From 51ea92d7c70502d737b3e1da986a0fcea9021e28 Mon Sep 17 00:00:00 2001
From: "R.I.Pienaar"
Date: Wed, 17 Nov 2021 15:19:00 +0100
Subject: [PATCH] support always presenting a nonce to clients

The nonce feature is useful to custom authentication plugins but at present there is no way to enable a nonce to be presented other than by setting nkey accounts etc. This enables the nonce to always be presented in those situations.

Since its primarily useful to embedded scenarios there is no corresponding configuration file behavior for this flag.

Signed-off-by: R.I.Pienaar
---
 server/nkey.go | 2 +-
 server/nkey_test.go | 22 ++++++++++++++++++++++
 server/opts.go | 5 +++++
 3 files changed, 28 insertions(+), 1 deletion(-)

diff --git a/server/nkey.go b/server/nkey.go
index 87b20a4f..61eac1af 100644
--- a/server/nkey.go
+++ b/server/nkey.go
@@ -33,7 +33,7 @@ func (s *Server) NonceRequired() bool {
 // nonceRequired tells us if we should send a nonce.
 // Lock should be held on entry.
 func (s *Server) nonceRequired() bool {
- return len(s.nkeys) > 0 || s.trustedKeys != nil
+ return s.opts.AlwaysEnableNonce || len(s.nkeys) > 0 || s.trustedKeys != nil
 }
 
 // Generate a nonce for INFO challenge.
diff --git a/server/nkey_test.go b/server/nkey_test.go
index b11954a0..2a5a7cc1 100644
--- a/server/nkey_test.go
+++ b/server/nkey_test.go
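Review bot: The added `s.opts.AlwaysEnableNonce` in nonceRequired reads the options field directly, while the comment above only requires the server lock on entry; if the server swaps its options behind a separate accessor or lock during reload (not visible in this hunk), that read should go through the same accessor the rest of the file uses for opts so the flag cannot be observed torn or stale relative to a reload. Because this predicate decides whether INFO carries a nonce, and custom authentication plugins depend on that nonce to verify client signatures, a stale read means a connection can be accepted without the challenge the operator configured. The doc comment should also name the new input, e.g. `// nonceRequired tells us if we should send a nonce: always when opts.AlwaysEnableNonce is set, otherwise only when nkeys or trusted keys are configured.`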
@@ -54,6 +54,28 @@ func mixedSetup() (*Server, *testAsyncClient, *bufio.Reader, string) {
 return rawSetup(opts)
 }
 
+func TestServerInfoNonceAlwaysEnabled(t *testing.T) {
+ opts := defaultServerOptions
+ opts.AlwaysEnableNonce = true
+ s, c, _, l := rawSetup(opts)
+ defer s.WaitForShutdown()
+ defer s.Shutdown()
+ defer c.close()
+
+ if !strings.HasPrefix(l, "INFO ") {
+ t.Fatalf("INFO response incorrect: %s\n", l)
+ }
+
+ var info nonceInfo
+ err := json.Unmarshal([]byte(l[5:]), &info)
+ if err != nil {
+ t.Fatalf("Could not parse INFO json: %v\n", err)
+ }
+ if info.Nonce == "" {
+ t.Fatalf("Expected a non-empty nonce with AlwaysEnableNonce set")
+ }
+}
+
 func TestServerInfoNonce(t *testing.T) {
 c, l := setUpClientWithResponse()
 defer c.close()
diff --git a/server/opts.go b/server/opts.go
index 6a3e37a8..0d82f14d 100644
--- a/server/opts.go
+++ b/server/opts.go
@@ -262,6 +262,11 @@ type Options struct {
 AccountResolver AccountResolver `json:"-"`
 AccountResolverTLSConfig *tls.Config `json:"-"`
 
+ // AlwaysEnableNonce will always present a nonce to new connections
+ // typically used by custom Authentication implementations who embeds
+ // the server and so not presented as a configuration option
+ AlwaysEnableNonce bool
+
 CustomClientAuthentication Authentication `json:"-"`
 CustomRouterAuthentication Authentication `json:"-"`
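Review bot: In TestServerInfoNonceAlwaysEnabled the unmarshal error is declared in function scope and the last failure message uses Fatalf without any format verbs; the idiomatic form is `if err := json.Unmarshal([]byte(l[5:]), &info); err != nil {` and `t.Fatal("Expected a non-empty nonce with AlwaysEnableNonce set")`, and the trailing `\n` in the other two Fatalf messages is unnecessary since the testing package terminates each line. The test only pins the positive case; unless a test elsewhere in this file already asserts that no nonce is sent when the flag is unset and no nkeys or trusted keys are configured (not visible in this hunk), a sibling test covering that default would guard against the new clause accidentally widening nonce emission.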