don't throw an error when decode a bad token or header

Author: joaquimserafim

.travis.yml

@@ -2,6 +2,7 @@
  node_js:
    - 4
    - 5
+   - 6
  branches:
  only:
   - master

index.js

@@ -3,6 +3,7 @@
 const crypto    = require('crypto')
 const b64url    = require('base64-url')
 const inherits  = require('util').inherits
+const parse     = require('json-parse-safe')
 
 //
 // supported algorithms
@@ -70,8 +71,8 @@ function decode (key, token, cb) {
   }
 
   // base64 decode and parse JSON
-  var header = JSON.parse(b64url.decode(parts[0]))
-  var payload = JSON.parse(b64url.decode(parts[1]))
+  var header = JSONParse(b64url.decode(parts[0]))
+  var payload = JSONParse(b64url.decode(parts[1]))
 
   // get algorithm hash and type and check if is valid
   var algorithm = algorithms[header.alg]
@@ -150,3 +151,9 @@ function paramsAreFalsy (param1, param2) {
   return !param1 || !param2
 }
 
+function JSONParse (str) {
+  var res = parse(str)
+
+  return res.error && '' || res.value
+}
+

package.json

@@ -1,6 +1,6 @@
 {
   "name": "json-web-token",
-  "version": "2.0.2",
+  "version": "2.0.3",
   "description": "JSON Web Token (JWT) is a compact token format intended for space constrained environments such as HTTP Authorization headers and URI query parameters.",
   "main": "index.js",
   "scripts": {
@@ -9,7 +9,7 @@
     "style": "jscs -p google index.js test/test.js",
     "coverage": "istanbul cover tape test/test.js && istanbul check-coverage",
     "coverage:open": "open reports/coverage/index.html",
-    "complexity": "plato -r -t 'jenkins-client code report' -l .jshintrc -x 'node_modules|reports|test' -d reports/plato .",
+    "complexity": "plato -r -t 'jenkins-client code report' -l .jshintrc -x 'node_modules|reports|test|bench' -d reports/plato .",
     "complexity:open": "open reports/plato/index.html",
     "security": "nsp check",
     "bench": "echo 'installing dependencies first ...' && sleep 1 && npm i --save-dev benchmark microtime && echo '' && node bench && npm uninstall --save-dev benchmark microtime"
@@ -38,15 +38,16 @@
   },
   "homepage": "https://github.com/joaquimserafim/json-web-token",
   "dependencies": {
-    "base64-url": "^1.2.2"
+    "base64-url": "^1.2.2",
+    "json-parse-safe": "^1.0.3"
   },
   "devDependencies": {
     "istanbul": "^0.4.3",
     "jscs": "^2.11.0",
-    "jshint": "^2.9.1",
-    "nsp": "^2.3.0",
+    "jshint": "^2.9.2",
+    "nsp": "^2.4.0",
     "plato": "^1.5.0",
-    "pre-commit": "^1.1.2",
+    "pre-commit": "^1.1.3",
     "tap-spec": "^4.1.1",
     "tape": "^4.5.1"
   },

test/test.js

@@ -92,6 +92,16 @@ test('jwt - decode with callback / bad algorithm', function(assert) {
   })
 })
 
+test('jwt - decode with callback / bad token', function(assert) {
+  var badToken = theToken.split('.')
+  badToken[1] = 'bad token hash'
+  jwt.decode(secret, badToken.join('.'), function(err) {
+    assert.equal(err.name, 'JWTError')
+    assert.equal(err.message, 'Invalid key!')
+    assert.end()
+  })
+})
+
 test('jwt - decode with callback / invalid key', function(assert) {
   jwt.decode('wow', theToken, function(err) {
     assert.equal(err.name, 'JWTError')