I am trying to write a schema for JSONWebtoken but it's not working.
eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpZCI6IjU1NDczMjU0NTIzNTM1NjQ1MzI3NDkiLCJpYXQiOjE0NzUwMzg2OTcsImV4cCI6MTQ3NTA4MTg5N30.LqsfH9QZUj9kmy9Cs8-j-gqxybWOZ-GkqT4B_SSdoYc
var schema = Joi.object().keys({
  token: Joi.string().alphanum().min(3).max(200).required()
});
var schema = Joi.object().keys({
  token: [Joi.string(), Joi.number()]
});

The token is a string but you're writing schemas for objects (Joi.object()) with a token property. What are you actually passing?
What's your input to the schema?
For this validation to work, you must validate an object like this:
{
  token: 'YOUR-JWT-COMES-HERE'
}
Then, validate with your first schema, but if your input is just a string, your validation schema needs to be like this:
var schema = Joi.string().alphanum().min(3).max(200).required();
A JWT has a bit of structure you can use to further lightly validate. Namely, it is in three parts, separated by periods.
Joi.string().regex(/^[A-Za-z0-9-_]+\.[A-Za-z0-9-_]+\.[A-Za-z0-9-_.+/=]*$/)
BTW, there is no defined max length to a JWT token, unless there is one imposed by your own system. It'd be easy enough to add .min().max() that makes sense for your token, if they are constrained to an expected set.
You could also add .empty([null,'']).
Generally JWT frameworks like hapi-auth-jwt2 will take care of that for you. Are you using an existing JWT framework?
He mentioned express in his OP so he's in hostile territory. I see nothing actionable here for me to reproduce your problem.
Looks like the question changed after my answer. @thebergamo is right? We need more info about your system and if you are actually passing something like { token : <token> }.
@serganus You might want to try express-jwt
@paulxtiseo I'm not sure what you mean. Unless @serganus shows the input, it will be very difficult to help with the validations.
Input I was passing, when I do console.log(req.body)
{ AccessId: 'eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpZCI6IjU1NDczMjU0NTIzNTM1NjQ1MzI3NDkiLCJpYXQiOjE0NzUwMzg2OTcsImV4cCI6MTQ3NTA4MTg5N30.LqsfH9QZUj9kmy9Cs8-j-gqxybWOZ-GkqT4B_SSdoYc'
}
I'm lost here, this has nothing to do with the schema you gave. Please, provide a minimal way to reproduce your problem, otherwise I'll just close this issue.
@Marsup
'eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpZCI6IjU1NDczMjU0NTIzNTM1NjQ1MzI3NDkiLCJpYXQiOjE0NzUwMzg2OTcsImV4cCI6MTQ3NTA4MTg5N30.LqsfH9QZUj9kmy9Cs8-j-gqxybWOZ-GkqT4B_SSdoYc'
joi.validate()
var schema = Joi.object().keys({
  AccessID: Joi.string().alphanum().min(3).max(200).required()
});
Joi.validate(req.body, schema, function(err, value) {
  if (err) {
    //Handle error
  } else {
    next();
  }
});

As already stated by @mtharrison your body is not an object, it's directly the JWT string.
@serganus if your example is right, the only problem you will have is alphanum()
https://runkit.com/57f158a5f5fa9d14008320c7/57f158a5f5fa9d14008320c8
Just check your body before sending it to the function.
Thanks for the swift feedback. Cheers @Marsup @thebergamo @kamronbatman @paulxtiseo @mtharrison
I would like to add that Joi validation of an encoded JWT is worthless. You should be decoding the token and validating its contents (granted it even decodes) against Joi.
@kamronbatman yes that's exactly what I did. I decode the token and look for the value of typ in the decoded header. If it's JWT then do some validation else next()
{
  'algo':'H256',
  'typ':'JWT'
}
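The approach from the last two comments (decode the token, then validate what it contains), as an added example that is not code from any participant or from Joi. It uses plain Node.js with no libraries; `decodeSegment`, `checkJwtContents` and the `allowedAlgs` list are hypothetical names, and it checks contents only, not the signature.

```javascript
// Added example: decode a compact JWT and validate its contents.
// decodeSegment / checkJwtContents are hypothetical names, not a Joi API.
const B64URL = /^[A-Za-z0-9_-]+$/;

function decodeSegment(segment) {
  if (!B64URL.test(segment)) throw new Error('segment is not base64url');
  // Map the URL-safe alphabet back to standard base64 before decoding.
  const b64 = segment.replace(/-/g, '+').replace(/_/g, '/');
  const value = JSON.parse(Buffer.from(b64, 'base64').toString('utf8'));
  if (value === null || typeof value !== 'object' || Array.isArray(value)) {
    throw new Error('segment is not a JSON object');
  }
  return value;
}

// nowSeconds is passed in so the expiry check is deterministic.
function checkJwtContents(token, nowSeconds, allowedAlgs = ['HS256']) {
  if (typeof token !== 'string') return { ok: false, error: 'token is not a string' };
  const parts = token.split('.');
  if (parts.length !== 3) return { ok: false, error: 'expected three segments' };
  let header, payload;
  try {
    header = decodeSegment(parts[0]);
    payload = decodeSegment(parts[1]);
  } catch (err) {
    return { ok: false, error: 'does not decode: ' + err.message };
  }
  if (header.typ !== 'JWT') return { ok: false, error: 'typ is not JWT' };
  // An explicit allow-list also rejects unsigned ("none") tokens.
  if (!allowedAlgs.includes(header.alg)) return { ok: false, error: 'alg not allowed' };
  if (!Number.isInteger(payload.iat) || !Number.isInteger(payload.exp)) {
    return { ok: false, error: 'iat/exp must be integers' };
  }
  if (payload.exp <= nowSeconds) return { ok: false, error: 'token expired' };
  return { ok: true, header, payload };
}

// Sample input: the token posted in this thread (iat 1475038697, exp 1475081897).
const SAMPLE = 'eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpZCI6IjU1NDczMjU0NTIzNTM1NjQ1MzI3NDkiLCJpYXQiOjE0NzUwMzg2OTcsImV4cCI6MTQ3NTA4MTg5N30.LqsfH9QZUj9kmy9Cs8-j-gqxybWOZ-GkqT4B_SSdoYc';

console.log(checkJwtContents(SAMPLE, 1475040000)); // inside the validity window
console.log(checkJwtContents(SAMPLE, 1475090000)); // after exp
```

Decoding says nothing about authenticity; verifying the signature remains the job of a JWT library such as the express-jwt or hapi-auth-jwt2 packages mentioned above.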