There is a problem with the method isJWT in that it returns true for incorrect values
```js
const validator = require('validator');

const jwt = 'eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJ1c2VySWQiOiJiMDhmODZhZi0zNWRhLTQ4ZjItOGZhYi1jZWYzOTA0NjYwYmQifQ.-xN_h82PHVTCMA9vdoHrcZxH-x5mb11y1537t3rGzcM';
validator.isJWT(jwt); // => true, as expected

// The problem is here
validator.isJWT("56.234"); // => true, should return false
```
The problem here is that the example 56.234 contains only valid JWT characters, which I suspect is the scope of this library. To further validate (and use) JWTs I suggest using one of the libraries around, like jsonwebtoken.
Sure, I see, our test for isJWT is quite basic...
@jsnoble - PR is welcome! 👍
I am doing some research on this issue. Though based on issue #609, the user requested functionality not to decode the JWT but just to verify the received string.
#885 added the functionality, which was also modified in #906, as it was said the signature may not be necessary for this case.
I have done research to get the minimum length for the header, payload, and signature, but there is no set minimum or maximum.
But when I have some points to consider, we can surely have a discussion.
Or, if I see where I can make a better validator for the same, i.e. improve it, I will surely do that.
Cc. @jsnoble, @Vengarioth and @profnandaa.
The test cases for isJWT are not correct. A JWT is either 2 (in case of no signature) or 3 dot-separated base64 strings. The test cases include symbols like _ and - which are not valid base64 characters.
The OP has given an example for which the result should be the opposite in this case.
```js
const jwt = 'eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJ1c2VySWQiOiJiMDhmODZhZi0zNWRhLTQ4ZjItOGZhYi1jZWYzOTA0NjYwYmQifQ.-xN_h82PHVTCMA9vdoHrcZxH-x5mb11y1537t3rGzcM';
validator.isJWT(jwt); // => true as expected  **should be false**
```
@profnandaa
Okay, so after reading a bit, I found out that JWT is URL-safe base64 (RFC 7519, section 3).
So the symbols + and / in the normal implementation are replaced by - and _.
If the PR #1277 is merged, we can solve this issue. The PR has merge conflicts so I'll be happy to make a new PR if the author isn't active.
@parasg1999 -- let's wait on @mum-never-proud, or until they okay you to pick up the PR.
@parasg1999 -- merged, could you please check if this is solved now?
isJWT passes strings with valid base64 characters, for example 'A.A.A'. See my fix: http://runkit.com/suncin/isjwt-fail-to-detect-valid-jwt-string
@parasg1999 -- can check this one?
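The thread settles two things: a JWT is 2 or 3 dot-separated segments in the base64url alphabet (`-` and `_` in place of `+` and `/`, no padding), and a check that only looks at the alphabet will wave through "56.234" and 'A.A.A'. The block below is an added example, not validator.js's `isJWT` and not the runkit fix linked above; the function names `looksLikeJwtCharsetOnly`, `decodeBase64Url`, `parseJsonObject`, `isStructurallyJwt` and `compareChecks` are my own. It puts the charset-only check beside a structural one that also decodes the header and payload and requires them to be JSON objects with an `alg` header, which is what separates the original poster's real token from the two false positives. Neither level verifies a signature.

```javascript
// Added example (not validator.js's own isJWT): two levels of JWT *format*
// checking, to show why a charset-only check accepts "56.234" and "A.A.A".
// Neither level verifies a signature; that is a job for a JWT library.

// base64url alphabet: A-Z a-z 0-9 '-' '_', with no '=' padding.
const BASE64URL_SEGMENT = /^[A-Za-z0-9_-]+$/;

// Level 1: the charset-only check discussed in the thread. A token is 2
// (no signature) or 3 dot-separated base64url segments, and nothing more is asked.
function looksLikeJwtCharsetOnly(token) {
  if (typeof token !== 'string') return false;
  const parts = token.split('.');
  if (parts.length !== 2 && parts.length !== 3) return false;
  return parts.every((part) => BASE64URL_SEGMENT.test(part));
}

// Decode one base64url segment to a Buffer, or return null if it cannot be
// a valid encoding (bad alphabet, or a length that no byte string produces).
function decodeBase64Url(segment) {
  if (!BASE64URL_SEGMENT.test(segment)) return null;
  // Four base64 characters encode three bytes; a remainder of one character
  // encodes nothing, so "A" (as in 'A.A.A') is rejected here.
  if (segment.length % 4 === 1) return null;
  const b64 = segment.replace(/-/g, '+').replace(/_/g, '/');
  const padded = b64 + '='.repeat((4 - (b64.length % 4)) % 4);
  return Buffer.from(padded, 'base64');
}

// Parse bytes as a JSON object (not an array, string or number), else null.
function parseJsonObject(buf) {
  try {
    const value = JSON.parse(buf.toString('utf8'));
    return value !== null && typeof value === 'object' && !Array.isArray(value)
      ? value
      : null;
  } catch (err) {
    return null;
  }
}

// Level 2: structural check. Header and payload must decode to JSON objects
// and the header must carry a string "alg" (required by RFC 7515 section 4.1.1).
// "56.234" fails because "56" decodes to a single byte that is not JSON.
function isStructurallyJwt(token) {
  if (!looksLikeJwtCharsetOnly(token)) return false;
  const [headerSeg, payloadSeg, sigSeg] = token.split('.');
  if (sigSeg !== undefined && sigSeg.length % 4 === 1) return false;
  const headerBytes = decodeBase64Url(headerSeg);
  const payloadBytes = decodeBase64Url(payloadSeg);
  if (headerBytes === null || payloadBytes === null) return false;
  const header = parseJsonObject(headerBytes);
  const payload = parseJsonObject(payloadBytes);
  if (header === null || payload === null) return false;
  return typeof header.alg === 'string' && header.alg.length > 0;
}

// The token from the original report: HS256 header, a userId claim, 32-byte signature.
const SAMPLE_JWT =
  'eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.' +
  'eyJ1c2VySWQiOiJiMDhmODZhZi0zNWRhLTQ4ZjItOGZhYi1jZWYzOTA0NjYwYmQifQ.' +
  '-xN_h82PHVTCMA9vdoHrcZxH-x5mb11y1537t3rGzcM';

// Run both checks over a list of candidate strings and report side by side.
function compareChecks(tokens) {
  return tokens.map((t) => ({
    token: t,
    charsetOnly: looksLikeJwtCharsetOnly(t),
    structural: isStructurallyJwt(t),
  }));
}

console.log(compareChecks([SAMPLE_JWT, '56.234', 'A.A.A', 'abc+def/ghi.x.y']));
```

The structural check still accepts an unsigned two-segment token whose header is `{"alg":"none"}`, because that is a well-formed JWT; deciding whether such a token may be trusted is the consumer's job, and is exactly why the earlier comment points at a verifying library such as jsonwebtoken rather than at a format check.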