JWT Decoding Challenge

Understanding the Problem

JSON Web Tokens (JWTs) are like digital passports - they contain encoded information about the user. In this exercise, we need to:

Split a JWT into its three components
Decode the header and payload sections
Extract specific information (algorithm and email)

Devising a Plan

Identify the JWT structure (three parts separated by periods)
Split the string using the period as a delimiter
Decode the base64 encoded header and payload
Parse the JSON to read the values
Extract the required information

Basic Solution

File Location: index.js

// Given JWT string
const sampleJwt = "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJlbWFpbCI6Im15c2VsZkBhcHBhY2FkZW15LmlvIn0.EqRikwoGyAlfvblF_FdbnQlbAQGvWZlccFnmHOVdaLg";

// Step 1: Split the JWT into parts
const [header, payload, signature] = sampleJwt.split('.');
console.log('Parts:', { header, payload, signature });

// Step 2: Decode header and payload
const decodedHeader = Buffer.from(header, 'base64').toString();
const decodedPayload = Buffer.from(payload, 'base64').toString();

// Step 3: Parse the JSON
const headerObj = JSON.parse(decodedHeader);
const payloadObj = JSON.parse(decodedPayload);

console.log('Decoded Header:', headerObj);
console.log('Decoded Payload:', payloadObj);

// Extract required information
console.log('Algorithm:', headerObj.alg);
console.log('Email:', payloadObj.email);

Advanced Solution

Here's a more robust solution with error handling:

function decodeJWT(token) {
    try {
        // Validate input
        if (typeof token !== 'string') {
            throw new Error('JWT must be a string');
        }

        // Split and validate parts
        const parts = token.split('.');
        if (parts.length !== 3) {
            throw new Error('Invalid JWT format');
        }

        const [header, payload, signature] = parts;

        // Decode and parse parts
        const decoded = {
            header: JSON.parse(Buffer.from(header, 'base64').toString()),
            payload: JSON.parse(Buffer.from(payload, 'base64').toString()),
            signature
        };

        return {
            ...decoded,
            algorithm: decoded.header.alg,
            email: decoded.payload.email
        };
    } catch (error) {
        console.error('Error decoding JWT:', error.message);
        return null;
    }
}

const result = decodeJWT(sampleJwt);
console.log(result);

Expected Input/Output

Input:

eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJlbWFpbCI6Im15c2VsZkBhcHBhY2FkZW15LmlvIn0.EqRikwoGyAlfvblF_FdbnQlbAQGvWZlccFnmHOVdaLg

Expected Output:

Algorithm: HS256
Email: myself@appacademy.io

Step by Step Explanation

JWT Structure:
- A JWT is made up of three parts separated by dots (.)
- Each part serves a specific purpose:
  - Header: Contains metadata about the token type and algorithm
  - Payload: Contains the actual data (claims)
  - Signature: Verifies the token hasn't been tampered with
Splitting the Token:
- Use JavaScript's split() method with '.' as delimiter
- Destructure the result into three variables
Decoding:
- Use Buffer.from() to convert from base64
- Convert the buffer to a string
- Parse the string as JSON

Real World Applications

Understanding JWT structure and decoding is crucial for:

Authentication systems
API development
Single Sign-On (SSO) implementations
Security auditing
Debugging authentication issues

Common Mistakes to Avoid

Forgetting to handle base64 padding issues
Not validating the JWT format
Assuming all JWTs are URL-safe
Forgetting to catch JSON.parse errors

Additional Tips

Always validate JWT format before processing
Remember that the signature is meant to stay encoded
Use try-catch blocks for robust error handling
Consider using established JWT libraries in production

Further Learning

To deepen your understanding of JWTs:

Study the JWT specification (RFC 7519)
Learn about different JWT signing algorithms
Practice implementing JWT authentication
Explore common JWT security vulnerabilities