Skip to content

feat: add validateDecoded option to validate JWT payload#378

Closed
williamfds wants to merge 2 commits intofastify:mainfrom
williamfds:feat/validate-decoded
Closed

feat: add validateDecoded option to validate JWT payload#378
williamfds wants to merge 2 commits intofastify:mainfrom
williamfds:feat/validate-decoded

Conversation

@williamfds
Copy link

@williamfds williamfds commented May 29, 2025
edited
Loading

This PR introduces a new validateDecoded option to the @fastify/jwt plugin.

It allows developers to define custom validation logic that runs after the JWT is decoded and verified, but before assigning request.user.
This enables scenarios where claims alone are insufficient, such as:

  • Checking flags (e.g., isVerified)

  • Validating roles or permissions

  • Applying business rules or JSON Schema validation

  • Performing async checks (e.g., database lookups)

Example: synchronous usage

fastify.register(jwt, {
  secret: 'supersecret',
  validateDecoded: (payload) => {
    if (!payload.admin) {
      throw new Error('Not authorized')
    }
  }
})

Example: asynchronous usage

fastify.register(jwt, {
 secret: 'supersecret',
 validateDecoded: async (payload) => {
   const isAllowed = await someCheck(payload.userId)
   if (!isAllowed) {
     throw new Error('Blocked by validation')
   }
 }
})

Implementation notes

This change includes the following:

  • Adds validateDecoded(payload) support to plugin options

  • Executed after token verification in request.jwtVerify()

  • If validation fails, responds with 400 Bad Request

  • Includes test coverage for both sync and async cases

  • Type definitions updated (types/jwt.d.ts)

  • Documentation updated in README.md

Related

Checklist

@williamfds
Copy link
Author

williamfds commented May 29, 2025

Hello again @jsumners

Following up on your feedback in #377, I’ve created this new PR after renaming the branch;

This new PR:

  • Implements the validation as validateDecoded, not validate
  • Returns 400 Bad Request on validation failure, as suggested
  • Respects decode.complete = false by maintaining correct flow
  • Includes documentation and TypeScript support
  • Covers sync and async usage
  • Addresses all points from Add 'validate' option to allow token claim validation #316

Thanks again for your previous review! Would love your input here to move this forward 🙏

@jsumners
Copy link
Member

jsumners commented May 30, 2025

Please don't open new PRs for the same work. The context of the conversation around the work gets lost. Update the original PR.

@WilliamFdaSilva
Copy link

WilliamFdaSilva commented May 30, 2025

Please don't open new PRs for the same work. The context of the conversation around the work gets lost. Update the original PR.

Hi!
Apologies for the confusion — I had to create a new PR to align the branch name with the naming conventions, changing it from validate to validateDecoded. As a result, the original PR was closed.

This won't happen again. Thanks for your understanding!

@jsumners
Copy link
Member

jsumners commented May 30, 2025

The source branch name is really inconsequential. Please keep the work in the original PR.

@williamfds
Copy link
Author

williamfds commented May 30, 2025

The source branch name is really inconsequential. Please keep the work in the original PR.

All changes from this PR have been consolidated into PR #377, which now includes the validateDecoded functionality.
Closing this one in favor of #377.

@williamfds williamfds closed this May 30, 2025
@jsumners
Copy link
Member

jsumners commented May 30, 2025

Thank you.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@williamfds @jsumners @WilliamFdaSilva