troyharvey / jwt-cli Goto Github PK

An npm package for decoding JSON Web Tokens (JWT)

License: MIT License

JavaScript 100.00%

jwt-cli's Introduction

jwt-cli

npm install -g jwt-cli

What is this?

jwt is an npm CLI program for decoding JSON Web Tokens (JWT) and the Unix timestamps within their bowels.

Usage

There are two ways to parse a jwt. Copy the jwt to your clipboard and pipe it into the jwt command, or paste it as an argument.

pbpaste | jwt
jwt <encoded token> --secret=<optional signing secret> --output=json

$ jwt eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJpc3MiOiJodHRwOlwvXC9leGFtcGxlLm9yZyIsImF1ZCI6Imh0dHA6XC9cL2V4YW1wbGUuY29tIiwiaWF0IjoxMzU2OTk5NTI0LCJuYmYiOjEzNTcwMDAwMDAsImV4cCI6MTQwNzAxOTYyOSwianRpIjoiaWQxMjM0NTYiLCJ0eXAiOiJodHRwczpcL1wvZXhhbXBsZS5jb21cL3JlZ2lzdGVyIiwidGVzdC10eXBlIjoiZm9vIn0.UGLFIRACaHpGGIDEEv-4IIdLfCGXT62X1vYx7keNMyc

✻ Header
{
  "typ": "JWT",
  "alg": "HS256"
}

✻ Payload
{
  "iss": "http://example.org",
  "aud": "http://example.com",
  "iat": 1356999524,
  "nbf": 1357000000,
  "exp": 1407019629,
  "jti": "id123456",
  "typ": "https://example.com/register",
  "test-type": "foo"
}
   iat: 1356999524 Mon Dec 31 2012 19:18:44 GMT-0500 (EST)
   nbf: 1357000000 Mon Dec 31 2012 19:26:40 GMT-0500 (EST)
   exp: 1407019629 Sat Aug 02 2014 18:47:09 GMT-0400 (EDT)

✻ Signature UGLFIRACaHpGGIDEEv-4IIdLfCGXT62X1vYx7keNMyc

jwt-cli's People

Contributors

Stargazers

Watchers

Forkers

hafizh rue oldpatricka bradparks ashokws davidbiesack bharkreader qmacro dkuerner douglasnaphas kleinron hancockks matsrvc alexanderankin

jwt-cli's Issues

[FR] support pure json output

Motivation: when we only want to parse the raw token, and then query its contents using jq utility.
For instance, extracting iat element from the payload part.

Add ability to encode a token using a secret key

This feature is implemented in jwt-encoder-cli. Would be nice to have as part of the jwt-cli.

use https

I don't agree with shipping tokens to a 3rd party to decode, BUT if you're gonna do it at least use https.

Hide jwt.io link

As best practise posting jwt online is probably something we don't want to recommend to new users, how can we make this a toggle for the users who do want to use it

I see two options

dotfile for this tool, which allows you to enable/disable the feature
environment variable, which turns on/off the feature

Thoughts?

jwt-cli broken by `colors` repo

jwt-cli uses

  "dependencies": {
    "colors": "1.x",

which when installing via

npm i -g jwt-cli

causes the repo to download and use the latest corrupted colors repo

jwt eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJpc3MiOiJodHRwOlwvXC9leGFtcGxlLm9yZyIsImF1ZCI6Imh0dHA6XC9cL2V4YW1wbGUuY29tIiwiaWF0IjoxMzU2OTk5NTI0LCJuYmYiOjEzNTcwMDAwMDAsImV4cCI6MTQwNzAxOTYyOSwianRpIjoiaWQxMjM0NTYiLCJ0eXAiOiJodHRwczpcL1wvZXhhbXBsZS5jb21cL3JlZ2lzdGVyIiwidGVzdC10eXBlIjoiZm9vIn0.UGLFIRACaHpGGIDEEv-4IIdLfCGXT62X1vYx7keNMyc
undefined
undefined
undefined
                                   !             H|H|H|H|H           H__________________________________             H|§|§|§|H           H|* * * * * *|---------------------|             H|§|∞|§|H           H| * * * * * |---------------------|             H|§|§|§|H           H|* * * * * *|---------------------|             H|H|H|H|H           H| * * * * * |---------------------|             H|H|H|H|H           H|---------------------------------|          ===============        H|---------------------------------|            /| _   _ |          H|---------------------------------|            (| O   O |)          H|---------------------------------|            /|   U   |          H-----------------------------------             |  =/  |           H              _..._/            H              _|I/|_            H      _______/| H |/_______    H     /           / /          H    |          | | /         |  H    |          ||o||          |  H    |    |     ||o||     |    |  H    |    |     ||o||     |    |  H   Carl Pilcher  
... more binary garbage ...

The fix is to change the dependency to 1.4.0

AFAICT, I can insert arbitrary letters into signature part, and the tool gives no indication signature is now wrong.
Well, I suppose this'd require options to provide the jwks (data or url) to validate against?

P.S. thanks for the very handly tool! 💚

Please add license

Please add a license file to this repo