tsndr / cloudflare-worker-jwt

A lightweight JWT implementation with ZERO dependencies for Cloudflare Workers.
MIT License

Can't use @ in payload #48

Closed by iosdeveloper 10 months ago

iosdeveloper commented 10 months ago

I found out the hard way that you can't use the @ character in the payload. The sign function will generate a valid token, but the decode function will return null and the valid function will be false (or throw PARSE_ERROR). Using encodeURIComponent or %40 instead will fix it, but it doesn't seem that one should have to encode every payload before passing it to sign.

edit: Using secret string, e.g. 423e72ec59e3735d6e0cd5ed16707ba87659ff9aa0b938228fbeda5594c82867.

tsndr commented 10 months ago

Tried to reproduce using this Worker: https://github.com/tsndr/jwt-test

Which resulted in this response:

{
  "token": "eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJ0ZXN0IiwibW9yZSI6IkB0ZXN0IiwiaWF0IjoxNzAwMTM3MzUzfQ._yucoh2EkUExiPmI5ugUfxs-BAPpoyKmJ-MrHZdGq8Q",
  "decoded": {
    "header": null,
    "payload": {
      "sub": "test",
      "more": "@test",
      "iat": 1700137353
    }
  },
  "verified": true
}

tsndr commented 10 months ago

Related to #49, and fixed with v2.3.0.
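
An independent round-trip check for the behaviour reported in this issue, as an added example that is not part of the thread and not the library's code: a stand-alone HS256 sign/decode/verify that confirms a payload containing @ survives, and that the token from the response above decodes to the payload shown. It assumes Node.js and its crypto module rather than the Workers runtime; the secret and the round-trip payload are constructed.

```javascript
// Added example (not cloudflare-worker-jwt code): minimal HS256 JWT round trip.
const { createHmac, timingSafeEqual } = require('node:crypto');

const b64url = (data) => Buffer.from(data).toString('base64url');
const hmac = (input, secret) => createHmac('sha256', secret).update(input).digest();

function sign(payload, secret) {
  const header = b64url(JSON.stringify({ typ: 'JWT', alg: 'HS256' }));
  const body = b64url(JSON.stringify(payload));
  const sig = hmac(`${header}.${body}`, secret).toString('base64url');
  return `${header}.${body}.${sig}`;
}

// Decode without verifying the signature; returns null on malformed input.
function decode(token) {
  const parts = String(token).split('.');
  if (parts.length !== 3) return null;
  try {
    const [header, payload] = parts.slice(0, 2).map(
      (p) => JSON.parse(Buffer.from(p, 'base64url').toString('utf8')));
    return { header, payload };
  } catch {
    return null;
  }
}

function verify(token, secret) {
  const decoded = decode(token);
  // Pin the algorithm instead of trusting whatever the header claims.
  if (!decoded || decoded.header?.alg !== 'HS256') return false;
  const [h, p, s] = token.split('.');
  const expected = hmac(`${h}.${p}`, secret);
  const given = Buffer.from(s, 'base64url');
  // Constant-time comparison; length check first because timingSafeEqual throws otherwise.
  return given.length === expected.length && timingSafeEqual(given, expected);
}

// Constructed secret and payload for the round trip.
const SECRET = 'constructed-test-secret';
const roundTrip = sign({ sub: 'test', more: '@test', email: 'user@example.com' }, SECRET);

// Token copied from the response in the thread; its secret is not on the page,
// so it is only decoded here, never verified.
const THREAD_TOKEN = 'eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJ0ZXN0IiwibW9yZSI6IkB0ZXN0IiwiaWF0IjoxNzAwMTM3MzUzfQ._yucoh2EkUExiPmI5ugUfxs-BAPpoyKmJ-MrHZdGq8Q';

console.log(decode(roundTrip).payload, verify(roundTrip, SECRET));
console.log(decode(THREAD_TOKEN));
```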