Optimise TokenUtils parsing (#611)

* Optimise parsing of token for well-defined JWT format

* Update error message in test to match new code

* Fixing checkstyle issues

* Added missing test case for no parts

* Return new JWTDecodeException

Return a new JWTDecodeException from private utility method `wrongNumberOfParts`, instead of throwing, since we throw from `splitToken()`.

Co-authored-by: Jim Anderson <[email protected]>
Co-authored-by: Jim Anderson <[email protected]>

Author: noetro

lib/src/main/java/com/auth0/jwt/TokenUtils.java

@@ -15,15 +15,33 @@ static String[] splitToken(String token) throws JWTDecodeException {
         if (token == null) {
             throw new JWTDecodeException("The token is null.");
         }
-        String[] parts = token.split("\\.");
-        if (parts.length == 2 && token.endsWith(".")) {
-            //Tokens with alg='none' have empty String as Signature.
-            parts = new String[]{parts[0], parts[1], ""};
+
+        char delimiter = '.';
+
+        int firstPeriodIndex = token.indexOf(delimiter);
+        if (firstPeriodIndex == -1) {
+            throw wrongNumberOfParts(0);
         }
-        if (parts.length != 3) {
-            throw new JWTDecodeException(
-                    String.format("The token was expected to have 3 parts, but got %s.", parts.length));
+
+        int secondPeriodIndex = token.indexOf(delimiter, firstPeriodIndex + 1);
+        if (secondPeriodIndex == -1) {
+            throw wrongNumberOfParts(2);
+        }
+
+        // too many ?
+        if (token.indexOf(delimiter, secondPeriodIndex + 1) != -1) {
+            throw wrongNumberOfParts("> 3");
         }
+
+        String[] parts = new String[3];
+        parts[0] = token.substring(0, firstPeriodIndex);
+        parts[1] = token.substring(firstPeriodIndex + 1, secondPeriodIndex);
+        parts[2] = token.substring(secondPeriodIndex + 1);
+
         return parts;
     }
+
+    private static JWTDecodeException wrongNumberOfParts(Object partCount) {
+        return new JWTDecodeException(String.format("The token was expected to have 3 parts, but got %s.", partCount));
+    }
 }

lib/src/test/java/com/auth0/jwt/JWTDecoderTest.java

@@ -50,7 +50,7 @@ public void shouldThrowIfLessThan3Parts() {
     @Test
     public void shouldThrowIfMoreThan3Parts() {
         exception.expect(JWTDecodeException.class);
-        exception.expectMessage("The token was expected to have 3 parts, but got 4.");
+        exception.expectMessage("The token was expected to have 3 parts, but got > 3.");
         JWT.decode("this.has.four.parts");
     }
 

lib/src/test/java/com/auth0/jwt/TokenUtilsTest.java

@@ -13,6 +13,30 @@ public class TokenUtilsTest {
     @Rule
     public ExpectedException exception = ExpectedException.none();
 
+    @Test
+    public void toleratesEmptyFirstPart() {
+        String token = ".eyJpc3MiOiJhdXRoMCJ9.W1mx_Y0hbAMbPmfW9whT605AAcxB7REFuJiDAHk2Sdc";
+        String[] parts = TokenUtils.splitToken(token);
+
+        assertThat(parts, is(notNullValue()));
+        assertThat(parts, is(arrayWithSize(3)));
+        assertThat(parts[0], is(""));
+        assertThat(parts[1], is("eyJpc3MiOiJhdXRoMCJ9"));
+        assertThat(parts[2], is("W1mx_Y0hbAMbPmfW9whT605AAcxB7REFuJiDAHk2Sdc"));
+    }
+
+    @Test
+    public void toleratesEmptySecondPart() {
+        String token = "eyJhbGciOiJub25lIiwidHlwIjoiSldUIn0..W1mx_Y0hbAMbPmfW9whT605AAcxB7REFuJiDAHk2Sdc";
+        String[] parts = TokenUtils.splitToken(token);
+
+        assertThat(parts, is(notNullValue()));
+        assertThat(parts, is(arrayWithSize(3)));
+        assertThat(parts[0], is("eyJhbGciOiJub25lIiwidHlwIjoiSldUIn0"));
+        assertThat(parts[1], is(""));
+        assertThat(parts[2], is("W1mx_Y0hbAMbPmfW9whT605AAcxB7REFuJiDAHk2Sdc"));
+    }
+
     @Test
     public void shouldSplitToken() {
         String token = "eyJhbGciOiJub25lIiwidHlwIjoiSldUIn0.eyJpc3MiOiJhdXRoMCJ9.W1mx_Y0hbAMbPmfW9whT605AAcxB7REFuJiDAHk2Sdc";
@@ -34,19 +58,27 @@ public void shouldSplitTokenWithEmptySignature() {
         assertThat(parts, is(arrayWithSize(3)));
         assertThat(parts[0], is("eyJhbGciOiJub25lIiwidHlwIjoiSldUIn0"));
         assertThat(parts[1], is("eyJpc3MiOiJhdXRoMCJ9"));
-        assertThat(parts[2], is(isEmptyString()));
+        assertThat(parts[2], is(emptyString()));
     }
 
     @Test
     public void shouldThrowOnSplitTokenWithMoreThan3Parts() {
         exception.expect(JWTDecodeException.class);
-        exception.expectMessage("The token was expected to have 3 parts, but got 4.");
+        exception.expectMessage("The token was expected to have 3 parts, but got > 3.");
         String token = "this.has.four.parts";
         TokenUtils.splitToken(token);
     }
 
     @Test
-    public void shouldThrowOnSplitTokenWithLessThan3Parts() {
+    public void shouldThrowOnSplitTokenWithNoParts() {
+        exception.expect(JWTDecodeException.class);
+        exception.expectMessage("The token was expected to have 3 parts, but got 0.");
+        String token = "notajwt";
+        TokenUtils.splitToken(token);
+    }
+
+    @Test
+    public void shouldThrowOnSplitTokenWith2Parts() {
         exception.expect(JWTDecodeException.class);
         exception.expectMessage("The token was expected to have 3 parts, but got 2.");
         String token = "two.parts";