diff --git a/README.md b/README.md
index 4e20dd9..11d4818 100644
--- a/README.md
+++ b/README.md
@@ -243,7 +243,7 @@ jwt.verify(token, getKey, options, function(err, decoded) {
Need to peek into a JWT without verifying it? (Click to expand) -### jwt.decode(token [, options]) +### jwt.unsafe_decode(token [, options]) (Synchronous) Returns the decoded payload without verifying if the signature is valid. @@ -263,10 +263,10 @@ Example ```js // get the decoded payload ignoring signature, no secretOrPrivateKey needed -var decoded = jwt.decode(token); +var decoded = jwt.unsafe_decode(token); // get the decoded payload and header -var decoded = jwt.decode(token, {complete: true}); +var decoded = jwt.unsafe_decode(token, {complete: true}); console.log(decoded.header); console.log(decoded.payload) ``` diff --git a/decode.js b/decode.js index 8fe1adc..5708d28 100644 --- a/decode.js +++ b/decode.js @@ -2,7 +2,7 @@ var jws = require('jws'); module.exports = function (jwt, options) { options = options || {}; - var decoded = jws.decode(jwt, options); + var decoded = jws.unsafe_decode(jwt, options); if (!decoded) { return null; } var payload = decoded.payload; diff --git a/test/async_sign.tests.js b/test/async_sign.tests.js index eb31174..534121a 100644 --- a/test/async_sign.tests.js +++ b/test/async_sign.tests.js @@ -104,7 +104,7 @@ describe('signing a token asynchronously', function() { it('should not stringify the payload', function (done) { jwt.sign('string', 'secret', {}, function (err, token) { if (err) { return done(err); } - expect(jws.decode(token).payload).to.equal('string'); + expect(jws.unsafe_decode(token).payload).to.equal('string'); done(); }); }); diff --git a/test/buffer.tests.js b/test/buffer.tests.js index 612d171..a85d8dd 100644 --- a/test/buffer.tests.js +++ b/test/buffer.tests.js @@ -5,6 +5,6 @@ describe('buffer payload', function () { it('should work', function () { var payload = new Buffer('TkJyotZe8NFpgdfnmgINqg==', 'base64'); var token = jwt.sign(payload, "signing key"); - assert.equal(jwt.decode(token), payload.toString()); + assert.equal(jwt.unsafe_decode(token), payload.toString()); }); }); 
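Review bot: In decode.js the new line `var decoded = jws.unsafe_decode(jwt, options);` renames a method on the `jws` dependency rather than on this package, and nothing in the visible diff updates that dependency or shows it exposing such a name. If `jws` only provides `decode`, this call throws a TypeError for every caller, and the same holds for the `jws.unsafe_decode(...)` calls in test/async_sign.tests.js and test/option-complete.test.js. I would keep `var decoded = jws.decode(jwt, options);` here and apply the rename only where this package exports the function; no hunk shown adds `unsafe_decode` to those exports, so `jwt.unsafe_decode` in the README and tests may be undefined as well. Since callers of the old `jwt.decode` name break on upgrade, the change should ship with a documented migration note. The exported function's body continues outside the hunk.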
diff --git a/test/claim-exp.test.js b/test/claim-exp.test.js index fbdbc52..8bcdfbd 100644 --- a/test/claim-exp.test.js +++ b/test/claim-exp.test.js @@ -234,7 +234,7 @@ describe('expires', function() { // TODO an exp of -Infinity should fail validation it('should set null "exp" when given -Infinity', function (done) { signWithExpiresIn(undefined, {exp: -Infinity}, (err, token) => { - const decoded = jwt.decode(token); + const decoded = jwt.unsafe_decode(token); testUtils.asyncCheck(done, () => { expect(err).to.be.null; expect(decoded).to.have.property('exp', null); @@ -245,7 +245,7 @@ describe('expires', function() { // TODO an exp of Infinity should fail validation it('should set null "exp" when given value Infinity', function (done) { signWithExpiresIn(undefined, {exp: Infinity}, (err, token) => { - const decoded = jwt.decode(token); + const decoded = jwt.unsafe_decode(token); testUtils.asyncCheck(done, () => { expect(err).to.be.null; expect(decoded).to.have.property('exp', null); @@ -256,7 +256,7 @@ describe('expires', function() { // TODO an exp of NaN should fail validation it('should set null "exp" when given value NaN', function (done) { signWithExpiresIn(undefined, {exp: NaN}, (err, token) => { - const decoded = jwt.decode(token); + const decoded = jwt.unsafe_decode(token); testUtils.asyncCheck(done, () => { expect(err).to.be.null; expect(decoded).to.have.property('exp', null); diff --git a/test/claim-iat.test.js b/test/claim-iat.test.js index a3dd474..7974ed7 100644 --- a/test/claim-iat.test.js +++ b/test/claim-iat.test.js @@ -148,7 +148,7 @@ describe('issue at', function() { signWithIssueAt(testCase.iat, testCase.options, (err, token) => { testUtils.asyncCheck(done, () => { expect(err).to.be.null; - expect(jwt.decode(token).iat).to.equal(testCase.expectedIssueAt); + expect(jwt.unsafe_decode(token).iat).to.equal(testCase.expectedIssueAt); }); }); }); 
@@ -253,7 +253,7 @@ describe('issue at', function() { const payload = 'string payload'; const options = {algorithm: 'HS256'}; testUtils.signJWTHelper(payload, 'secret', options, (err, token) => { - const decoded = jwt.decode(token); + const decoded = jwt.unsafe_decode(token); testUtils.asyncCheck(done, () => { expect(err).to.be.null; expect(decoded).to.equal(payload); @@ -265,7 +265,7 @@ describe('issue at', function() { const payload = '{}'; const options = {algorithm: 'HS256', header: {typ: 'JWT'}}; testUtils.signJWTHelper(payload, 'secret', options, (err, token) => { - const decoded = jwt.decode(token); + const decoded = jwt.unsafe_decode(token); testUtils.asyncCheck(done, () => { expect(err).to.equal(null); expect(JSON.stringify(decoded)).to.equal(payload); diff --git a/test/claim-nbf.test.js b/test/claim-nbf.test.js index 72397de..3fe0c70 100644 --- a/test/claim-nbf.test.js +++ b/test/claim-nbf.test.js @@ -231,7 +231,7 @@ describe('not before', function() { // TODO an nbf of -Infinity should fail validation it('should set null "nbf" when given -Infinity', function (done) { signWithNotBefore(undefined, {nbf: -Infinity}, (err, token) => { - const decoded = jwt.decode(token); + const decoded = jwt.unsafe_decode(token); testUtils.asyncCheck(done, () => { expect(err).to.be.null; expect(decoded).to.have.property('nbf', null); @@ -242,7 +242,7 @@ describe('not before', function() { // TODO an nbf of Infinity should fail validation it('should set null "nbf" when given value Infinity', function (done) { signWithNotBefore(undefined, {nbf: Infinity}, (err, token) => { - const decoded = jwt.decode(token); + const decoded = jwt.unsafe_decode(token); testUtils.asyncCheck(done, () => { expect(err).to.be.null; expect(decoded).to.have.property('nbf', null); 
@@ -253,7 +253,7 @@ describe('not before', function() { // TODO an nbf of NaN should fail validation it('should set null "nbf" when given value NaN', function (done) { signWithNotBefore(undefined, {nbf: NaN}, (err, token) => { - const decoded = jwt.decode(token); + const decoded = jwt.unsafe_decode(token); testUtils.asyncCheck(done, () => { expect(err).to.be.null; expect(decoded).to.have.property('nbf', null); diff --git a/test/decoding.tests.js b/test/decoding.tests.js index 3bd8c13..69cbc03 100644 --- a/test/decoding.tests.js +++ b/test/decoding.tests.js @@ -4,7 +4,7 @@ var expect = require('chai').expect; describe('decoding', function() { it('should not crash when decoding a null token', function () { - var decoded = jwt.decode("null"); + var decoded = jwt.unsafe_decode("null"); expect(decoded).to.equal(null); }); diff --git a/test/header-kid.test.js b/test/header-kid.test.js index e419067..37323ab 100644 --- a/test/header-kid.test.js +++ b/test/header-kid.test.js @@ -57,7 +57,7 @@ describe('keyid', function() { it('should not add "kid" header when "keyid" option not provided', function(done) { signWithKeyId(undefined, {}, (err, token) => { testUtils.asyncCheck(done, () => { - const decoded = jwt.decode(token, {complete: true}); + const decoded = jwt.unsafe_decode(token, {complete: true}); expect(err).to.be.null; expect(decoded.header).to.not.have.property('kid'); }); @@ -67,7 +67,7 @@ describe('keyid', function() { it('should add "kid" header when "keyid" option is provided and an object payload', function(done) { signWithKeyId('foo', {}, (err, token) => { testUtils.asyncCheck(done, () => { - const decoded = jwt.decode(token, {complete: true}); + const decoded = jwt.unsafe_decode(token, {complete: true}); expect(err).to.be.null; expect(decoded.header).to.have.property('kid', 'foo'); }); 
@@ -77,7 +77,7 @@ describe('keyid', function() { it('should add "kid" header when "keyid" option is provided and a Buffer payload', function(done) { signWithKeyId('foo', new Buffer('a Buffer payload'), (err, token) => { testUtils.asyncCheck(done, () => { - const decoded = jwt.decode(token, {complete: true}); + const decoded = jwt.unsafe_decode(token, {complete: true}); expect(err).to.be.null; expect(decoded.header).to.have.property('kid', 'foo'); }); @@ -87,7 +87,7 @@ describe('keyid', function() { it('should add "kid" header when "keyid" option is provided and a string payload', function(done) { signWithKeyId('foo', 'a string payload', (err, token) => { testUtils.asyncCheck(done, () => { - const decoded = jwt.decode(token, {complete: true}); + const decoded = jwt.unsafe_decode(token, {complete: true}); expect(err).to.be.null; expect(decoded.header).to.have.property('kid', 'foo'); }); diff --git a/test/jwt.asymmetric_signing.tests.js b/test/jwt.asymmetric_signing.tests.js index a8472d5..f98c343 100644 --- a/test/jwt.asymmetric_signing.tests.js +++ b/test/jwt.asymmetric_signing.tests.js @@ -145,7 +145,7 @@ describe('Asymmetric Algorithms', function() { describe('when decoding a invalid jwt token', function () { it('should return null', function (done) { - const payload = jwt.decode('whatever.token'); + const payload = jwt.unsafe_decode('whatever.token'); assert.isNull(payload); done(); }); 
@@ -155,14 +155,14 @@ describe('Asymmetric Algorithms', function() { it('should return the payload', function (done) { const obj = { foo: 'bar' }; const token = jwt.sign(obj, priv, { algorithm: algorithm }); - const payload = jwt.decode(token); + const payload = jwt.unsafe_decode(token); assert.equal(payload.foo, obj.foo); done(); }); it('should return the header and payload and signature if complete option is set', function (done) { const obj = { foo: 'bar' }; const token = jwt.sign(obj, priv, { algorithm: algorithm }); - const decoded = jwt.decode(token, { complete: true }); + const decoded = jwt.unsafe_decode(token, { complete: true }); assert.equal(decoded.payload.foo, obj.foo); assert.deepEqual(decoded.header, { typ: 'JWT', alg: algorithm }); assert.ok(typeof decoded.signature == 'string'); diff --git a/test/option-complete.test.js b/test/option-complete.test.js index 29320e8..1afa805 100644 --- a/test/option-complete.test.js +++ b/test/option-complete.test.js @@ -13,7 +13,7 @@ describe('complete option', function () { const header = { alg: 'RS256' }; const payload = { iat: Math.floor(Date.now() / 1000 ) }; const signed = jws.sign({ header, payload, secret, encoding: 'utf8' }); - const signature = jws.decode(signed).signature; + const signature = jws.unsafe_decode(signed).signature; [ { diff --git a/test/set_headers.tests.js b/test/set_headers.tests.js index 75e8a02..dd9f3af 100644 --- a/test/set_headers.tests.js +++ b/test/set_headers.tests.js 
@@ -5,13 +5,13 @@ describe('set header', function() { it('should add the header', function () { var token = jwt.sign({foo: 123}, '123', { header: { foo: 'bar' } }); - var decoded = jwt.decode(token, {complete: true}); + var decoded = jwt.unsafe_decode(token, {complete: true}); expect(decoded.header.foo).to.equal('bar'); }); it('should allow overriding header', function () { var token = jwt.sign({foo: 123}, '123', { header: { alg: 'HS512' } }); - var decoded = jwt.decode(token, {complete: true}); + var decoded = jwt.unsafe_decode(token, {complete: true}); expect(decoded.header.alg).to.equal('HS512'); }); diff --git a/verify.js b/verify.js index cdbfdc4..8eac492 100644 --- a/verify.js +++ b/verify.js @@ -73,7 +73,7 @@ module.exports = function (jwtString, secretOrPublicKey, options, callback) { let decodedToken; try { - decodedToken = decode(jwtString, { complete: true }); + decodedToken = unsafe_decode(jwtString, { complete: true }); } catch(err) { return done(err); }
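Review bot: `unsafe_decode(jwtString, { complete: true })` in verify.js uses a name that no hunk in this file introduces; the section's only hunk starts at line 73, so whatever binding is declared above it is unchanged. If the helper is still bound as `decode` there, this call raises a ReferenceError that the surrounding `catch(err)` passes to `done(err)`, so every verification would fail with an error that looks like a bad token. Either rename the binding at the top of verify.js in this commit or keep `decodedToken = decode(jwtString, { complete: true });`. A comment on this line such as `// unverified: header and payload must not be trusted until the signature check succeeds` would also record why the unsafe variant is acceptable at this point. The enclosing function starts and ends outside the hunk.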