Basic token validation.

Author: rkistner

tools/diagnostics-app/src/library/powersync/TokenConnector.ts

@@ -23,6 +23,7 @@ export class TokenConnector implements PowerSyncBackendConnector {
 
   async signIn(credentials: Credentials) {
     validateSecureContext(credentials.endpoint);
+    checkJWT(credentials.token);
     try {
       localStorage.setItem('powersync_credentials', JSON.stringify(credentials));
       await connect();
@@ -56,3 +57,21 @@ function validateSecureContext(url: string) {
 Run either the PowerSync endpoint on http://localhost, or the diagnostics app on http://localhost.`);
   }
 }
+
+function checkJWT(token: string) {
+  // Split the token into parts by "."
+  const parts = token.split('.');
+
+  // Check that it has exactly three parts (header, payload, signature)
+  if (parts.length !== 3) {
+    throw new Error(`Token must be a JWT: Expected 3 parts, got ${parts.length}`);
+  }
+
+  // Check that each part is base64 or base64url encoded
+  const base64UrlRegex = /^[A-Za-z0-9-_]+$/;
+
+  const isBase64 = parts.every((part) => base64UrlRegex.test(part));
+  if (!isBase64) {
+    throw new Error(`Token must be a JWT: Not all parts are base64 encoded`);
+  }
+}