Support decoding byte slice

Keats · Keats · commit 14f1ef4bc4df · 2025-09-29T21:32:22.000+02:00
Taken from #387 by @kvc0
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -4,6 +4,7 @@
 
 - BREAKING: now using traits for crypto backends, you have to choose between `aws_lc_rs` and `rust_crypto`
 - Add `Clone` bound to `decode`
+- Support decoding byte slices
 
 ## 9.3.1 (2024-02-06)
 
diff --git a/examples/custom_header.rs b/examples/custom_header.rs
@@ -4,7 +4,7 @@ use std::collections::HashMap;
 use jsonwebtoken::errors::ErrorKind;
 use jsonwebtoken::{decode, encode, Algorithm, DecodingKey, EncodingKey, Header, Validation};
 
-#[derive(Debug, Serialize, Deserialize)]
+#[derive(Debug, Serialize, Deserialize, Clone)]
 struct Claims {
     sub: String,
     company: String,
diff --git a/examples/custom_time.rs b/examples/custom_time.rs
@@ -5,7 +5,7 @@ use jsonwebtoken::{Algorithm, DecodingKey, EncodingKey, Header, Validation};
 
 const SECRET: &str = "some-secret";
 
-#[derive(Debug, PartialEq, Serialize, Deserialize)]
+#[derive(Debug, PartialEq, Serialize, Deserialize, Clone)]
 struct Claims {
     sub: String,
     #[serde(with = "jwt_numeric_date")]
diff --git a/examples/ed25519.rs b/examples/ed25519.rs
@@ -7,7 +7,7 @@ use jsonwebtoken::{
     decode, encode, get_current_timestamp, Algorithm, DecodingKey, EncodingKey, Validation,
 };
 
-#[derive(Debug, Serialize, Deserialize)]
+#[derive(Debug, Serialize, Deserialize, Clone)]
 pub struct Claims {
     sub: String,
     exp: u64,
diff --git a/examples/validation.rs b/examples/validation.rs
@@ -3,7 +3,7 @@ use serde::{Deserialize, Serialize};
 use jsonwebtoken::errors::ErrorKind;
 use jsonwebtoken::{decode, encode, Algorithm, DecodingKey, EncodingKey, Header, Validation};
 
-#[derive(Debug, Serialize, Deserialize)]
+#[derive(Debug, Serialize, Deserialize, Clone)]
 struct Claims {
     aud: String,
     sub: String,
diff --git a/src/algorithms.rs b/src/algorithms.rs
@@ -31,8 +31,6 @@ impl AlgorithmFamily {
     }
 }
 
-
-
 /// The algorithms supported for signing/verifying JWTs
 #[allow(clippy::upper_case_acronyms)]
 #[derive(Debug, Default, PartialEq, Eq, Hash, Copy, Clone, Serialize, Deserialize)]
diff --git a/src/decoding.rs b/src/decoding.rs
@@ -97,7 +97,7 @@ impl DecodingKey {
     pub fn family(&self) -> AlgorithmFamily {
         self.family
     }
-    
+
     /// If you're using HMAC, use this.
     pub fn from_secret(secret: &[u8]) -> Self {
         DecodingKey {
@@ -270,10 +270,11 @@ impl DecodingKey {
 /// let token_message = decode::<Claims>(&token, &DecodingKey::from_secret("secret".as_ref()), &Validation::new(Algorithm::HS256));
 /// ```
 pub fn decode<T: DeserializeOwned + Clone>(
-    token: &str,
+    token: impl AsRef<[u8]>,
     key: &DecodingKey,
     validation: &Validation,
 ) -> Result<TokenData<T>> {
+    let token = token.as_ref();
     let header = decode_header(token)?;
 
     if validation.validate_signature && !validation.algorithms.contains(&header.alg) {
@@ -324,20 +325,21 @@ pub fn jwt_verifier_factory(
 /// let token = "a.jwt.token".to_string();
 /// let header = decode_header(&token);
 /// ```
-pub fn decode_header(token: &str) -> Result<Header> {
-    let (_, message) = expect_two!(token.rsplitn(2, '.'));
-    let (_, header) = expect_two!(message.rsplitn(2, '.'));
+pub fn decode_header(token: impl AsRef<[u8]>) -> Result<Header> {
+    let token = token.as_ref();
+    let (_, message) = expect_two!(token.rsplitn(2, |b| *b == b'.'));
+    let (_, header) = expect_two!(message.rsplitn(2, |b| *b == b'.'));
     Header::from_encoded(header)
 }
 
 /// Verify the signature of a JWT, and return a header object and raw payload.
 ///
 /// If the token or its signature is invalid, it will return an error.
 fn verify_signature<'a>(
-    token: &'a str,
+    token: &'a [u8],
     validation: &Validation,
     verifying_provider: Box<dyn JwtVerifier>,
-) -> Result<(Header, &'a str)> {
+) -> Result<(Header, &'a [u8])> {
     if validation.validate_signature && validation.algorithms.is_empty() {
         return Err(new_error(ErrorKind::MissingAlgorithm));
     }
@@ -350,16 +352,16 @@ fn verify_signature<'a>(
         }
     }
 
-    let (signature, message) = expect_two!(token.rsplitn(2, '.'));
-    let (payload, header) = expect_two!(message.rsplitn(2, '.'));
+    let (signature, message) = expect_two!(token.rsplitn(2, |b| *b == b'.'));
+    let (payload, header) = expect_two!(message.rsplitn(2, |b| *b == b'.'));
     let header = Header::from_encoded(header)?;
 
     if validation.validate_signature && !validation.algorithms.contains(&header.alg) {
         return Err(new_error(ErrorKind::InvalidAlgorithm));
     }
 
     if validation.validate_signature
-        && verifying_provider.verify(message.as_bytes(), &b64_decode(signature)?).is_err()
+        && verifying_provider.verify(message, &b64_decode(signature)?).is_err()
     {
         return Err(new_error(ErrorKind::InvalidSignature));
     }
diff --git a/src/encoding.rs b/src/encoding.rs
@@ -44,7 +44,7 @@ impl EncodingKey {
     pub fn family(&self) -> AlgorithmFamily {
         self.family
     }
-    
+
     /// If you're using a HMAC secret that is not base64, use that.
     pub fn from_secret(secret: &[u8]) -> Self {
         EncodingKey { family: AlgorithmFamily::Hmac, content: secret.to_vec() }

Original file line number	Diff line number	Diff line change
`@@ -31,8 +31,6 @@ impl AlgorithmFamily {`
`31`	`31`	`}`
`32`	`32`	`}`
`33`	`33`
`34`		`-`
`35`		`-`
`36`	`34`	`/// The algorithms supported for signing/verifying JWTs`
`37`	`35`	`#[allow(clippy::upper_case_acronyms)]`
`38`	`36`	`#[derive(Debug, Default, PartialEq, Eq, Hash, Copy, Clone, Serialize, Deserialize)]`
Original file line number	Diff line number	Diff line change
`@@ -44,7 +44,7 @@ impl EncodingKey {`
`44`	`44`	`pub fn family(&self) -> AlgorithmFamily {`
`45`	`45`	`self.family`
`46`	`46`	`}`
`47`		`-`
	`47`	`+`
`48`	`48`	`/// If you're using a HMAC secret that is not base64, use that.`
`49`	`49`	`pub fn from_secret(secret: &[u8]) -> Self {`
`50`	`50`	`EncodingKey { family: AlgorithmFamily::Hmac, content: secret.to_vec() }`