fix: Use jwtDecode to parse the token

Vitor-Avila · Vitor-Avila · commit 0f43741a64f7 · 2025-09-12T16:10:02.000-03:00
diff --git a/package-lock.json b/package-lock.json
diff --git a/package.json b/package.json
@@ -35,7 +35,8 @@
     "last 3 edge versions"
   ],
   "dependencies": {
-    "@superset-ui/switchboard": "^0.20.3"
+    "@superset-ui/switchboard": "^0.20.3",
+    "jwt-decode": "^4.0.0"
   },
   "devDependencies": {
     "@babel/cli": "^7.16.8",
diff --git a/src/guestTokenRefresh.ts b/src/guestTokenRefresh.ts
@@ -1,11 +1,12 @@
+import { jwtDecode } from "jwt-decode";
+
 export const REFRESH_TIMING_BUFFER_MS = 5000 // refresh guest token early to avoid failed superset requests
 export const MIN_REFRESH_WAIT_MS = 10000 // avoid blasting requests as fast as the cpu can handle
 export const DEFAULT_TOKEN_EXP_MS = 300000 // (5 min) used only when parsing guest token exp fails
 
 // when do we refresh the guest token?
 export function getGuestTokenRefreshTiming(currentGuestToken: string) {
-  // atob converts a string from base64 https://developer.mozilla.org/en-US/docs/Web/API/atob
-  const parsedJwt = JSON.parse(atob(currentGuestToken.split('.')[1]).toString());
+  const parsedJwt = jwtDecode<Record<string, any>>(currentGuestToken);
   // if exp is int, it is in seconds, but Date() takes milliseconds
   const exp = new Date(/[^0-9\.]/g.test(parsedJwt.exp) ? parsedJwt.exp : parseFloat(parsedJwt.exp) * 1000);
   const isValidDate = exp.toString() !== 'Invalid Date';
