
fix(jwt): validate token format in decode and decodeHeader functions#4752

Merged
yusukebe merged 2 commits into honojs:main from otoneko1102:fix/jwt-decode-validate-token-format
Mar 4, 2026

Conversation

otoneko1102 (Contributor) commented Feb 22, 2026

The author should do the following, if applicable

  • Add tests
  • Run tests
  • bun run format:fix && bun run lint:fix to format the code
  • Add TSDoc/JSDoc to document the code

decode() and decodeHeader() do not validate that the token has exactly 3 parts (header.payload.signature), while verify() does. This inconsistency allows malformed tokens to be silently accepted by decode().

  • Added 3-part validation to decode() and decodeHeader(), consistent with verify()
  • Re-throw JwtTokenInvalid instead of catching and wrapping it
  • Added tests for malformed tokens (1, 2, 4 parts, empty string)
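The check the PR describes, as an added example written for this page and not Hono's own code: both decoders share one three-segment check, and `decode()` re-throws the structural error rather than wrapping it. `JwtTokenInvalid`, the helper names and the sample token are assumptions of this example.

```typescript
// Added example, not Hono's code: decode()/decodeHeader() that reject any token not
// shaped as header.payload.signature, the same rule verify() enforces. Names are assumed.
export class JwtTokenInvalid extends Error {
  constructor(token: string) {
    super(`invalid JWT token: ${token}`)
    this.name = 'JwtTokenInvalid'
  }
}

function base64UrlEncode(value: unknown): string {
  const b64 = Buffer.from(JSON.stringify(value), 'utf8').toString('base64')
  return b64.replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '')
}

function base64UrlDecode(segment: string): string {
  const b64 = segment.replace(/-/g, '+').replace(/_/g, '/')
  const padded = b64 + '='.repeat((4 - (b64.length % 4)) % 4)
  return Buffer.from(padded, 'base64').toString('utf8')
}

// Structural check shared by both decoders: exactly three dot-separated parts.
function splitToken(token: string): [string, string, string] {
  const parts = token.split('.')
  if (parts.length !== 3) throw new JwtTokenInvalid(token)
  return parts as [string, string, string]
}

export function decodeHeader(token: string): Record<string, unknown> {
  return JSON.parse(base64UrlDecode(splitToken(token)[0]))
}

export function decode(token: string): { header: Record<string, unknown>; payload: Record<string, unknown> } {
  try {
    const [h, p] = splitToken(token)
    return { header: JSON.parse(base64UrlDecode(h)), payload: JSON.parse(base64UrlDecode(p)) }
  } catch (e) {
    // Re-throw the structural error as-is; only wrap base64/JSON parse failures.
    if (e instanceof JwtTokenInvalid) throw e
    throw new JwtTokenInvalid(token)
  }
}

// Constructed sample token: the signature segment is a placeholder, decode() never checks it.
export const SAMPLE_TOKEN = [
  base64UrlEncode({ alg: 'HS256', typ: 'JWT' }),
  base64UrlEncode({ sub: '1234567890', name: 'John Doe' }),
  'placeholder-signature',
].join('.')
```

A `decode()` without the `splitToken` check would happily parse `'a.b'` as a header-only token, which is the silent acceptance the PR closes.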

codecov bot commented Feb 27, 2026

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 91.45%. Comparing base (2de30d7) to head (c4502d9).
⚠️ Report is 19 commits behind head on main.

Additional details and impacted files
@@            Coverage Diff             @@
##             main    #4752      +/-   ##
==========================================
- Coverage   91.48%   91.45%   -0.03%     
==========================================
  Files         177      177              
  Lines       11556    11569      +13     
  Branches     3357     3363       +6     
==========================================
+ Hits        10572    10581       +9     
- Misses        983      987       +4     
  Partials        1        1              


yusukebe (Member) commented Mar 4, 2026

Hey @otoneko1102

I refactored the code to simplify nesting by myself. Looks good. I'll merge this now. Thank you for your contribution!

@yusukebe yusukebe merged commit 8c4d7f3 into honojs:main Mar 4, 2026
20 checks passed
otoneko1102 (Contributor, Author) commented:

Thanks!
