Skip to content

When decoding, if JWT payload is not valid it returns null #24

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
dschenkelman wants to merge 1 commit into
base: master
Choose a base branch
from
Open

When decoding, if JWT payload is not valid it returns null #24

dschenkelman wants to merge 1 commit into from

Conversation

@dschenkelman
Copy link
Member

@dschenkelman dschenkelman commented Jun 2, 2015

No description provided.

@dschenkelman dschenkelman mentioned this pull request Jun 2, 2015
Open
@hsablonniere
Copy link

hsablonniere commented Sep 21, 2015

Hey, BTW, there's already a "safe" JSON parse : https://github.com/brianloveswords/node-jws/blob/master/lib/verify-stream.js#L14

I have the same problem so I would really like to see this PR merged.

@forivall forivall mentioned this pull request Jul 19, 2016
Merged
@dschenkelman
Copy link
Member Author

dschenkelman commented Sep 6, 2016

Wow, had forgotten about this PR! @hsablonniere thanks for the suggestion, updated the code.

Just updated to master in case this could still get in. I know it changes behaviors compared to the old one, but is seems more consistent.

Thoughts?

@hsablonniere
Copy link

hsablonniere commented Nov 25, 2016

Hey Damian,

Long time no see :-)
I don't have any ongoing projects using this. I just took a bit of time to read it and it seems legit.

loucadufault
loucadufault reviewed Jan 30, 2023
View reviewed changes
lib/verify-stream.js
function safeJsonParse(thing, encoding) {
if (isObject(thing))
return thing;
try { return JSON.parse(thing); }
Copy link

@loucadufault loucadufault Jan 30, 2023

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

this is not supported by the JSON.parse API, see comment here: #86 (comment)

Ref: reviver in https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/JSON/parse

Copy link

@loucadufault loucadufault Jan 30, 2023

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

IMO only the if (!payload) { return null; } check should be added by this CR, encoding support is addressed in newer CR #86

@papandreou
Copy link

papandreou commented Jun 2, 2025

I also just ran into this due to a security researcher sending malformed JSON in the base64-encoded payload.

@shane-tomlinson, please consider merging this 🤗

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

1 more reviewer

@loucadufault loucadufault loucadufault left review comments

Reviewers whose approvals may not affect merge requirements

At least 1 approving review is required to merge this pull request.

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

4 participants

@dschenkelman @hsablonniere @papandreou @loucadufault