trustpub: Implement UnverifiedClaims::decode() fn

This fn can be used to decode a JSON web token without verifying it's signature or claims. Only the `iss` claim will actually be decoded, since we use that to find the correct decoding key for the JWT issuer.

Author: Turbo87

crates/crates_io_trustpub/src/unverified.rs

@@ -0,0 +1,34 @@
+use jsonwebtoken::errors::Error;
+use jsonwebtoken::{DecodingKey, TokenData, Validation};
+use serde::Deserialize;
+use std::sync::LazyLock;
+
+/// [`Validation`] configuration for decoding JWTs without any
+/// signature validation.
+///
+/// This must only be used to extract the `iss` claim from the JWT, which
+/// is then used to look up the corresponding OIDC key set.
+static NO_VALIDATION: LazyLock<Validation> = LazyLock::new(|| {
+    let mut no_validation = Validation::default();
+    no_validation.validate_aud = false;
+    no_validation.validate_exp = false;
+    no_validation.insecure_disable_signature_validation();
+    no_validation
+});
+
+/// Empty [`DecodingKey`] used for decoding JWTs without any signature
+/// validation.
+///
+/// See [`NO_VALIDATION`] for more details.
+static EMPTY_KEY: LazyLock<DecodingKey> = LazyLock::new(|| DecodingKey::from_secret(b""));
+
+#[derive(Debug, Deserialize)]
+pub struct UnverifiedClaims {
+    pub iss: String,
+}
+
+impl UnverifiedClaims {
+    pub fn decode(token: &str) -> Result<TokenData<Self>, Error> {
+        jsonwebtoken::decode(token, &EMPTY_KEY, &NO_VALIDATION)
+    }
+}