Issue #952 fixed rename decode function unsafe_decode to highlight th…

…e risk #952 I have made the changes as per above mentioned in the above comment.
auth0 · Dec 30, 2023 · 60fa6b8 · 60fa6b8
1 parent bc28861
commit 60fa6b8
Show file tree

Hide file tree

Showing 13 changed files with 27 additions and 27 deletions.
diff --git a/README.md b/README.md
@@ -243,7 +243,7 @@ jwt.verify(token, getKey, options, function(err, decoded) {
 <details>
 <summary><em></em>Need to peek into a JWT without verifying it? (Click to expand)</summary>
 
-### jwt.decode(token [, options])
+### jwt.unsafe_decode(token [, options])
 
 (Synchronous) Returns the decoded payload without verifying if the signature is valid.
 
@@ -263,10 +263,10 @@ Example
 
 ```js
 // get the decoded payload ignoring signature, no secretOrPrivateKey needed
-var decoded = jwt.decode(token);
+var decoded = jwt.unsafe_decode(token);
 
 // get the decoded payload and header
-var decoded = jwt.decode(token, {complete: true});
+var decoded = jwt.unsafe_decode(token, {complete: true});
 console.log(decoded.header);
 console.log(decoded.payload)
 ```

diff --git a/decode.js b/decode.js
@@ -2,7 +2,7 @@ var jws = require('jws');
 
 module.exports = function (jwt, options) {
   options = options || {};
-  var decoded = jws.decode(jwt, options);
+  var decoded = jws.unsafe_decode(jwt, options);
   if (!decoded) { return null; }
   var payload = decoded.payload;
 

diff --git a/test/async_sign.tests.js b/test/async_sign.tests.js
@@ -104,7 +104,7 @@ describe('signing a token asynchronously', function() {
     it('should not stringify the payload', function (done) {
       jwt.sign('string', 'secret', {}, function (err, token) {
         if (err) { return done(err); }
-        expect(jws.decode(token).payload).to.equal('string');
+        expect(jws.unsafe_decode(token).payload).to.equal('string');
         done();
       });
     });

diff --git a/test/buffer.tests.js b/test/buffer.tests.js
@@ -5,6 +5,6 @@ describe('buffer payload', function () {
   it('should work', function () {
     var payload = new Buffer('TkJyotZe8NFpgdfnmgINqg==', 'base64');
     var token = jwt.sign(payload, "signing key");
-    assert.equal(jwt.decode(token), payload.toString());
+    assert.equal(jwt.unsafe_decode(token), payload.toString());
   });
 });
diff --git a/test/claim-exp.test.js b/test/claim-exp.test.js
@@ -234,7 +234,7 @@ describe('expires', function() {
     // TODO an exp of -Infinity should fail validation
     it('should set null "exp" when given -Infinity', function (done) {
       signWithExpiresIn(undefined, {exp: -Infinity}, (err, token) => {
-        const decoded = jwt.decode(token);
+        const decoded = jwt.unsafe_decode(token);
         testUtils.asyncCheck(done, () => {
           expect(err).to.be.null;
           expect(decoded).to.have.property('exp', null);
@@ -245,7 +245,7 @@ describe('expires', function() {
     // TODO an exp of Infinity should fail validation
     it('should set null "exp" when given value Infinity', function (done) {
       signWithExpiresIn(undefined, {exp: Infinity}, (err, token) => {
-        const decoded = jwt.decode(token);
+        const decoded = jwt.unsafe_decode(token);
         testUtils.asyncCheck(done, () => {
           expect(err).to.be.null;
           expect(decoded).to.have.property('exp', null);
@@ -256,7 +256,7 @@ describe('expires', function() {
     // TODO an exp of NaN should fail validation
     it('should set null "exp" when given value NaN', function (done) {
       signWithExpiresIn(undefined, {exp: NaN}, (err, token) => {
-        const decoded = jwt.decode(token);
+        const decoded = jwt.unsafe_decode(token);
         testUtils.asyncCheck(done, () => {
           expect(err).to.be.null;
           expect(decoded).to.have.property('exp', null);

