Introducing Enhanced Alert Actions and Triage Functionality
Socket now supports four distinct alert actions instead of the previous two, and alert triaging allows users to override the actions taken for all individual alerts.
@curity/jwt-validation
Readme
Simple JWT validation library without any external dependencies.

NOTE: if you plan to use the library outside a browser, you will need at least Node.js version 15.0.0.

Add to your project using npm

```shell
npm install @curity/jwt-validation
```

or yarn

```shell
yarn add @curity/jwt-validation
```
Initialize the JWT Validator.

```javascript
import JWTValidator from "@curity/jwt-validation";
// OR using require
// const JWTValidator = require("@curity/jwt-validation");

const issuer = "https://idsvr.example.com/oauth/v2/oauth-anonymous"; // expected `iss` claim (example value)
const audience = "my-client-id"; // audience is the client_id (example value)
const allowed_jwt_algorithms = ['RS256', 'ES384']; // allowlist: the token's `alg` header must be one of these

const jwt_sig_public_key = { // allowed formats are jwk | jwks_uri | pem | issuer | metadata_url | raw
    format: 'issuer', // in case of issuer, the issuer value will be taken from the jwt payload
    value: null
};

const jwtValidator = new JWTValidator(
    issuer,
    audience,
    allowed_jwt_algorithms,
    jwt_sig_public_key,
);
```
Verify a JWT using the jwtValidator instance that you initialized as described above.

```javascript
// accessTokenValue, stateValue, nonceValue and jwtString are the values
// received in your OAuth/OIDC flow.
const options = {
    accessToken: accessTokenValue, // optional, pass it if you want to validate at_hash
    state: stateValue, // optional, pass it if you want to validate s_hash
    nonce: nonceValue, // optional, pass it if you want to validate nonce
    ignoreExpiration: true, // optional, default false
    ignoreNotBefore: true, // optional, default false
    clockTolerance: 0, // optional, default 0 seconds
    subject: 'test', // optional, if provided, then jwt.sub should match it
    jti: 'jti-value', // optional, if provided, then jwt.jti should match it
    code: 'authorize-code' // optional, pass it if you want to validate c_hash
};

jwtValidator.verifyJWT(jwtString, options)
    .then((payload) => {
        // validation is successful, payload is the parsed JSON payload of the jwt.
        // do the stuff here to save or use the jwt.
    }).catch(err => {
        // validation failed, err.message contains the reason for failure
    });
```
Supported key formats (the `format` value of `jwt_sig_public_key`):

- `jwk`: a JWK can be passed directly as an object (not a string) when the format specified is `jwk`.
- `jwks_uri`: a list of JWKs is retrieved from the specified `jwks_uri`.
- `pem`: a PEM public key string can be provided using the format `pem`.
- `issuer`: if the format specified is `issuer`, then the JWT issuer is used to retrieve the metadata, which in turn is resolved to retrieve the JWK from the corresponding `jwks_uri`.
- `metadata_url`: if the format specified is `metadata_url`, then the JWK is retrieved from the corresponding `jwks_uri` of the resolved metadata.
- `raw`: you can also provide the raw key using the format `raw`, e.g. an HMAC secret.
The following is the list of supported algorithms, with the parameters used for each.

```javascript
HS256: {name: 'HMAC', hash: 'SHA-256'},
HS384: {name: 'HMAC', hash: 'SHA-384'},
HS512: {name: 'HMAC', hash: 'SHA-512'},
RS256: {name: 'RSASSA-PKCS1-v1_5', hash: 'SHA-256'},
RS384: {name: 'RSASSA-PKCS1-v1_5', hash: 'SHA-384'},
RS512: {name: 'RSASSA-PKCS1-v1_5', hash: 'SHA-512'},
ES256: {name: 'ECDSA', namedCurve: "P-256", hash: 'SHA-256'},
ES384: {name: 'ECDSA', namedCurve: "P-384", hash: 'SHA-384'},
ES512: {name: 'ECDSA', namedCurve: "P-521", hash: 'SHA-512'},
PS256: {name: 'RSA-PSS', saltLength: 256 / 8, hash: 'SHA-256'},
PS384: {name: 'RSA-PSS', saltLength: 384 / 8, hash: 'SHA-384'},
PS512: {name: 'RSA-PSS', saltLength: 512 / 8, hash: 'SHA-512'}
```
FAQs
Curity JWT Validation library
We found that @curity/jwt-validation demonstrated an unhealthy version release cadence and project activity because the last version was released a year ago. It has 5 open source maintainers collaborating on the project.