Decoding JWTs in the terminal

These past few days, I have been working on integrating IBM App ID into our Java backend and Android frontend codebases. Because of this, I would find myself going back and forth between the terminal and JWT.io whenever I need to inspect a JWT's payload. I don't want to call it a "JWT token" because that would be a bad case of RAS and I'm pedantic like that, but I digress.

Instead of relying on a website to do that for me, I figured why not just do it from the terminal. I did some reading and it turns out that JWTs are relatively easy to parse :

  • Split the token using the dot character as a delimiter
  • Base 64 decode the first portion to get the header
  • Base 64 decode the second portion to get the payload

The third portion serves as a signing mechanism for the token. I chose to ignore the signing logic for the script I intended to write because it was irrelevant for my use case.

I ended up writing a command line tool in D to help me inspect JWTs. The main requirement was for it to let me feed it a token and have it not only decode it, but also inject two extra fields called "issued_at" and "expires_at". Since the "iat" and "exp" claims are Unix timestamps, I deemed it reasonable to present them in a human readable format. D's standard library already supports base 64 decoding and JSON parsing out of the box and as a consequence, I did not need to reach out to external dependencies :

import std;
alias decode = Base64URLNoPadding.decode;

void main(string[] args)
{
    string jwt = args.length > 1 ? args[1] : readln();
    string[] parts = jwt.split(".");
    writeln("Header :");
    parts[0]
        .decode
        .map!(to!dchar)
        .parseJSON()
        .toPrettyString()
        .writeln();

    auto payload = parts[1]
        .decode
        .map!(to!dchar)
        .parseJSON();

    if("iat" in payload)
    {
        payload.object["issued_at"] = JSONValue(SysTime.fromUnixTime(payload["iat"].integer).toSimpleString());
    }
    if("exp" in payload)
    {
        payload.object["expires_at"] = JSONValue(SysTime.fromUnixTime(payload["exp"].integer).toSimpleString());
    }

    writeln("Payload :");
    payload
        .toPrettyString()
        .writeln();
}

Notice how the code neither has error checking nor input validation. Since this is just a glorified bash script for productivity, I didn't really mind if it blew up in my face. I proceeded by compiling the code above to a binary called "jwt" that I aliased in my .zshrc file for easier access :

alias jwt='~/code/jwt'

And here's what it looks like with a random token :

jwt decoding output

Having used this tool for a while, I realized that nine times out of ten, the tokens I feed it come straight from the clipboard. In light of these new circumstances, I decided to further simplify the process by using xclip instead of manually pasting tokens on the terminal :

xclip -sel clipboard -o | jwt

Since I'm a naturally lazy person, I included clipboard retrieval support in the code itself, making sure to add a -c (optionally --clipboard) flag to enable this behavior :

import std;
alias decode = Base64URLNoPadding.decode;

void main(string[] args)
{
    string jwt;
    if(args.canFind("--clipboard") || args.canFind("-c"))
    {
        auto xclip = executeShell("xclip -sel clipboard -o");
        if(xclip.status != 0)
        {
            writeln("Unable to retrieve a JWT from the clipboard");
            return;
        }
        jwt = xclip.output;
    }
    else
    {
        jwt = args.length > 1 ? args[1] : readln();
    }

    immutable parts = jwt.split(".");
    writeln("Header :");
    parts[0]
        .decode
        .map!(to!dchar)
        .parseJSON()
        .toPrettyString()
        .writeln();


    auto payload = parts[1]
        .decode
        .map!(to!char)
        .parseJSON();

    if("iat" in payload)
    {
        payload.object["issued_at"] = JSONValue(SysTime.fromUnixTime(payload["iat"].integer).toSimpleString());
    }
    if("exp" in payload)
    {
        payload.object["expires_at"] = JSONValue(SysTime.fromUnixTime(payload["exp"].integer).toSimpleString());
    }

    writeln("Payload :");
    payload
        .toPrettyString()
        .writeln();
}

While this violates the "do one thing and do it well" Unix principle, doing things this way allowed me to acquaint myself with the std.process package of Phobos. A good compromise if you ask me.

Commentaires

Enregistrer un commentaire

Posts les plus consultés de ce blog

Writing a fast(er) youtube downloader

Image
As a millenial, I never managed to embrace the streaming culture that's so prevalent nowadays. Having grown up in an era where being offline was the norm, I developed an unhealthy habit of just-in-case data hoarding that I can't seem to shake off. When youtube-dl suddenly started complaining about an "uploader id" error , I decided to take things into my own hands. Understanding the streaming process The recon step consisted of inspecting the HTTP traffic to see what I could find. Sure enough, the network tab showed some interesting requests when filtering by "medias": Opening one of these in a new tab shows a MIME type error. The browser can't play it for some reason and neither could mpv. I downloaded it and ran the file command on it, but it shows up as a data blob: $ file videoplayback.mp4 videoplayback.mp4: data I suspected that there was some encryption going on and that maybe the Youtube video player knows how to decrypt this file. B
Lire la suite

My experience with Win by Inwi

Image
In my previous post, I mentioned how I was using a data plan that amounts to 10 DH per gigabyte. Being a relatively light streamer, I can usually get by with 10 gigabytes per month. These days however, I often find myself abusing my data plan for calls and screen sharing and whatnot. This month for example, I spent 250 DH on internet alone. With a monthly spending like that, I realized that I might as well get ADSL or a cheap optical fiber subscription. So why didn't I ? Well, for one, I don't want to get tied down by a monthly subscription. Secondly, I don't want something that requires a heavy installation with all the fees and the time that it implies. And finally, I want to have the option of carrying it with me wherever I want. When I was searching for alternatives, a friend of mine suggested Win by Inwi . I looked into it and it seemed to satisfy my needs of portability and ease of use. In short, you can customize your plan as you wish , handle the paperwork onlin
Lire la suite

Porting a Golang and Rust CLI tool to D

Image
A few days ago, in the programming subreddit, Paulo Henrique Cuchi shared his experience writing a command line tool in both Rust and Go . The tool in question is a client for his side project, Hashtrack. Hashtrack exposes a GraphQL API with which the clients can track certain twitter hashtags and get a real time list of relevant tweets. Prompted by this comment , I decided to write a D port to demonstrate how D can be used to achieve a similar goal. I'll try to keep the same structure as the one he used in his blog post. Source code on Github How did I end up using D? The main reason is that the original blog post compared statically typed languages like Go and Rust, and made honorable mentions to Nim and Crystal, but didn't mention D. D falls under this category, so I think this will make for an interesting comparison I also like D as a language and I have mentioned it in various other blog posts. Local environment The manual has a lengthy page on how to downlo
Lire la suite