Potential fix for code scanning alert no. 12: JWT missing secret or public key verification

[Tanker187]

Potential fix for https://github.com/Tanker187/firebase-admin-node/security/code-scanning/12

In general, to fix this class of problem you must always pass a real cryptographic secret or public key to jwt.verify (or an appropriate key-resolving callback), never undefined, null, false, or an empty string. You should also avoid using the none algorithm in verification except in very constrained, non-security-critical scenarios, and then only in ways that don’t encourage insecure patterns.

In this test, we do not actually need to verify the token cryptographically; we just want to ensure that calling jwt.verify does not throw when presented with an unsigned token produced by createCustomToken() in emulator mode. We can achieve that without disabling integrity checks by avoiding jwt.verify entirely and instead using jwt.decode, which does not perform signature verification but suffices to ensure the token is structurally valid and decodable. The test already uses jwt.decode earlier to check the header and payload. Therefore, the minimal change is to remove the dangerous jwt.verify call and replace it with a harmless decode (or simply rely on the existing decode) to assert that no exception is thrown. Concretely, in test/unit/auth/auth.spec.ts, in the it('createCustomToken() generates an unsigned token', ...) block, replace line 3899 with a safe operation, such as another jwt.decode call, or simply remove it and, if desired, wrap the original decode in a try/catch-based expectation to show no error is thrown. No new imports or helpers are required.

Suggested fixes powered by Copilot Autofix. Review carefully before merging.