Research
Security News
Malicious npm Packages Inject SSH Backdoors via Typosquatted Libraries
Socket’s threat research team has detected six malicious npm packages typosquatting popular libraries to insert SSH backdoors.
github.com/lestrrat-go/jwx
Various libraries implementing various JWx technologies. Please click on the package names in the table below to find the synopsis/description for each package.
If you are using this module in your product or your company, please add your product and/or company name in the Wiki! It really helps keeping up our motivation.
Package name | Notes |
---|---|
jwt | RFC 7519 |
jwk | RFC 7517 + RFC 7638 |
jwa | RFC 7518 |
jws | RFC 7515 + RFC 7797 |
jwe | RFC 7516 |
My goal was to write a server that heavily uses JWK and JWT. At first glance the libraries that already exist seemed sufficient, but soon I realized that
For example, a certain library looks like it had most of JWS, JWE, JWK covered, but then it lacked the ability to include private claims in its JWT responses. Another library had support of all the private claims, but completely lacked in its flexibility to generate various different response formats.
Because I was writing the server side (and the client side for testing), I needed the entire JOSE toolset to properly implement my server, and they needed to be flexible enough to fulfill the entire spec that I was writing.
So here's github.com/lestrrat-go/jwx
. This library is extensible, customizable, and hopefully well organized to the point that it is easy for you to slice and dice it.
There are several other major Go modules that handle JWT and related data formats, so why should you use this library?
From a purely functional perspective, the only major difference is this: Whereas most other projects only deal with what they seem necessary to handle JWTs, this module handles the entire spectrum of JWS, JWE, JWK, and JWT.
That is, if you need to not only parse JWTs, but also to control JWKs, or if you need to handle payloads that are NOT JWTs, you should probably consider using this module. You should also note that JWT is built on top of those other technologies. You simply cannot have a complete JWT package without implementing the entirety of JWS/JWS/JWK, which this library does.
Next, from an implementation perspective, this module differs significantly from others in that it tries very hard to expose only the APIs, and not the internal data. For example, individual JWT claims are not accessible through struct field lookups. You need to use one of the getter methods.
This is because this library takes the stance that the end user is fully capable and even willing to shoot themselves on the foot when presented with a lax API. By making sure that users do not have access to open structs, we can protect users from doing silly things like creating incomplete structs, or access the structs concurrently without any protection. This structure also allows us to put extra smarts in the structs, such as doing the right thing when you want to parse / write custom fields (this module does not require the user to specify alternate structs to parse objects with custom fields)
In the end I think it comes down to your usage pattern, and priorities. Some general guidelines that come to mind are:
Otherwise, feel free to choose something else.
Since v1.1.1 we have a command line tool jwx
(*). With jwx
you can create JWKs (from PEM files, even), sign and verify JWS message, encrypt and decrypt JWE messages, etc.
(*) Okay, it existed since a long time ago, but it was never useful.
go install github.com/lestrrat-go/jwx/cmd/jwx
Uh, why are you using such an ancient version? You know that repository is archived for a reason, yeah? Please use the new version.
The API has been reworked quite substantially between pre- and post 1.0.0 releases. Please check out the Changes file (or the diff, if you are into that sort of thing)
The API has gone under some changes for v1.1.0. If you are upgrading, you might want to read the relevant parts in the Changes file.
For bug reports and feature requests, please try to follow the issue templates as much as possible. For either bug reports or feature requests, failing tests are even better.
Please make sure to include tests that excercise the changes you made.
If you are editing auto-generated files (those files with the _gen.go
suffix, please make sure that you do the following:
make generate
(or go generate
) to generate the new codePlease try discussions first.
crypto.Signer
crypto.Signer
FAQs
Unknown package
Did you know?
Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.
Research
Security News
Socket’s threat research team has detected six malicious npm packages typosquatting popular libraries to insert SSH backdoors.
Security News
MITRE's 2024 CWE Top 25 highlights critical software vulnerabilities like XSS, SQL Injection, and CSRF, reflecting shifts due to a refined ranking methodology.
Security News
In this segment of the Risky Business podcast, Feross Aboukhadijeh and Patrick Gray discuss the challenges of tracking malware discovered in open source softare.