admin0911 1.0.3 → 1.0.5
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/admin0911-1.0.5.tgz +0 -0
- package/index.js +18 -4
- package/package.json +1 -1
- package/admin0911-1.0.3.tgz +0 -0
|
Binary file
|
package/index.js
CHANGED
|
@@ -23,11 +23,25 @@ function base64UrlDecode(input) {
|
|
|
23
23
|
function isValidJWT(token) {
|
|
24
24
|
const parts = token.split('.');
|
|
25
25
|
if (parts.length !== 3) return false;
|
|
26
|
-
|
|
26
|
+
|
|
27
|
+
// Enforce minimum length to avoid short false positives like 'os.path.join' or semantic versions '1.0.1'
|
|
28
|
+
if (parts[0].length < 20 || parts[1].length < 30) return false;
|
|
29
|
+
|
|
30
|
+
// A real JWT parts must look like valid Base64URL
|
|
31
|
+
if (!/^[A-Za-z0-9_-]+$/.test(parts[0]) || !/^[A-Za-z0-9_-]+$/.test(parts[1])) return false;
|
|
32
|
+
|
|
27
33
|
try {
|
|
28
|
-
const
|
|
29
|
-
const
|
|
30
|
-
|
|
34
|
+
const headerStr = base64UrlDecode(parts[0]);
|
|
35
|
+
const payloadStr = base64UrlDecode(parts[1]);
|
|
36
|
+
|
|
37
|
+
// Quick sanity check before parsing - headers must contain {"alg"
|
|
38
|
+
if (!headerStr.includes('"alg"')) return false;
|
|
39
|
+
|
|
40
|
+
const header = JSON.parse(headerStr);
|
|
41
|
+
const payload = JSON.parse(payloadStr);
|
|
42
|
+
|
|
43
|
+
// Must look like a real JWT header and contain some payload keys
|
|
44
|
+
return !!(header && header.alg && Object.keys(payload).length > 0);
|
|
31
45
|
} catch {
|
|
32
46
|
return false;
|
|
33
47
|
}
|
package/package.json
CHANGED
package/admin0911-1.0.3.tgz
DELETED
|
Binary file
|