feat(dev,html-app): add support for Elastic Cloud tokens to JWT HTML app

azasypkin · azasypkin · commit 11244d780001 · 2026-05-28T22:09:52.000+02:00
diff --git a/dev/tools/jwt-debugger.html b/dev/tools/jwt-debugger.html
@@ -564,10 +564,23 @@ <h2 id="creditsDialogTitle">Credits</h2>
         } catch (e) { return false; }
     };
 
-    const tryBase64Decode = (str) => {
+    const tryBase64DecodeBytes = (str) => {
         let padded = str.replace(/-/g, '+').replace(/_/g, '/');
         while (padded.length % 4) padded += '=';
-        try { return atob(padded); } catch (e) { return null; }
+        try {
+            const decoded = atob(padded);
+            const bytes = new Uint8Array(decoded.length);
+            for (let i = 0; i < decoded.length; i++) bytes[i] = decoded.charCodeAt(i);
+            return bytes;
+        } catch (e) { return null; }
+    };
+
+    const tryBase64Decode = (str) => {
+        const bytes = tryBase64DecodeBytes(str);
+        if (!bytes) return null;
+        let decoded = '';
+        for (let i = 0; i < bytes.length; i++) decoded += String.fromCharCode(bytes[i]);
+        return decoded;
     };
 
     const findJWTInString = (str) => {
@@ -579,28 +592,157 @@ <h2 id="creditsDialogTitle">Credits</h2>
         return null;
     };
 
+    const escapeHtml = (value) => value.replace(/[&<>"']/g, (ch) => ({
+        '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;'
+    })[ch]);
+
+    const bytesToUtf8 = (bytes) => {
+        try { return new TextDecoder('utf-8', { fatal: true }).decode(bytes); } catch (e) { return null; }
+    };
+
+    const readUint32BE = (bytes, offset) => (
+        ((bytes[offset] << 24) >>> 0) + (bytes[offset + 1] << 16) + (bytes[offset + 2] << 8) + bytes[offset + 3]
+    ) >>> 0;
+
+    const CRC32_TABLE = (() => {
+        const table = new Uint32Array(256);
+        for (let n = 0; n < table.length; n++) {
+            let c = n;
+            for (let k = 0; k < 8; k++) c = (c & 1) ? (0xedb88320 ^ (c >>> 1)) : (c >>> 1);
+            table[n] = c >>> 0;
+        }
+        return table;
+    })();
+
+    const crc32 = (bytes) => {
+        let crc = 0xffffffff;
+        for (let i = 0; i < bytes.length; i++) crc = CRC32_TABLE[(crc ^ bytes[i]) & 0xff] ^ (crc >>> 8);
+        return (crc ^ 0xffffffff) >>> 0;
+    };
+
+    const unwrapElasticChecksum = (bytes) => {
+        if (bytes.length < 8) return null;
+        const separatorOffset = bytes.length - 8;
+        if (
+            bytes[separatorOffset] !== 0 || bytes[separatorOffset + 1] !== 0 ||
+            bytes[separatorOffset + 2] !== 0 || bytes[separatorOffset + 3] !== 0
+        ) {
+            return null;
+        }
+
+        const payload = bytes.subarray(0, separatorOffset);
+        return crc32(payload) === readUint32BE(bytes, bytes.length - 4) ? payload : null;
+    };
+
+    const readLz4Length = (bytes, state, initialLength) => {
+        let length = initialLength;
+        if (length !== 15) return length;
+
+        let next;
+        do {
+            if (state.offset >= bytes.length) throw new Error('Invalid LZ4 length');
+            next = bytes[state.offset++];
+            length += next;
+        } while (next === 255);
+        return length;
+    };
+
+    const decompressLz4BlockWithLength = (bytes) => {
+        if (bytes.length < 4) return null;
+
+        const outputLength = readUint32BE(bytes, 0);
+        if (outputLength === 0 || outputLength > 1024 * 1024) return null;
+
+        const output = new Uint8Array(outputLength);
+        const state = { offset: 4 };
+        let outputOffset = 0;
+
+        try {
+            while (state.offset < bytes.length) {
+                const token = bytes[state.offset++];
+                const literalLength = readLz4Length(bytes, state, token >> 4);
+                if (state.offset + literalLength > bytes.length || outputOffset + literalLength > outputLength) return null;
+
+                output.set(bytes.subarray(state.offset, state.offset + literalLength), outputOffset);
+                state.offset += literalLength;
+                outputOffset += literalLength;
+
+                if (state.offset >= bytes.length) break;
+                if (state.offset + 2 > bytes.length) return null;
+
+                const matchOffset = bytes[state.offset] | (bytes[state.offset + 1] << 8);
+                state.offset += 2;
+                if (matchOffset === 0 || matchOffset > outputOffset) return null;
+
+                const matchLength = readLz4Length(bytes, state, token & 0x0f) + 4;
+                if (outputOffset + matchLength > outputLength) return null;
+
+                for (let i = 0; i < matchLength; i++) {
+                    output[outputOffset + i] = output[outputOffset - matchOffset + i];
+                }
+                outputOffset += matchLength;
+            }
+        } catch (e) {
+            return null;
+        }
+
+        return outputOffset === outputLength ? output : null;
+    };
+
+    const decodeElasticWrappedJWT = (encoded) => {
+        const bytes = tryBase64DecodeBytes(encoded);
+        if (!bytes) return null;
+
+        const checksumPayload = unwrapElasticChecksum(bytes);
+        if (!checksumPayload) return null;
+
+        const decompressed = decompressLz4BlockWithLength(checksumPayload);
+        const decodedPayload = decompressed ? bytesToUtf8(decompressed) : bytesToUtf8(checksumPayload);
+        if (!decodedPayload) return null;
+
+        const jwt = findJWTInString(decodedPayload);
+        if (!jwt) return null;
+
+        const transforms = ['Base64-decoded', 'Verified Elastic checksum'];
+        if (decompressed) transforms.push('LZ4-decompressed');
+        transforms.push('Extracted JWT from Elastic token');
+        return { jwt, transforms };
+    };
+
     // Unwraps Bearer prefixes, opaque session tokens, and base64-wrapped envelopes
     // around a real JWT, so users can paste whatever their HTTP tooling shows.
     const extractJWT = (input) => {
         input = input.trim();
         if (!input) return null;
 
