From 8c9f3b666be30ef5ec554a9f2f3b095145a1b767 Mon Sep 17 00:00:00 2001
From: Koen Sengers
Date: Thu, 14 Dec 2023 15:21:14 +0100
Subject: [PATCH] feat: Remove nonce from jwt encode payload
---
 lib/keypair.rb | 6 +-----
 spec/models/keypair_spec.rb | 10 ++--------
 2 files changed, 3 insertions(+), 13 deletions(-)
diff --git a/lib/keypair.rb b/lib/keypair.rb
index f80a4c3..03867ad 100644
--- a/lib/keypair.rb
+++ b/lib/keypair.rb
@@ -145,11 +145,7 @@ def jwt_encode(payload, headers = {})
 # Expiration time on or after which the tool MUST NOT accept the ID Token for
 # processing (epoch). This is mostly used to allow some clock skew.
- exp: Time.now.to_i + 5.minutes.to_i,
-
- # String value used to associate a tool session with an ID Token, and to mitigate replay
- # attacks. The nonce value is a case-sensitive string.
- nonce: SecureRandom.uuid
+ exp: Time.now.to_i + 5.minutes.to_i
 )
 # Add additional info into the headers
diff --git a/spec/models/keypair_spec.rb b/spec/models/keypair_spec.rb
index 0fd0b91..ff480a0 100644
--- a/spec/models/keypair_spec.rb
+++ b/spec/models/keypair_spec.rb
@@ -312,7 +312,7 @@
 expect(decoded).to include payload
 end
 it 'adds security payloads' do
- expect(decoded.keys).to match_array %i[hex nested iat exp nonce]
+ expect(decoded.keys).to match_array %i[hex nested iat exp]
 end
 it 'sets iat to now', timecop: :freeze do
 expect(decoded[:iat]).to eq Time.current.to_i
@@ -320,10 +320,6 @@
 it 'sets exp to 5 minutes from now', timecop: :freeze do
 expect(decoded[:exp]).to eq 5.minutes.from_now.to_i
 end
- it 'sets a generated nonce' do
- allow(SecureRandom).to receive(:uuid).and_return 'my-nonce'
- expect(decoded[:nonce]).to eq 'my-nonce'
- end
 it 'is encoded with the keypair and correct algorithm' do
 expect do
 JWT.decode(subject, keypair.public_key, true, algorithm: described_class::ALGORITHM)
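Review bot: With `nonce: SecureRandom.uuid` gone, `exp` is the only freshness claim left in the encoded token, so a token stays acceptable for the whole five-minute window however many times it is presented; the removed comment itself described the nonce as the replay mitigation, and the commit message does not say what takes over that role. If the caller is now expected to supply its own `nonce` in `payload` (the merge with `payload` is presumably just above the hunk, but it is not visible here), a comment next to the `exp` line should say so, e.g. `# Replay protection is the caller's responsibility: include a nonce (or jti) in payload when the consumer checks one.`. If the library should instead keep emitting a per-token identifier, the registered `jti` claim is the conventional place for a `SecureRandom.uuid` value, which would also let consumers that track seen tokens keep working. The enclosing `jwt_encode` starts and ends outside the hunk.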
@@ -340,12 +336,10 @@
 let(:payload) { { foo: 'bar', exp: 1.minute.ago.to_i } }
 it 'returns a JWT with the correct payload' do
- allow(SecureRandom).to receive(:uuid).and_return 'my-nonce'
 expect(decoded).to eq(
 foo: 'bar',
 iat: Time.current.to_i,
- exp: 1.minute.ago.to_i,
- nonce: 'my-nonce'
+ exp: 1.minute.ago.to_i
 )
 end
 it 'is cannot be decoded' do