@fastify/jwt - npm Package Compare versions

Comparing version 7.0.0 to 7.1.0

jwt.d.ts

@@ -105,8 +105,10 @@ import {
   export interface FastifyJWTOptions {
-    secret: Secret | { public: Secret; private: Secret }
+    secret: Secret | {public: Secret; private?: Secret}
     decode?: Partial<DecoderOptions>
     sign?: Partial<SignOptions>
-    verify?: Partial<VerifyOptions> & { extractToken?: (request: FastifyRequest) => string | void }
+    verify?: Partial<VerifyOptions> & {
+      extractToken?: (request: FastifyRequest) => string | void
+    }
     cookie?: {
-      cookieName: string,
+      cookieName: string
       signed: boolean
@@ -124,4 +126,7 @@ }
     }
-    trusted?: (request: FastifyRequest, decodedToken: { [k: string]: any }) => boolean | Promise<boolean> | SignPayloadType | Promise<SignPayloadType>
-    formatUser?: (payload: SignPayloadType) => UserType,
+    trusted?: (
+      request: FastifyRequest,
+      decodedToken: {[k: string]: any}
+    ) => boolean | Promise<boolean> | SignPayloadType | Promise<SignPayloadType>
+    formatUser?: (payload: SignPayloadType) => UserType
     jwtDecode?: boolean | string
@@ -128,0 +133,0 @@ namespace?: string

jwt.js

@@ -87,4 +87,4 @@ 'use strict'
   if (typeof secret === 'object' && !Buffer.isBuffer(secret)) {
-    if (!secret.private || !secret.public) {
-      return next(new Error('missing private key and/or public key'))
+    if (!secret.public) {
+      return next(new Error('missing public key'))
     }
@@ -190,3 +190,6 @@ secretOrPrivateKey = secret.private
   const signerConfig = checkAndMergeSignOptions()
-  const signer = createSigner(signerConfig.options)
+  // no signer when configured in verify-mode
+  const signer = signerConfig.options.key
+    ? createSigner(signerConfig.options)
+    : null
   const decoder = createDecoder(decodeOptions)
@@ -294,2 +297,5 @@ const verifierConfig = checkAndMergeVerifyOptions()
     assert(payload, 'missing payload')
+    // if a global signer was not created, sign mode is not supported
+    assert(signer, 'unable to sign: secret is configured in verify mode')
+
     let localSigner = signer
@@ -334,2 +340,5 @@
   function replySign (payload, options, next) {
+    // if a global signer was not created, sign mode is not supported
+    assert(signer, 'unable to sign: secret is configured in verify mode')
+
     let useLocalSigner = true
@@ -336,0 +345,0 @@ if (typeof options === 'function') {

package.json

 {
   "name": "@fastify/jwt",
-  "version": "7.0.0",
+  "version": "7.1.0",
   "description": "JWT utils for Fastify",
@@ -5,0 +5,0 @@ "main": "jwt.js",

README.md

@@ -120,2 +120,13 @@ # @fastify/jwt
 
+#### Verify-only mode
+
+In cases where your incoming JWT tokens are issued by a trusted external
+service, and you need only to verify their signature without issuing, there is
+an option to configure `fastify-jwt` in *verify-only* mode by passing the
+`secret` object containing only a public key: `{ public }`.
+
+When only a public key is provided, decode and verification functions will work as
+described below, but an exception will be thrown at an attempt to use any form
+of `sign` functionality.
+
 #### Example
@@ -169,7 +180,15 @@ ```js
 })
+// secret as an object with RSA public key
+// fastify-jwt is configured in VERIFY-ONLY mode
+fastify.register(jwt, {
+  secret: {
+    public: process.env.JWT_ISSUER_PUBKEY
+  }
+})
 ```
+
+### Default options
+
 Optionally you can define global default options that will be used by `@fastify/jwt` API if you do not override them.
 
-Additionally, it is also possible to reject tokens selectively (i.e. blacklisting) by providing the option `trusted` with the following signature: `(request, decodedToken) => boolean|Promise<boolean>|SignPayloadType|Promise<SignPayloadType>` where `request` is a `FastifyRequest` and `decodedToken` is the parsed (and verified) token information. Its result should be `false` or `Promise<false>` if the token should be rejected or, otherwise, be `true` or `Promise<true>` if the token should be accepted and, considering that `request.user` will be used after that, the return should be `decodedToken` itself.
-
 #### Example
@@ -361,2 +380,4 @@ ```js
 
+Additionally, it is also possible to reject tokens selectively (i.e. blacklisting) by providing the option `trusted` with the following signature: `(request, decodedToken) => boolean|Promise<boolean>|SignPayloadType|Promise<SignPayloadType>` where `request` is a `FastifyRequest` and `decodedToken` is the parsed (and verified) token information. Its result should be `false` or `Promise<false>` if the token should be rejected or, otherwise, be `true` or `Promise<true>` if the token should be accepted and, considering that `request.user` will be used after that, the return should be `decodedToken` itself.
+
 #### Example trusted tokens
@@ -540,3 +561,3 @@ ```js
 ### fastify.jwt.decode(token [,options])
-This method is used to decode the provided token. It accepts a token (as a `Buffer` or a `string`) and returns the payload or the sections of the token. 
+This method is used to decode the provided token. It accepts a token (as a `Buffer` or a `string`) and returns the payload or the sections of the token.
 `options` must be an `Object` and can contain [decode](#decode) options.
@@ -543,0 +564,0 @@ Can only be used synchronously.

New alerts

License Policy Violation

License

This package is not allowed per your license policy. Review the package's license to ensure compliance.

Found 1 instance in 1 package

Fixed alerts

License Policy Violation

License

This package is not allowed per your license policy. Review the package's license to ensure compliance.

Found 1 instance in 1 package

Improved metrics

Total package byte prevSize

158349

increased by2.96%

Lines of code

3674

increased by2.88%

Number of lines in readme file

824

increased by2.62%

No dependency changes