From 64f276c814524ff5a66e2499d5d1141f17847a5d Mon Sep 17 00:00:00 2001
From: Craig Colegrove <34786857+giarc3@users.noreply.github.com>
Date: Tue, 30 Jun 2020 12:03:53 -0600
Subject: [PATCH] Add new function and tests (#138)
Co-authored-by: Vincent Prouillet
---
 src/decoding.rs | 39 +++++++++++++++++++++++++++++++++++++++
 src/lib.rs | 2 +-
 tests/hmac.rs | 31 +++++++++++++++++++++++++++++++
 3 files changed, 71 insertions(+), 1 deletion(-)
diff --git a/src/decoding.rs b/src/decoding.rs
index 3b149cb..1292646 100644
--- a/src/decoding.rs
+++ b/src/decoding.rs
@@ -206,12 +206,51 @@ pub fn dangerous_insecure_decode(token: &str) -> Result(&token, &Validation::new(Algorithm::HS256));
+/// ```
+pub fn dangerous_insecure_decode_with_validation(
+ token: &str,
+ validation: &Validation,
+) -> Result> {
+ let (_, message) = expect_two!(token.rsplitn(2, '.'));
+ let (claims, header) = expect_two!(message.rsplitn(2, '.'));
+ let header = Header::from_encoded(header)?;
+
+ if !validation.algorithms.contains(&header.alg) {
+ return Err(new_error(ErrorKind::InvalidAlgorithm));
+ }
+
+ let (decoded_claims, claims_map): (T, _) = from_jwt_part_claims(claims)?;
+ validate(&claims_map, validation)?;
+
+ Ok(TokenData { header, claims: decoded_claims })
+}
+
 /// Decode a JWT without any signature verification/validations. DEPRECATED.
 #[deprecated(
 note = "This function has been renamed to `dangerous_insecure_decode` and will be removed in a later version."
 )]
 pub fn dangerous_unsafe_decode(token: &str) -> Result> {
 dangerous_insecure_decode(token)
+
 }
 /// Decode a JWT without any signature verification/validations and return its [Header](struct.Header.html).
diff --git a/src/lib.rs b/src/lib.rs
index 7c8cc0c..f92452e 100644
--- a/src/lib.rs
+++ b/src/lib.rs
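Review bot: `dangerous_insecure_decode_with_validation` throws the signature segment away at `let (_, message) = expect_two!(token.rsplitn(2, '.'));` and then runs `validate(&claims_map, validation)?`, so every claim that `validate` checks is attacker-writable; the doc comment, of which only the trailing example is legible in this hunk, should say so explicitly so the `Validation` argument is not mistaken for a security boundary. I would add above the example: `/// Only the claims are validated; the signature is never verified, so a forged token with acceptable claims passes. Use this to inspect an untrusted token (e.g. to pick a key) and call `decode` before trusting anything in it.` Separately, the hunk appears to add an empty line inside `dangerous_unsafe_decode` just before its closing `}` (the lone `+` after `dangerous_insecure_decode(token)`), which looks accidental and `rustfmt` would remove; the collapsed layout makes that marker placement slightly uncertain.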
@@ -17,7 +17,7 @@ mod validation;
 pub use algorithms::Algorithm;
 pub use decoding::{
- dangerous_insecure_decode, dangerous_unsafe_decode, decode, decode_header, DecodingKey,
+ dangerous_insecure_decode_with_validation, dangerous_insecure_decode, dangerous_unsafe_decode, decode, decode_header, DecodingKey,
 TokenData,
 };
 pub use encoding::{encode, EncodingKey};
diff --git a/tests/hmac.rs b/tests/hmac.rs
index 3e206b3..aba469d 100644
--- a/tests/hmac.rs
+++ b/tests/hmac.rs
@@ -1,4 +1,5 @@
 use chrono::Utc;
+use jsonwebtoken::dangerous_insecure_decode_with_validation;
 use jsonwebtoken::{
 crypto::{sign, verify},
 dangerous_insecure_decode, decode, decode_header, encode, Algorithm, DecodingKey, EncodingKey,
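Review bot: The new `pub use decoding::{ … }` line in `src/lib.rs` is now well past rustfmt's 100-column limit and lists `dangerous_insecure_decode_with_validation` ahead of `dangerous_insecure_decode`, which is not the sorted order rustfmt produces; running `cargo fmt` would wrap the list one name per line and place the new export directly after `dangerous_insecure_decode`. The `tests/hmac.rs` import hunk has the same shape: the new function gets a separate `use jsonwebtoken::…;` statement instead of joining the grouped import that follows it.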
@@ -158,3 +159,33 @@ fn dangerous_insecure_decode_token_wrong_algorithm() {
 let claims = dangerous_insecure_decode::(token);
 claims.unwrap();
 }
+
+#[test]
+fn dangerous_insecure_decode_token_with_validation() {
+ let token = "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiJiQGIuY29tIiwiY29tcGFueSI6IkFDTUUiLCJleHAiOjI1MzI1MjQ4OTF9.9r56oF7ZliOBlOAyiOFperTGxBtPykRQiWNFxhDCW98";
+ let claims = dangerous_insecure_decode_with_validation::(token, &Validation::default());
+ claims.unwrap();
+}
+
+#[test]
+#[should_panic(expected = "InvalidToken")]
+fn dangerous_insecure_decode_token_with_validation_missing_parts() {
+ let token = "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9";
+ let claims = dangerous_insecure_decode_with_validation::(token, &Validation::default());
+ claims.unwrap();
+}
+
+#[test]
+fn dangerous_insecure_decode_token_with_validation_invalid_signature() {
+ let token = "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiJiQGIuY29tIiwiY29tcGFueSI6IkFDTUUiLCJleHAiOjI1MzI1MjQ4OTF9.wrong";
+ let claims = dangerous_insecure_decode_with_validation::(token, &Validation::default());
+ claims.unwrap();
+}
+
+#[test]
+#[should_panic(expected = "InvalidAlgorithm")]
+fn dangerous_insecure_decode_token_with_validation_wrong_algorithm() {
+ let token = "eyJhbGciOiJIUzUxMiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiJiQGIuY29tIiwiY29tcGFueSI6IkFDTUUiLCJleHAiOjI1MzI1MjQ4OTF9.fLxey-hxAKX5rNHHIx1_Ch0KmrbiuoakDVbsJjLWrx8fbjKjrPuWMYEJzTU3SBnYgnZokC-wqSdqckXUOunC-g";
+ let claims = dangerous_insecure_decode_with_validation::(token, &Validation::default());
+ claims.unwrap();
+}
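Review bot: `dangerous_insecure_decode_token_with_validation_invalid_signature` asserts that a token whose third segment is `wrong` decodes successfully, which is the function's contract but reads as an inverted test next to the two `#[should_panic]` cases; a comment before its `claims.unwrap();` such as `// The signature is never checked by this function, so a bogus one must still decode.` would make the intent explicit. The four tests also never exercise `validate(...)` rejecting anything: the only failure paths covered are a missing segment (`InvalidToken`) and an unlisted algorithm (`InvalidAlgorithm`), while `Validation::default()` is paired with a payload whose `exp` decodes to a date decades in the future. A fifth test that builds a claims value with an `exp` in the past via the `encode`/`EncodingKey` already imported in this file and expects the `ExpiredSignature` error would pin the claim-validation half of the new function.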