diff --git a/test/claim-iat.test.js b/test/claim-iat.test.js
@@ -148,7 +148,7 @@ describe('issue at', function() {
         signWithIssueAt(testCase.iat, testCase.options, (err, token) => {
           testUtils.asyncCheck(done, () => {
             expect(err).to.be.null;
-            expect(jwt.decode(token).iat).to.equal(testCase.expectedIssueAt);
+            expect(jwt.unsafe_decode(token).iat).to.equal(testCase.expectedIssueAt);
           });
         });
       });
@@ -253,7 +253,7 @@ describe('issue at', function() {
       const payload = 'string payload';
       const options = {algorithm: 'HS256'};
       testUtils.signJWTHelper(payload, 'secret', options, (err, token) => {
-        const decoded = jwt.decode(token);
+        const decoded = jwt.unsafe_decode(token);
         testUtils.asyncCheck(done, () => {
           expect(err).to.be.null;
           expect(decoded).to.equal(payload);
@@ -265,7 +265,7 @@ describe('issue at', function() {
       const payload = '{}';
       const options = {algorithm: 'HS256', header: {typ: 'JWT'}};
       testUtils.signJWTHelper(payload, 'secret', options, (err, token) => {
-        const decoded = jwt.decode(token);
+        const decoded = jwt.unsafe_decode(token);
         testUtils.asyncCheck(done, () => {
           expect(err).to.equal(null);
           expect(JSON.stringify(decoded)).to.equal(payload);

diff --git a/test/claim-nbf.test.js b/test/claim-nbf.test.js
@@ -231,7 +231,7 @@ describe('not before', function() {
     // TODO an nbf of -Infinity should fail validation
     it('should set null "nbf" when given -Infinity', function (done) {
       signWithNotBefore(undefined, {nbf: -Infinity}, (err, token) => {
-        const decoded = jwt.decode(token);
+        const decoded = jwt.unsafe_decode(token);
         testUtils.asyncCheck(done, () => {
           expect(err).to.be.null;
           expect(decoded).to.have.property('nbf', null);
@@ -242,7 +242,7 @@ describe('not before', function() {
     // TODO an nbf of Infinity should fail validation
     it('should set null "nbf" when given value Infinity', function (done) {
       signWithNotBefore(undefined, {nbf: Infinity}, (err, token) => {
-        const decoded = jwt.decode(token);
+        const decoded = jwt.unsafe_decode(token);
         testUtils.asyncCheck(done, () => {
           expect(err).to.be.null;
           expect(decoded).to.have.property('nbf', null);
@@ -253,7 +253,7 @@ describe('not before', function() {
     // TODO an nbf of NaN should fail validation
     it('should set null "nbf" when given value NaN', function (done) {
       signWithNotBefore(undefined, {nbf: NaN}, (err, token) => {
-        const decoded = jwt.decode(token);
+        const decoded = jwt.unsafe_decode(token);
         testUtils.asyncCheck(done, () => {
           expect(err).to.be.null;
           expect(decoded).to.have.property('nbf', null);

diff --git a/test/decoding.tests.js b/test/decoding.tests.js
@@ -4,7 +4,7 @@ var expect = require('chai').expect;
 describe('decoding', function() {
 
   it('should not crash when decoding a null token', function () {
-    var decoded = jwt.decode("null");
+    var decoded = jwt.unsafe_decode("null");
     expect(decoded).to.equal(null);
   });
 