+        const bearerMatch = input.match(/^Bearer\s+(.+)$/i);
+        if (bearerMatch) {
+            const result = extractJWT(bearerMatch[1]);
+            if (result) return { jwt: result.jwt, transforms: ['Stripped <code>Bearer</code> prefix', ...result.transforms] };
+        }
+
         if (isValidJWT(input)) return { jwt: input, transforms: [] };
 
         const segments = input.split('_');
         for (let i = 1; i < segments.length && i <= 5; i++) {
             const remainder = segments.slice(i).join('_');
             const prefix = segments.slice(0, i).join('_') + '_';
+            const prefixLabel = `<code>${escapeHtml(prefix)}</code>`;
 
             if (isValidJWT(remainder)) {
-                return { jwt: remainder, transforms: [`Stripped prefix <code>${prefix}</code>`] };
+                return { jwt: remainder, transforms: [`Stripped prefix ${prefixLabel}`] };
+            }
+
+            const elasticWrapped = decodeElasticWrappedJWT(remainder);
+            if (elasticWrapped) {
+                return { jwt: elasticWrapped.jwt, transforms: [`Stripped prefix ${prefixLabel}`, ...elasticWrapped.transforms] };
             }
 
             const decoded = tryBase64Decode(remainder);
             if (decoded) {
                 const jwt = findJWTInString(decoded);
                 if (jwt) {
-                    return { jwt, transforms: [`Stripped prefix <code>${prefix}</code>`, 'Base64-decoded', 'Extracted JWT from decoded payload'] };
+                    return { jwt, transforms: [`Stripped prefix ${prefixLabel}`, 'Base64-decoded', 'Extracted JWT from decoded payload'] };
                 }
             }
         }
diff --git a/dev/tools/jwt-debugger.skill.md b/dev/tools/jwt-debugger.skill.md
@@ -19,10 +19,10 @@ library and report results in chat.
 
 ## Inputs
 
-| Field    | Type   | Default  | Notes                                                                                 |
-|----------|--------|----------|---------------------------------------------------------------------------------------|
-| `jwt`    | string | required | The compact-form token: `header.payload.signature`. Strip any `Bearer ` prefix first. |
-| `secret` | string | `""`     | Optional HMAC secret used for verification or re-signing. Empty string when unknown.  |
+| Field    | Type   | Default  | Notes                                                                                                                                  |
+|----------|--------|----------|----------------------------------------------------------------------------------------------------------------------------------------|
+| `jwt`    | string | required | The compact-form token: `header.payload.signature`. The UI also accepts `Bearer ...`, base64-wrapped JWTs, and Elastic `essu_` tokens. |
+| `secret` | string | `""`     | Optional HMAC secret used for verification or re-signing. Empty string when unknown.                                                   |
 
 State object shape (keys are exactly `j`, `s`):
 
