Allow token validation without signature

[micahmo]

Pull request type

Please check the type of change your PR introduces:

• Bugfix
• New feature or enhancement
• UI change (please include screenshot!)
• Code style update (formatting, renaming)
• Refactoring (no functional changes, no api changes)
• Build related changes
• Documentation content changes
• Internationalization and localization
• Other (please describe):

What is the current behavior?

It is impossible to "validate" various parts of a JWT without providing the signature / signing key.

What is the new behavior?

This PR separates signing key validation as a separate step from overall token validation. As a result, I can choose to validate only the expiration, for example, without providing a key, which is much more convenient.

DevToys-JWT-Validate.mp4

Other information

If we were starting from scratch, I think it would make sense for the overall validation operation to be called something like ValidateToken, and then it could have an option like ValidateSignature. However, the latter term is already used for the whole operation (and refers to a persistent setting), so I didn't want to change that. Instead I introduded a new option, ValidateIssuerSigningKey (which does align with the TokenValidationParameters), and as a result, ValidateSignature now has a slightly different meaning. I did update the UI strings to reflect this. Hopefully it's ok!

Quality check

Before creating this PR:

• Did you follow the code style guideline as described in CONTRIBUTING.md
• Did you build the app and test your changes?
• Did you check for accessibility? On Windows, you can use Accessibility Insights for this.
• Did you verify that the change work in Release build configuration
• Did you verify that all unit tests pass
• If necessary and if possible, did you verify your changes on:
  • Windows
  • macOS (DevToys 2.0)
  • Linux (DevToys 2.0)

[micahmo]

@veler Please tell me if I'm creating too much burden with my recent PRs! I know you're pushing towards 2.0 and a lot of this will have to be rewritten anyway.

[btiteux]

Hello, @micahmo thank you for this improvement, no worries for the pull requests.
The changes are good for me.

[veler]

If signingCredentials is null, this will crash.

[micahmo]

I believe this is ok for two reasons.

1. The same could be said for old code too, so I have not introduced a new problem.
2. It won't "crash"; instead, the exception will get caught and propagated to the UI. In this case, it will tell the user that the key is null, so they must enter a key if they want to validate the token. Again, that is the same as the existing behavior.

(Technically the error is from GetValidationCredentials, which should either throw or return a non-nullable. So I guess we could remove the nullable here to alleviate your concern. But again I was mostly refactoring the existing code.)

[veler]

Would it be possible to add unit tests for the changes in this PR? :)

[micahmo]

Would it be possible to add unit tests for the changes in this PR? :)

Of course! d1740e4

[veler]

Awesome! Thank you so much ! :D
Looks like we have a small merge conflict now 😅 Should be good to go once resolved.

[micahmo]

Looks like we have a small merge conflict now 😅 Should be good to go once resolved.

Should be all set now! Thanks!

[veler]

Thank you so much! :D