Research
Security News
Quasar RAT Disguised as an npm Package for Detecting Vulnerabilities in Ethereum Smart Contracts
Socket researchers uncover a malicious npm package posing as a tool for detecting vulnerabilities in Etherium smart contracts.
@packt/jwt-authorizer
Advanced tools
Module to manage JWT claims-based authentication with permissions.
Use this package for checking a users authentication and authorization in a microservice environment, and to encode their permissions into the JWT. There are 2 classes within this package, AuthHelper
and PermissionManager
.
Exceptions are thrown using the @packt/error-custom
error type, with unique error codes:
Code Class Function Description
------- ----------------- ----------------------- -----------------------------------
1000100 AuthHelper processJwt JWT verification failed
1000101 AuthHelper processJwt UserId doesn't match and no permission to override
1000102 AuthHelper processJwt No userId in token
1000103 VerifyJson VerifyJson Service [${key}] has no numeric service index
1000104 VerifyJson VerifyJson Service [${key}] has an index greater than the number of services
1000105 VerifyJson VerifyJson Service index [${serviceNum}] exists twice (extra time in [${key}])
1000106 VerifyJson VerifyJson Value [${value}] of Key [${permissionKey}] in Service [${serviceNum}] is not Base2
1000107 VerifyJson VerifyJson Value [${value}] of Key [${permissionKey}] in Service [${serviceNum}] exists twice
1000108 PermissionManager constructor No config file supplied
1000109 PermissionManager addPermission Service doesn't match global permissions object
1000110 PermissionManager removePermission Service doesn't match global permissions object
1000111 PermissionManager checkPermission Service doesn't match global permissions object
1000112 PermissionManager static checkPermission Service doesn't match global permissions object
1000113 AuthHelper processJwt Invalid Jwt format
1000114 AuthHelper constructor Invalid public key format
The JWT itself defines whether a user is authenticated, and a specific object structure is used to manage permissions. This has been designed to encode full permissions into the JWT in a minimal amount of space, and allow the consuming microservice to check permissions without a call to a central service, reducing processing time and direct runtime dependency.
Permissions are detailed as an object with the following format:
{
"genin": {
"service": 0,
"dRankMission": 1,
"cRankMission": 2
},
"chunin": {
"service": 1,
"bRankMission": 1,
"aRankMission": 2
},
"jonin": {
"service": 2,
"sRankMission": 1,
"potentialKage": 2
}
}
Top level objects are individual services, and each must contain a service
property with a numeric index. These must be 0 based, unique and no higher than the number of objects-1.
Within each object are permission properties, which are base2 numbers.
This object structure is passed into the PermissionManager
class as a JSON string and validated for correct structure. It is recommended that the JSON is stored in the authentication and authorization service (that generates the JWTs) and validated as part of the build step.
The permissions a user has can he held in a UInt8Array
which base64 encodes to an extremely short string to be put into the JWT.
As the UInt8Array
can only store 8 bits per service, there can only be 8 permissions per service. Any services needing more permissions will need to be split over 2 'virtual' services.
AuthHelper
is to be used in microservices to verify if the user has a valid authentication and authorization.
constructor(rawJwt, publicKey, service, overrideAccessPermission)
Instantiates the helper object with raw information needed.
processJwt(userId)
Validates the JWT for structure and signature.
userId
to JWT, when a different userId
is provided then a permission check is made using the service
and overrideAccesspermission
specified in the constructor.jwt expired
userCan(permissionClass, permission)
Checks whether the user has the required permission.
PermissionManager
is to be used in microservices to verify if the user has a valid authentication and authorization.
constructor(globalJSON, permsIn = undefined)
Creates permission object ready to manage.
addPermission(serviceIndex, perm)
Adds a permimssion into the internal permission object.
removePermission(serviceIndex, perm)
Removes a permimssion from the internal permission object.
toString()
Returns a base64 version of the permissions array to be stored in a JWT.
listPermissions()
Returns an array of permissions set for the current object.
checkPermission(serviceIndex, permission)
Checks the permission is included in the current permissions object.
static checkPermissions(encodedPermissions, serviceIndex, permission)
Checks the permission is included in the supplied encoded permissions object.
FAQs
Module to manage JWT claims-based authentication with permissions.
The npm package @packt/jwt-authorizer receives a total of 0 weekly downloads. As such, @packt/jwt-authorizer popularity was classified as not popular.
We found that @packt/jwt-authorizer demonstrated a not healthy version release cadence and project activity because the last version was released a year ago. It has 6 open source maintainers collaborating on the project.
Did you know?
Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.
Research
Security News
Socket researchers uncover a malicious npm package posing as a tool for detecting vulnerabilities in Etherium smart contracts.
Security News
Research
A supply chain attack on Rspack's npm packages injected cryptomining malware, potentially impacting thousands of developers.
Research
Security News
Socket researchers discovered a malware campaign on npm delivering the Skuld infostealer via typosquatted packages, exposing sensitive data.