@@ -82,8 +82,9 @@ sentence; don't paraphrase the payload contents.
   Secutils server but is fully visible to anyone with the link. Never paste
   high-value production secrets into a share URL - generate or rotate the
   secret first.
-- Strip `Bearer ` (and any surrounding whitespace) from the JWT before
-  encoding; the tool expects the raw three-segment token.
+- Prefer encoding the raw three-segment JWT. The tool can unwrap `Bearer `,
+  base64-wrapped JWTs, and Elastic `essu_` tokens pasted directly into the UI, but
+  share URLs are smallest when they store the compact JWT itself.
 - Asymmetric algorithms (RS*, ES*, PS*) are not supported by this tool. If
   the header `alg` is one of those, decode in chat and tell the user to use a
   server-side library for verification.
diff --git a/e2e/tools/jwt.spec.ts b/e2e/tools/jwt.spec.ts
@@ -10,6 +10,8 @@ const tool = getTool('jwt');
 const SAMPLE_JWT =
   'eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ.SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c';
 const SAMPLE_SECRET = 'your-256-bit-secret';
+const ELASTIC_REFRESH_TOKEN =
+  'essu_AAABc/AIZXlKMGVYQWlPaUpLVjFRaUxDSmhiR2MQAPAySVV6STFOaUo5LmV5SnpkV0lpT2lJek9URXlORFExTWpJeUlpd2libUptSWpveE56YzVPREE1TkRZeUxDSnBjM01FAPBHbGJHRnpkR2xqTFdOc2IzVmtJaXdpZEhsd0lqb2ljbVZtY21WemFDMTBiMnRsYmlJc0luTmxjM05wYjI1ZlkzSmxZWFJsWkNJNk1UYzNPVGd3T1RVeU14ADAybGtEAPIGTVRNeE56STBNREUzT1NJc0ltVjRjMACBNE1EQTJPRGMwAEBjMnAwMABQZFhObGNoAEJtbGhkKAAJWABAYW5ScCgA8EtNR1F6TnpFeU5qUXdZVGRrTkRnNVlXRmhPR1pqTURreU9ETXhPVEV3TUdJaWZRLlM1SWdvZXlQSFNYOGIxU0hoZmdGT2EtRUV4ZDk0dl9YdmtIT09lZ1RkX1UAAAAAtnky3g==';
 
 test.describe(`${tool.name} (${tool.path})`, () => {
   test('SEO head block matches the AGENTS.md SEO budget', async ({ page }) => {
@@ -27,8 +29,19 @@ test.describe(`${tool.name} (${tool.path})`, () => {
     const encoded = page.locator('#encoded-output');
     await expect(encoded).toBeVisible();
     await encoded.fill(SAMPLE_JWT);
-    await expect(page.locator('#header-output')).toContainText('HS256');
-    await expect(page.locator('#payload-output')).toContainText('John Doe');
+    await expect(page.locator('#decoded-header')).toHaveValue(/"alg": "HS256"/);
+    await expect(page.locator('#decoded-payload')).toHaveValue(/"name": "John Doe"/);
+  });
+
+  test('unwraps an Elastic essu-prefixed LZ4 token', async ({ page }) => {
+    await page.goto(tool.path);
+    const encoded = page.locator('#encoded-output');
+    await expect(encoded).toBeVisible();
+    await encoded.fill(ELASTIC_REFRESH_TOKEN);
+    await expect(page.locator('#transform-info')).toContainText('LZ4-decompressed');
+    await expect(encoded).toContainText(/^eyJ/);
+    await expect(page.locator('#decoded-header')).toHaveValue(/"alg": "HS256"/);
+    await expect(page.locator('#decoded-payload')).toHaveValue(/"typ": "refresh-token"/);
   });
 
   test('verifies the signature once the secret is provided', async ({ page }) => {
@@ -40,8 +53,10 @@ test.describe(`${tool.name} (${tool.path})`, () => {
 
   test('Share button produces a shareable URL with state in the fragment', async ({ page }) => {
     await page.goto(tool.path);
-    await page.locator('#encoded-output').fill(SAMPLE_JWT);
+    const encoded = page.locator('#encoded-output');
+    await encoded.fill(SAMPLE_JWT);
     await page.locator('#secret-input').fill(SAMPLE_SECRET);
+    const sharedJwt = await encoded.innerText();
 
     // Capture the URL the page wants to share by stubbing the clipboard.
     let copied = '';
@@ -61,7 +76,7 @@ test.describe(`${tool.name} (${tool.path})`, () => {
 
     const fragment = new URL(copied).hash;
     await page.goto(`${tool.path}${fragment}`);
-    await expect(page.locator('#encoded-output')).toHaveValue(SAMPLE_JWT);
+    await expect(page.locator('#encoded-output')).toContainText(sharedJwt);
     await expect(page.locator('#secret-input')).toHaveValue(SAMPLE_SECRET);
   });
 });
