skip signing signature if nonce is not provided

n-hass · n-hass · commit de188b52a01f · 2025-09-12T23:59:08.000+09:30
replaces behaviour that required a nonce to be issued by the server if the client is configured to use an authentication method
diff --git a/Sources/Nats/NatsConnection.swift b/Sources/Nats/NatsConnection.swift
@@ -476,7 +476,7 @@ class ConnectionHandler: ChannelInboundHandler {
         if self.auth?.nkey != nil && self.auth?.nkeyPath != nil {
             throw NatsError.ConnectError.invalidConfig("cannot use both nkey and nkeyPath")
         }
-        if let auth = self.auth, let credentialsPath = auth.credentialsPath {
+        if let auth = self.auth, let credentialsPath = auth.credentialsPath, let nonce = self.serverInfo?.nonce {
             let credentials = try await URLSession.shared.data(from: credentialsPath).0
             guard let jwt = JwtUtils.parseDecoratedJWT(contents: credentials) else {
                 throw NatsError.ConnectError.invalidConfig(
@@ -486,17 +486,15 @@ class ConnectionHandler: ChannelInboundHandler {
                 throw NatsError.ConnectError.invalidConfig(
                     "failed to extract NKEY from credentials file")
             }
-            guard let nonce = self.serverInfo?.nonce else {
-                throw NatsError.ConnectError.invalidConfig("missing nonce")
-            }
+            initialConnect.userJwt = String(data: jwt, encoding: .utf8)!
+            
             let keypair = try KeyPair(seed: String(data: nkey, encoding: .utf8)!)
             let nonceData = nonce.data(using: .utf8)!
             let sig = try keypair.sign(input: nonceData)
             let base64sig = sig.base64EncodedURLSafeNotPadded()
             initialConnect.signature = base64sig
-            initialConnect.userJwt = String(data: jwt, encoding: .utf8)!
         }
-        if let nkey = self.auth?.nkeyPath {
+        if let nkey = self.auth?.nkeyPath, let nonce = self.serverInfo?.nonce {
             let nkeyData = try await URLSession.shared.data(from: nkey).0
 
             guard let nkeyContent = String(data: nkeyData, encoding: .utf8) else {
@@ -505,20 +503,14 @@ class ConnectionHandler: ChannelInboundHandler {
             let keypair = try KeyPair(
                 seed: nkeyContent.trimmingCharacters(in: .whitespacesAndNewlines)
             )
-
-            guard let nonce = self.serverInfo?.nonce else {
-                throw NatsError.ConnectError.invalidConfig("missing nonce")
-            }
+            initialConnect.nkey = keypair.publicKeyEncoded
+            
             let sig = try keypair.sign(input: nonce.data(using: .utf8)!)
             let base64sig = sig.base64EncodedURLSafeNotPadded()
             initialConnect.signature = base64sig
-            initialConnect.nkey = keypair.publicKeyEncoded
         }
-        if let nkey = self.auth?.nkey {
+        if let nkey = self.auth?.nkey, let nonce = self.serverInfo?.nonce {
             let keypair = try KeyPair(seed: nkey)
-            guard let nonce = self.serverInfo?.nonce else {
-                throw NatsError.ConnectError.invalidConfig("missing nonce")
-            }
             let nonceData = nonce.data(using: .utf8)!
             let sig = try keypair.sign(input: nonceData)
             let base64sig = sig.base64EncodedURLSafeNotPadded()
diff --git a/Tests/NatsTests/Integration/ConnectionTests.swift b/Tests/NatsTests/Integration/ConnectionTests.swift
@@ -38,6 +38,7 @@ class CoreNatsTests: XCTestCase {
         ("testUsernameAndPassword", testUsernameAndPassword),
         ("testTokenAuth", testTokenAuth),
         ("testCredentialsAuth", testCredentialsAuth),
+        ("testCredentialsAuthWithoutNonce", testCredentialsAuthWithoutNonce),
         ("testNkeyAuth", testNkeyAuth),
         ("testNkeyAuthFile", testNkeyAuthFile),
         ("testMutualTls", testMutualTls),
@@ -589,6 +590,22 @@ class CoreNatsTests: XCTestCase {
         try await client.publish("data".data(using: .utf8)!, subject: "foo")
         _ = try await subscribe.next()
     }
+    
+    func testCredentialsAuthWithoutNonce() async throws {
+        logger.logLevel = .critical
+        let bundle = Bundle.module
+        natsServer.start()
+
+        let creds = bundle.url(forResource: "TestUser", withExtension: "creds")!
+
+        let client = NatsClientOptions().url(URL(string: natsServer.clientURL)!).credentialsFile(
+            creds
+        ).build()
+        try await client.connect()
+        let subscribe = try await client.subscribe(subject: "foo").makeAsyncIterator()
+        try await client.publish("data".data(using: .utf8)!, subject: "foo")
+        _ = try await subscribe.next()
+    }
 
     func testNkeyAuth() async throws {
         logger.logLevel = .critical
