
Validate JSON web tokens (JWT)

Extract the JWT from the `Authorization: Bearer` header, decode its base64url-encoded header and payload, and run the validation checks (signature, expiry and any other claims you rely on) before forwarding the request. A token whose signature has not been verified must never be treated as proof of anything.

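/**
 * Cloudflare Worker that gates the origin behind a JSON Web Token.
 *
 * Flow: read the token from `Authorization: Bearer <token>`, verify its
 * HS256 signature against the shared secret in `env.JWT_SECRET`, check the
 * time-based claims, and only then forward the request upstream.
 *
 * Security notes (why the checks below exist):
 *  - A JWT whose signature is not verified is just a base64 string that
 *    anyone can forge, so signature verification is mandatory and the worker
 *    fails closed (500) when no secret is configured instead of letting
 *    traffic through unchecked.
 *  - The `alg` header is never trusted to choose the algorithm: only HS256
 *    is accepted, which rules out `alg: "none"` and key-confusion attacks.
 *  - Every validation failure maps to a 401 with a generic body; parser and
 *    verifier error messages are logged server-side, not echoed to clients.
 *
 * `JWT_SECRET` is a placeholder binding name — provision it as a Worker
 * secret (e.g. `wrangler secret put JWT_SECRET`) and rename here if needed.
 */

const textEncoder = new TextEncoder();
const textDecoder = new TextDecoder();

/**
 * Decode one base64url segment (RFC 7515 §2, RFC 4648 §5) to raw bytes.
 *
 * JWT segments use the URL-safe alphabet (`-`, `_`) and omit `=` padding,
 * but `atob()` only accepts standard base64, so the alphabet is mapped back
 * and padding restored first. `atob()` throws on any other character, which
 * callers treat as a malformed token.
 *
 * @param {string} segment - one dot-separated part of a compact JWT
 * @returns {Uint8Array} decoded bytes
 * @throws {DOMException} if the segment is not valid base64url
 */
function base64UrlToBytes(segment) {
  const base64 = segment.replaceAll("-", "+").replaceAll("_", "/");
  const padded = base64 + "=".repeat((4 - (base64.length % 4)) % 4);
  return Uint8Array.from(atob(padded), (c) => c.charCodeAt(0));
}

/**
 * Decode a base64url JSON segment (JOSE header or claims set) to a value.
 * Bytes are interpreted as UTF-8 so non-ASCII claim values survive intact
 * (a bare `atob()` result is Latin-1 and would mangle them).
 *
 * @param {string} segment - base64url-encoded JSON
 * @returns {any} the parsed JSON value
 * @throws {Error} if the segment is not base64url or not JSON
 */
function decodeJwtSegment(segment) {
  return JSON.parse(textDecoder.decode(base64UrlToBytes(segment)));
}

/**
 * Pull the bearer token out of the request, or null when absent.
 *
 * Only the `Bearer` scheme is recognised (RFC 6750 §2.1); the scheme name
 * is matched case-insensitively as RFC 7235 requires, and the header must
 * consist of exactly the scheme and one whitespace-free token.
 *
 * @param {Request} request - incoming request
 * @returns {string|null} the token, or null if no usable bearer header
 */
function getJWTToken(request) {
  const authorizationHeader = request.headers.get("Authorization");
  if (!authorizationHeader) {
    return null;
  }
  const [scheme, ...rest] = authorizationHeader.trim().split(/\s+/);
  if (scheme.toLowerCase() !== "bearer" || rest.length !== 1) {
    return null;
  }
  return rest[0];
}

/**
 * Verify a compact-serialised JWS (`header.payload.signature`) and its
 * time-based claims.
 *
 * Checks, in order: three non-empty segments; segments decode as base64url
 * and JSON; JOSE header `alg` is exactly "HS256"; HMAC-SHA256 over
 * `header.payload` matches the signature (Web Crypto does the comparison in
 * constant time); `exp` is present, numeric and still in the future (RFC 7519
 * §4.1.4); `nbf`, when present, is numeric and not in the future. Issuer and
 * audience checks are deployment-specific and are intentionally left for the
 * caller to add after the signature check.
 *
 * @param {string} token - the raw bearer token
 * @param {string} secret - shared HMAC secret the token was signed with
 * @returns {Promise<true>} resolves to true when every check passes
 * @throws {Error} with a short reason when any check fails
 */
async function validateJWT(token, secret) {
  const parts = token.split(".");
  if (parts.length !== 3 || parts.some((part) => part.length === 0)) {
    throw new Error("Invalid JWT format");
  }
  const [encodedHeader, encodedPayload, encodedSignature] = parts;

  let header;
  let payload;
  let signature;
  try {
    header = decodeJwtSegment(encodedHeader);
    payload = decodeJwtSegment(encodedPayload);
    signature = base64UrlToBytes(encodedSignature);
  } catch (cause) {
    throw new Error("Invalid JWT encoding", { cause });
  }

  // Pin the algorithm instead of trusting `alg`: honouring whatever the
  // token names would let an attacker pick "none" (no signature at all).
  if (header?.alg !== "HS256") {
    throw new Error("Unsupported JWT algorithm");
  }

  const key = await crypto.subtle.importKey(
    "raw",
    textEncoder.encode(secret),
    { name: "HMAC", hash: "SHA-256" },
    false,
    ["verify"],
  );
  const signingInput = textEncoder.encode(`${encodedHeader}.${encodedPayload}`);
  const signatureOk = await crypto.subtle.verify("HMAC", key, signature, signingInput);
  if (!signatureOk) {
    throw new Error("Invalid JWT signature");
  }

  // Claims are only meaningful once the signature is known to be good.
  const now = Math.floor(Date.now() / 1000);
  if (typeof payload?.exp !== "number") {
    // A token with no expiry would be valid forever; refuse it.
    throw new Error("JWT is missing exp");
  }
  if (payload.exp <= now) {
    throw new Error("JWT has expired");
  }
  if (payload.nbf !== undefined && !(typeof payload.nbf === "number" && payload.nbf <= now)) {
    throw new Error("JWT not yet valid");
  }
  return true;
}

/**
 * Worker entry point.
 *
 * @param {Request} request - incoming request
 * @param {{ JWT_SECRET?: string }} [env] - Worker bindings; the HMAC secret
 *   that accepted tokens were signed with must be provided as `JWT_SECRET`
 * @returns {Promise<Response>} 500 when no secret is configured, 401 when
 *   the token is missing or fails validation, otherwise the upstream response
 */
const handler = {
  async fetch(request, env) {
    // Fail closed: without a secret nothing can be verified, and forwarding
    // traffic anyway would silently turn this worker into a no-op.
    const secret = env?.JWT_SECRET;
    if (typeof secret !== "string" || secret.length === 0) {
      return new Response("JWT secret is not configured", { status: 500 });
    }

    const jwtToken = getJWTToken(request);
    if (!jwtToken) {
      // 401 Unauthorized (not 403 Forbidden) tells the client credentials are
      // required; RFC 6750 §3 asks for the WWW-Authenticate challenge.
      return new Response("Missing JWT token", {
        status: 401,
        headers: { "WWW-Authenticate": "Bearer" },
      });
    }

    try {
      await validateJWT(jwtToken, secret);
    } catch (error) {
      // Keep the reason out of the response body so it cannot be used to
      // probe the validator; log it for operators instead.
      console.warn("JWT rejected:", error.message);
      return new Response("Invalid JWT token", {
        status: 401,
        headers: { "WWW-Authenticate": 'Bearer error="invalid_token"' },
      });
    }

    // Token is authentic and current: serve the actual response.
    return fetch(request);
  },
};

export default handler;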