isJWT bug

[jsnoble]

There is a problem with the method isJWT in that it returns true for incorrect values

const validator = require('validator');
const jwt = 'eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJ1c2VySWQiOiJiMDhmODZhZi0zNWRhLTQ4ZjItOGZhYi1jZWYzOTA0NjYwYmQifQ.-xN_h82PHVTCMA9vdoHrcZxH-x5mb11y1537t3rGzcM';

validator.isJWT(jwt);  => true as expected

// The problem is here
validator.isJWT("56.234"); => true, should return false

[Vengarioth]

the problem here is that the example 56.234 contains only valid JWT characters, which i suspect is the scope of this library. To further validate (and use) JWTs i suggest using one of the libraries around, like jsonwebtoken.

[profnandaa]

Sure, I see, our test for isJWT is quite basic... 🤔

[profnandaa]

@jsnoble - PR is welcome! 👍

[ezkemboi]

I am doing some research on this issue. Though based on issue #609, the user requested for functionality not to decode JWT but just verify string received.
#885 added the functionality, which was also modified on #906 as it was said signature may not be necessary for this case.
I have done research to get the minimum length for header, payload, and signature, but there is no set minimum or maximum set up.
But, when I will have some points to consider, we can surely make a discussion.
Or, if I see where I can make a better validator for the same, i.e improve it, I will surely do that.

Cc. @jsnoble, @Vengarioth and @profnandaa.

[parasg1999]

The test cases for isJWT are not correct. JWT is either 2 (in case of no signature) or 3 [dot] separated base64 strings. The test cases include symbols like _ and - which are not valid base64 characters.

The OP has given an example for which the result should be opposite in this case.

const jwt = 'eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJ1c2VySWQiOiJiMDhmODZhZi0zNWRhLTQ4ZjItOGZhYi1jZWYzOTA0NjYwYmQifQ.-xN_h82PHVTCMA9vdoHrcZxH-x5mb11y1537t3rGzcM';

validator.isJWT(jwt);  => true as expected  // **should be false**

@profnandaa

[parasg1999]

@profnandaa
Okay, so after reading a bit. I found out that JWT is url safe base64. RFC7519, section 3
So, the symbols + and / in normal implementation are replaced by - and _

If the PR #1277 is merged, we can solve this issue. The PR has merge conflicts so I'll be happy to make a new PR if the author isn't active.

[profnandaa]

@parasg1999 -- let's wait on @mum-never-proud or if okays you to pick up the PR.

[profnandaa]

@parasg1999 -- merged, could you please check if this is solved now?

[leosuncin]

isJWT pass with string with valid base64 characters, by example, 'A.A.A'. See my fix http://runkit.com/suncin/isjwt-fail-to-detect-valid-jwt-string

[profnandaa]

@parasg1999 -- can check this one?

[ItalyPaleAle]

I implemented #906.

Right now, isJWT just checks if the string is in the correct format, with 2 or 3 sequences of (URL-encoded) base64 sequences, separated by a dot. To further validate if the string is an actual JWT, we would need to decode the base64 sequences and then decode the JSON.

I want to point out that while implementing that is possible, it's a slippery slope, as then someone else will ask why the library doesn't also check the signature of the JWT, etc. At that point, we may as well just re-implement the entire JWT standard :)