diff --git a/test/header-kid.test.js b/test/header-kid.test.js
@@ -57,7 +57,7 @@ describe('keyid', function() {
     it('should not add "kid" header when "keyid" option not provided', function(done) {
       signWithKeyId(undefined, {}, (err, token) => {
         testUtils.asyncCheck(done, () => {
-          const decoded = jwt.decode(token, {complete: true});
+          const decoded = jwt.unsafe_decode(token, {complete: true});
           expect(err).to.be.null;
           expect(decoded.header).to.not.have.property('kid');
         });
@@ -67,7 +67,7 @@ describe('keyid', function() {
     it('should add "kid" header when "keyid" option is provided and an object payload', function(done) {
       signWithKeyId('foo', {}, (err, token) => {
         testUtils.asyncCheck(done, () => {
-          const decoded = jwt.decode(token, {complete: true});
+          const decoded = jwt.unsafe_decode(token, {complete: true});
           expect(err).to.be.null;
           expect(decoded.header).to.have.property('kid', 'foo');
         });
@@ -77,7 +77,7 @@ describe('keyid', function() {
     it('should add "kid" header when "keyid" option is provided and a Buffer payload', function(done) {
       signWithKeyId('foo', new Buffer('a Buffer payload'), (err, token) => {
         testUtils.asyncCheck(done, () => {
-          const decoded = jwt.decode(token, {complete: true});
+          const decoded = jwt.unsafe_decode(token, {complete: true});
           expect(err).to.be.null;
           expect(decoded.header).to.have.property('kid', 'foo');
         });
@@ -87,7 +87,7 @@ describe('keyid', function() {
     it('should add "kid" header when "keyid" option is provided and a string payload', function(done) {
       signWithKeyId('foo', 'a string payload', (err, token) => {
         testUtils.asyncCheck(done, () => {
-          const decoded = jwt.decode(token, {complete: true});
+          const decoded = jwt.unsafe_decode(token, {complete: true});
           expect(err).to.be.null;
           expect(decoded.header).to.have.property('kid', 'foo');
         });

diff --git a/test/jwt.asymmetric_signing.tests.js b/test/jwt.asymmetric_signing.tests.js
@@ -145,7 +145,7 @@ describe('Asymmetric Algorithms', function() {
 
       describe('when decoding a invalid jwt token', function () {
         it('should return null', function (done) {
-          const payload = jwt.decode('whatever.token');
+          const payload = jwt.unsafe_decode('whatever.token');
           assert.isNull(payload);
           done();
         });
@@ -155,14 +155,14 @@ describe('Asymmetric Algorithms', function() {
         it('should return the payload', function (done) {
           const obj = { foo: 'bar' };
           const token = jwt.sign(obj, priv, { algorithm: algorithm });
-          const payload = jwt.decode(token);
+          const payload = jwt.unsafe_decode(token);
           assert.equal(payload.foo, obj.foo);
           done();
         });
         it('should return the header and payload and signature if complete option is set', function (done) {
           const obj = { foo: 'bar' };
           const token = jwt.sign(obj, priv, { algorithm: algorithm });
-          const decoded = jwt.decode(token, { complete: true });
+          const decoded = jwt.unsafe_decode(token, { complete: true });
           assert.equal(decoded.payload.foo, obj.foo);
           assert.deepEqual(decoded.header, { typ: 'JWT', alg: algorithm });
           assert.ok(typeof decoded.signature == 'string');

diff --git a/test/option-complete.test.js b/test/option-complete.test.js
@@ -13,7 +13,7 @@ describe('complete option', function () {
   const header = { alg: 'RS256' };
   const payload = { iat: Math.floor(Date.now() / 1000 ) };
   const signed = jws.sign({ header, payload, secret, encoding: 'utf8' });
-  const signature = jws.decode(signed).signature;
+  const signature = jws.unsafe_decode(signed).signature;
 
   [
     {

diff --git a/test/set_headers.tests.js b/test/set_headers.tests.js
@@ -5,13 +5,13 @@ describe('set header', function() {
 
   it('should add the header', function () {
     var token = jwt.sign({foo: 123}, '123', { header: { foo: 'bar' } });
-    var decoded = jwt.decode(token, {complete: true});
+    var decoded = jwt.unsafe_decode(token, {complete: true});
     expect(decoded.header.foo).to.equal('bar');
   });
 
   it('should allow overriding header', function () {
     var token = jwt.sign({foo: 123}, '123', { header: { alg: 'HS512' } });
-    var decoded = jwt.decode(token, {complete: true});
+    var decoded = jwt.unsafe_decode(token, {complete: true});
     expect(decoded.header.alg).to.equal('HS512');
   });
 

diff --git a/verify.js b/verify.js
@@ -73,7 +73,7 @@ module.exports = function (jwtString, secretOrPublicKey, options, callback) {
   let decodedToken;
 
   try {
-    decodedToken = decode(jwtString, { complete: true });
+    decodedToken = unsafe_decode(jwtString, { complete: true });
   } catch(err) {
     return done(err);
   }