Potential fix for code scanning alert no. 13: JWT missing secret or public key verification#17

Merged
Tanker187 merged 1 commit into main from alert-autofix-13 on Feb 24, 2026

Conversation

@Tanker187
Owner

Potential fix for https://github.com/Tanker187/firebase-admin-node/security/code-scanning/13

In general, to fix this issue you must not call jwt.verify with a falsy secret/key. Instead, either (a) provide a real cryptographic secret/public key that matches how the token was signed, or (b) if you are dealing with intentionally unsigned tokens (algorithm none), avoid verify and only use jwt.decode for structural checks, understanding that no integrity is guaranteed.

For this specific test, the goal is only to ensure that createCustomToken with an EmulatedSigner produces an unsigned token and that its header/payload are as expected. There is no need to invoke jwt.verify with alg: 'none'. We can safely remove that call and rely solely on jwt.decode (already used below) to validate the token structure and claims. This preserves existing test behavior while eliminating the insecure pattern.

Concrete change in test/unit/auth/token-generator.spec.ts:

  • Inside the "Emulator" describe block, in the test 'should generate a valid unsigned token', delete the block that calls jwt.verify(token, undefined as any, { algorithms: ['none'] }); and the preceding comment that refers to it.
  • No new imports or helpers are required; the rest of the test (which decodes the token and asserts header/payload/signature) remains unchanged.

Suggested fixes powered by Copilot Autofix. Review carefully before merging.

…ublic key verification

Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
@Tanker187 Tanker187 self-assigned this Feb 24, 2026
@Tanker187 Tanker187 marked this pull request as ready for review February 24, 2026 21:46
@Tanker187 Tanker187 merged commit fd3c9a8 into main Feb 24, 2026
9 of 15 checks passed