improved isJWT.js to decode base64 strings and verify them

aryanlmfaoo · aryanlmfaoo · commit 0acd502dcfc8 · 2025-10-01T14:13:56.000+05:30
diff --git a/.gitignore b/.gitignore
@@ -10,4 +10,5 @@ yarn.lock
 /index.js
 validator.js
 validator.min.js
+.idea
 
diff --git a/src/lib/isJWT.js b/src/lib/isJWT.js
@@ -1,15 +1,37 @@
-import assertString from './util/assertString';
-import isBase64 from './isBase64';
+import assertString from './util/assertString'
 
-export default function isJWT(str) {
-  assertString(str);
+function decodeBase64Url (str) {
+  str = str.replace(/-/g, '+').replace(/_/g, '/')
+  const pad = str.length % 4
+  if (pad) str += '='.repeat(4 - pad)
 
-  const dotSplit = str.split('.');
-  const len = dotSplit.length;
+  if (typeof Buffer !== 'undefined') {
+    // Node.js
+    return Buffer.from(str, 'base64').toString('utf8')
+  } else if (typeof atob !== 'undefined') {
+    // Browser
+    return atob(str)
+  } else {
+    throw new Error('No base64 decoder available')
+  }
+}
+
+export default function isJWT (str) {
+  assertString(str)
+
+  const parts = str.split('.')
+  if (parts.length !== 3) return false
+  try {
+    const header = JSON.parse(decodeBase64Url(parts[0]))
+    const payload = JSON.parse(decodeBase64Url(parts[1]))
+
+    if (typeof header !== 'object' || header === null) return false
+    if (typeof payload !== 'object' || payload === null) return false
+    if (typeof header.alg !== 'string') return false
 
-  if (len !== 3) {
-    return false;
+    return true
+  } catch (e) {
+    return false
   }
 
-  return dotSplit.reduce((acc, currElem) => acc && isBase64(currElem, { urlSafe: true }), true);
 }
