expect a string or a buffer
+when the value is known ahead of time, or a stream for convenience.
 Example:
diff --git a/test/jws.test.js b/test/jws.test.js
index aa11bdd..f4eed33 100644
--- a/test/jws.test.js
+++ b/test/jws.test.js
@@ -301,6 +301,75 @@ test('jws.decode: with invalid json in body', function (t) {
 t.end();
 });
+test('jws.decode: with typ of \'JWT\' in header', function (t) {
+ const header = { alg: 'HS256', typ: 'JWT' };
+ const encoding = 'utf8';
+ const jwsObj = jws.sign({
+ header: header,
+ payload: payload,
+ secret: 'sup',
+ encoding: encoding,
+ });
+ const parts = jws.decode(jwsObj);
+ t.same(parts.payload, payload, 'should match JSON-parsed payload');
+ t.end();
+});
+
+test('jws.decode: with missing typ in header', function (t) {
+ const header = { alg: 'HS256' };
+ const jwsObj = jws.sign({
+ header: header,
+ payload: payload,
+ secret: 'sup',
+ encoding: 'utf8',
+ });
+ const parts = jws.decode(jwsObj);
+ t.same(parts.payload, JSON.stringify(payload), 'should match encoded payload');
+ t.not(parts.payload, payload, 'should not match JSON-parsed payload');
+ t.end();
+});
+
+test('jws.decode: with invalid typ in header', function (t) {
+ const header = { alg: 'HS256', typ: 'not a typ' };
+ const jwsObj = jws.sign({
+ header: header,
+ payload: payload,
+ secret: 'sup',
+ encoding: 'utf8',
+ });
+ const parts = jws.decode(jwsObj);
+ t.same(parts.payload, JSON.stringify(payload), 'should match encoded payload');
+ t.not(parts.payload, payload, 'should not match JSON-parsed payload');
+ t.end();
+});
+
+test('jws.decode: with missing typ in header, and json option set', function (t) {
+ const header = { alg: 'HS256' };
+ const jwsObj = jws.sign({
+ header: header,
+ payload: payload,
+ secret: 'sup',
+ encoding: 'utf8',
+ });
+ const parts = jws.decode(jwsObj, {json: true});
+ t.same(parts.payload, payload, 'should match JSON-parsed payload');
+ t.end();
+});
+
+test('jws.decode: with missing typ in header, and json option set to null', function (t) {
+ const header = { alg: 'HS256' };
+ const jwsObj = jws.sign({
+ header: header,
+ payload: payload,
+ secret: 'sup',
+ encoding: 'utf8',
+ });
+ const parts = jws.decode(jwsObj, {json: null});
+ t.same(parts.payload, JSON.stringify(payload), 'should match encoded payload');
+ t.not(parts.payload, payload, 'should not match JSON-parsed payload');
+ t.end();
+});
+
 test('jws.verify: missing or invalid algorithm', function (t) {
 const header = Buffer.from('{"something":"not an algo"}').toString('base64');
 const payload = Buffer.from('sup').toString('base64');
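Review bot: Every added case calls `jws.decode` directly, so the line this commit changes in `VerifyStream.prototype.verify` (the options object now passed to `jwsDecode`) is not exercised by any new test. A `jws.createVerify` case with `json: true` and a header lacking `typ` would pin that the flag reaches the decoder and that `'done'` reports `valid` together with the parsed payload. A companion case signed with one secret and verified with another would pin that `valid` is false even though a payload object is still emitted. The sketch below covers the first case and assumes the module-level `payload` that the surrounding tests use.

```javascript
test('jws.createVerify: with missing typ in header, and json option set', function (t) {
  const jwsObj = jws.sign({
    header: { alg: 'HS256' },
    payload: payload,
    secret: 'sup',
  });
  jws.createVerify({
    signature: jwsObj,
    algorithm: 'HS256',
    secret: 'sup',
    json: true,
  }).on('done', function (valid, obj) {
    t.ok(valid, 'should verify');
    t.same(obj.payload, payload, 'should match JSON-parsed payload');
    t.end();
  });
});
```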