Allow pre-compiled binaries to be installed directly from brew:

e.g.

brew install lmammino/repo/jwtinfo

Guides:

• https://docs.brew.sh/How-to-Create-and-Maintain-a-Tap
• https://docs.brew.sh/Taps
• https://docs.brew.sh/Bottles (precompiled binaries)

Sys info:

Ubuntu 23.04 x86_64
Kernel: 6.2.0-36-generic
Shell: bash 5.2.15
jwtinfo 0.4.2

Bug

RUST_BACKTRACE=1 jwtinfo

thread 'main' panicked at /home/edoardottt/.cargo/registry/src/index.crates.io-6f17d22bba15001f/jwtinfo-0.4.2/src/cli.rs:32:56:
called `Option::unwrap()` on a `None` value
stack backtrace:
   0: rust_begin_unwind
             at /rustc/cc66ad468955717ab92600c770da8c1601a4ff33/library/std/src/panicking.rs:595:5
   1: core::panicking::panic_fmt
             at /rustc/cc66ad468955717ab92600c770da8c1601a4ff33/library/core/src/panicking.rs:67:14
   2: core::panicking::panic
             at /rustc/cc66ad468955717ab92600c770da8c1601a4ff33/library/core/src/panicking.rs:117:5
   3: jwtinfo::main
note: Some details are omitted, run with `RUST_BACKTRACE=full` for a verbose backtrace.

Make it possible to get the token from stdin if the argument is not provided

(suggested by ESBD on Reddit)

Not an issue actually, but seems like one can have the following bash one-liner.

jwtinfo () 
{ 
    echo "$1" | cut -d'.' -f 2 | base64 -di 2> /dev/null
}

https://ideone.com/wlST3C

I'd like to add a feature to jwtinfo that allows dumping both the header and the body simultaneously, perhaps a --full flag? @lmammino would you accept a PR for this?

Output:

{
  "header": {
    "kid": "24378254378"
  },
  "claims": {
    "iat": 12345,
    ...,
  }
}

jwtinfo currently fails with encrypted tokens. It should instead print a nicer message mentioning that the token is encrypted and therefore it is not possible to read the body.

An example of this kind of token is what's generated by AWS Cognito as a refresh token.

The header part looks like the following:

{
  "cty": "JWT",
  "enc": "A256GCM",
  "alg": "RSA-OAEP"
}

On possible solution is that the CLI should not try to parse the body as JSON if there is an enc field in the header.

As suggested on Reddit by Doddzilla7, there's an opportunity to do better error management and get rid of nested matched by using a specific Enum type error that wraps more generic errors as in the following example:

pub enum JWTDecodeError {
  MissingSection(String),
  InvalidUtf8(str::Utf8Error),
  InvalidBase64(base64::DecodeError),
  InvalidJSON(serde_json::error::Error)
}

This will allow to use the ? operator in many places and get rid of nested matches.

At the moment we are only testing the happy path. It would be great to test the rest of the codebase as well and to have a way to track and record code coverage (maybe with integration with coveralls).

Thanks for the great work. How would you feel about adding the aforementioned options for automatic pretty printing?

I'd like to add a feature to jwtinfo that allows specifying an optional JWKS URL to verify the token against.

Here's my thought about what it might look like: jwtinfo --jwks=https://mydomain.us.auth0.com/ <token>

There are a couple different ways you could handle output/validation errors:

• no stdout, print error to stderr and exit with a non-zero code
• print data to stdout even if the token is invalid, print error to stderr, exit with non-zero code
• In combination with #37, extend the output format of the "full" output to include extra keys including valid: bool and validationErrors: str[]

@lmammino interested in your thoughts about whether you'd accept a PR, and suggestions for shaping a reasonable CLI surface.

On linux. Specifically:

cat /etc/os-release 
NAME="CentOS Stream"
VERSION="8"
ID="centos"
ID_LIKE="rhel fedora"
VERSION_ID="8"
PLATFORM_ID="platform:el8"
PRETTY_NAME="CentOS Stream 8"
ANSI_COLOR="0;31"
CPE_NAME="cpe:/o:centos:centos:8"
HOME_URL="https://centos.org/"
BUG_REPORT_URL="https://bugzilla.redhat.com/"
REDHAT_SUPPORT_PRODUCT="Red Hat Enterprise Linux 8"
REDHAT_SUPPORT_PRODUCT_VERSION="CentOS Stream"

Full error

RUST_BACKTRACE=1 jwtinfo $TOKEN
thread 'main' panicked at 'Mismatch between definition and access of `pretty`. Could not downcast to TypeId { t: 324675245860759320943513204350442872190 }, need to downcast to TypeId { t: 7428646492878894209665195255548636123 }
', /home/luciano.mammino/.cargo/registry/src/index.crates.io-6f17d22bba15001f/clap_builder-4.4.5/src/parser/error.rs:32:9
stack backtrace:
   0: rust_begin_unwind
             at /rustc/d5c2e9c342b358556da91d61ed4133f6f50fc0c3/library/std/src/panicking.rs:593:5
   1: core::panicking::panic_fmt
             at /rustc/d5c2e9c342b358556da91d61ed4133f6f50fc0c3/library/core/src/panicking.rs:67:14
   2: clap_builder::parser::matches::arg_matches::ArgMatches::get_flag
   3: jwtinfo::main
note: Some details are omitted, run with `RUST_BACKTRACE=full` for a verbose backtrace.

in rust unit tests are in the module tested not outside.

@mardiros on Reddit

More comments by mardiros:

Unit tests:

https://doc.rust-lang.org/rust-by-example/testing/unit_testing.html

Most unit tests go into a tests mod with the #[cfg(test)] attribute. Test functions are marked with the #[test] attribute.

#[cfg(test)]
mod tests {
    // Note this useful idiom: importing names from outer (for mod tests) scope.
    use super::*;
}

Integration tests:

https://doc.rust-lang.org/rust-by-example/testing/integration_testing.html

Cargo looks for integration tests in tests directory next to src.

(e.g. not in src).

jwtinfo prints the body of the token. Sometimes it is convenient to have a look at the header as well (e.g. in openID tokens can have attributes like jti - token id - or jki - token key id - embedded in the header part).

When this feature is implemented, running the following command:

jwtinfo --header "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCIsImtpZCI6InNvbWUta2V5In0.eyJoZWxsbyI6ImZyb20gSldUIn0._tBIgntQFTeCCNbTbHnNONfXTDAfuu77DtkkD0RE0I0"

Should print:

{"alg": "HS256","typ": "JWT","kid": "some-key"}

In the stdout

Always shows 0.1.0

It would be great to be able to expose the internal JWT parsing library so that other projects can leverage it if needed.

Right now we expose only the binary application.

Some documentation on how this might be achieved:

• Rust package with both a library and a binary?
• Publishing a crate containing both lib.rs and main.rs files
  
• Packages, Crates, and Modules
• Cargo, Crates and Basic Project Structure

If we do this, we should also make sure that the crate documentation is generated and published correctly. This document might help with this task

Make it possible to install pre-compiled binaries through npm install -g.

Possible guides:

• https://blog.woubuc.be/post/publishing-rust-binary-on-npm/