Bump jsonwebtoken from 8.5.1 to 9.0.0 (#5410)

* Bump jsonwebtoken from 8.5.1 to 9.0.0

Bumps [jsonwebtoken](https://github.com/auth0/node-jsonwebtoken) from 8.5.1 to 9.0.0.
- [Release notes](https://github.com/auth0/node-jsonwebtoken/releases)
- [Changelog](https://github.com/auth0/node-jsonwebtoken/blob/master/CHANGELOG.md)
- [Commits](auth0/node-jsonwebtoken@v8.5.1...v9.0.0)

---
updated-dependencies:
- dependency-name: jsonwebtoken
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>

* Use fake secret for jwt.sign() and fix tests

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Lisa Jian <lisajian@google.com>

package.json

@@ -120,7 +120,7 @@
     "google-auth-library": "^7.11.0",
     "inquirer": "^8.2.0",
     "js-yaml": "^3.13.1",
-    "jsonwebtoken": "^8.5.1",
+    "jsonwebtoken": "^9.0.0",
     "leven": "^3.1.0",
     "libsodium-wrappers": "^0.7.10",
     "lodash": "^4.17.21",

src/emulator/auth/operations.ts

@@ -669,7 +669,7 @@ function createSessionCookie(
       exp: expiresAt,
       iss: `https://session.firebase.google.com/${payload.aud}`,
     },
-    "",
+    "fake-secret",
     {
       // Generate a unsigned (insecure) JWT. Admin SDKs should treat this like
       // a real token (if in emulator mode). This won't work in production.
@@ -2391,18 +2391,26 @@ function generateJwt(
     },
   };
 
-  const jwtStr = signJwt(customPayloadFields, "", {
-    // Generate a unsigned (insecure) JWT. This is accepted by many other
-    // emulators (e.g. Cloud Firestore Emulator) but will not work in
-    // production of course. This removes the need to sign / verify tokens.
-    algorithm: "none",
-    expiresIn: expiresInSeconds,
+  const jwtStr = signJwt(
+    customPayloadFields,
+    // secretOrPrivateKey is required for jsonwebtoken v9, see
+    // https://github.com/auth0/node-jsonwebtoken/wiki/Migration-Notes:-v8-to-v9
+    // Tokens generated by the auth emulator are intentionally insecure and are
+    // not meant to be used in production. Thus, a fake secret is used here.
+    "fake-secret",
+    {
+      // Generate a unsigned (insecure) JWT. This is accepted by many other
+      // emulators (e.g. Cloud Firestore Emulator) but will not work in
+      // production of course. This removes the need to sign / verify tokens.
+      algorithm: "none",
+      expiresIn: expiresInSeconds,
 
-    subject: user.localId,
-    // TODO: Should this point to an emulator URL?
-    issuer: `https://securetoken.google.com/${projectId}`,
-    audience: projectId,
-  });
+      subject: user.localId,
+      // TODO: Should this point to an emulator URL?
+      issuer: `https://securetoken.google.com/${projectId}`,
+      audience: projectId,
+    }
+  );
   return jwtStr;
 }
 
@@ -3245,7 +3253,7 @@ function generateBlockingFunctionJwt(
     jwt.oauth_refresh_token = oauthTokens.oauthRefreshToken;
   }
 
-  const jwtStr = signJwt(jwt, "", {
+  const jwtStr = signJwt(jwt, "fake-secret", {
     algorithm: "none",
   });
 

src/test/emulators/auth/customToken.spec.ts

@@ -15,7 +15,7 @@ describeAuthEmulator("sign-in with custom token", ({ authApi }) => {
   it("should create new account from custom token (unsigned)", async () => {
     const uid = "someuid";
     const claims = { abc: "def", ultimate: { answer: 42 } };
-    const token = signJwt({ uid, claims }, "", {
+    const token = signJwt({ uid, claims }, "fake-secret", {
       algorithm: "none",
       expiresIn: 3600,
 
@@ -149,7 +149,7 @@ describeAuthEmulator("sign-in with custom token", ({ authApi }) => {
   });
 
   it("should error if custom token addresses the wrong audience", async () => {
-    const token = signJwt({ uid: "foo" }, "", {
+    const token = signJwt({ uid: "foo" }, "fake-secret", {
       algorithm: "none",
       expiresIn: 3600,
 
@@ -173,7 +173,7 @@ describeAuthEmulator("sign-in with custom token", ({ authApi }) => {
       {
         /* no uid */
       },
-      "",
+      "fake-secret",
       {
         algorithm: "none",
         expiresIn: 3600,
@@ -252,7 +252,7 @@ describeAuthEmulator("sign-in with custom token", ({ authApi }) => {
     const tenant = await registerTenant(authApi(), PROJECT_ID, { disableAuth: false });
     const uid = "someuid";
     const claims = { abc: "def", ultimate: { answer: 42 } };
-    const token = signJwt({ uid, claims, tenant_id: "not-matching-tenant-id" }, "", {
+    const token = signJwt({ uid, claims, tenant_id: "not-matching-tenant-id" }, "fake-secret", {
       algorithm: "none",
       expiresIn: 3600,
 
@@ -275,7 +275,7 @@ describeAuthEmulator("sign-in with custom token", ({ authApi }) => {
     const tenant = await registerTenant(authApi(), PROJECT_ID, { disableAuth: false });
     const uid = "someuid";
     const claims = { abc: "def", ultimate: { answer: 42 } };
-    const token = signJwt({ uid, claims, tenant_id: tenant.tenantId }, "", {
+    const token = signJwt({ uid, claims, tenant_id: tenant.tenantId }, "fake-secret", {
       algorithm: "none",
       expiresIn: 3600,