Add support for Apple's nonce_supported claim

Apple's authentication identity token can contain a non-standard
nonce_supported claim.  As specified, when this is set to false
skip the nonce check.

https://developer.apple.com/documentation/sign_in_with_apple/sign_in_with_apple_rest_api/authenticating_users_with_sign_in_with_apple

Author: dspinellis

test/option-nonce-supported.test.js

@@ -0,0 +1,41 @@
+'use strict';
+
+const jwt = require('../');
+const expect = require('chai').expect;
+const testUtils = require('./test-utils')
+
+describe('nonce and nonce_supported option', function () {
+
+  [
+    {
+      description: 'should succeed without nonce and without nonce support',
+      signParam: { nonce_supported: false },
+      verifyParam: { },
+    },
+    {
+      description: 'should succeed without nonce but with nonce support',
+      signParam: { nonce_supported: true },
+      verifyParam: { },
+    },
+    {
+      description: 'should succeed with nonce but without nonce support',
+      signParam: { nonce_supported: false },
+      verifyParam: { nonce: 'abcde' },
+    },
+    {
+      description: 'should succeed with nonce and nonce support',
+      signParam: { nonce: 'abcde', nonce_supported: true },
+      verifyParam: { nonce: 'abcde' },
+    },
+  ].forEach((testCase) => {
+    it(testCase.description, function (done) {
+      var token = jwt.sign(testCase.signParam, undefined, { algorithm: 'none' });
+      testUtils.verifyJWTHelper(token, undefined, testCase.verifyParam, (err) => {
+        testUtils.asyncCheck(done, () => {
+          expect(err).to.be.null;
+        });
+      });
+    });
+  });
+
+});

verify.js

@@ -191,7 +191,7 @@ module.exports = function (jwtString, secretOrPublicKey, options, callback) {
     }
 
     if (options.nonce) {
-      if (payload.nonce !== options.nonce) {
+      if (payload.nonce !== options.nonce && payload.nonce_supported !== false) {
         return done(new JsonWebTokenError('jwt nonce invalid. expected: ' + options.nonce));
       }
     }