
Research
/Security News
jscrambler npm Package Compromised in Supply Chain Attack
A compromised jscrambler npm release added a malicious preinstall hook that runs hidden native binaries on Linux, macOS, and Windows.
@passwordlessdev/passwordless-nodejs
Advanced tools
This library is meant for helping you integrate 'Passwordless.dev' with your Node.js backend.
When using .env to configure your web application you'll need to set the following properties:
| Key | Value example | Description | Optional |
|---|---|---|---|
PASSWORDLESS_API | https://v4.passwordless.dev | The base url where your Passwordless.dev back-end is running | Yes |
PASSWORDLESS_SECRET | demo:secret:f831e39c29e64b77aba547478a4b3ec6 | This is your secret obtained from the AdminConsole. | No |
You would then use the PasswordlessClient as:
Specifying the baseUrl would be optional, and will contain https://v4.passwordless.dev as its default value.
const options: PasswordlessOptions = {
baseUrl: 'https://v4.passwordless.dev'
};
this._passwordlessClient = new PasswordlessClient('demo:secret:f831e39c29e64b77aba547478a4b3ec6', options);
const options: PasswordlessOptions = {};
this._passwordlessClient = new PasswordlessClient('demo:secret:f831e39c29e64b77aba547478a4b3ec6', options);
If you had for example a 'UserController.ts' with a 'signup' arrow function. You could register a new token as shown below.
You'll first want to proceed to store the new user in your database and verifying it has succeeded, before registering the token.
signup = async (request: express.Request, response: express.Response) => {
const signupRequest: SignupRequest = request.body;
const repository: UserRepository = new UserRepository();
let id: string = null;
try {
id = repository.create(signupRequest.username, signupRequest.firstName, signupRequest.lastName);
} catch {
// do error handling, creating user failed.
} finally {
repository.close();
}
if (!id) {
// Do not proceed to create a token, we failed to create a user.
response.send(400);
}
let registerOptions = new RegisterOptions();
registerOptions.userId = id;
registerOptions.username = signupRequest.username;
if (signupRequest.deviceName) {
registerOptions.aliases = new Array(1);
registerOptions.aliases[0] = signupRequest.deviceName;
}
registerOptions.discoverable = true;
const token: RegisterTokenResponse = await this._passwordlessClient.createRegisterToken(registerOptions);
response.send(token);
}
signin = async (request: express.Request, response: express.Response) => {
try {
const token: string = request.query.token as string;
const verifiedUser: VerifiedUser = await this._passwordlessClient.verifyToken(token);
if (verifiedUser && verifiedUser.success === true) {
// If you want to build a JWT token for SPA that are rendered client-side, you can do this here.
response.send(JSON.stringify(verifiedUser));
return;
}
} catch (error) {
console.error(error.message);
}
response.send(401);
}
FAQs
Passwordless Node.js library
The npm package @passwordlessdev/passwordless-nodejs receives a total of 7 weekly downloads. As such, @passwordlessdev/passwordless-nodejs popularity was classified as not popular.
We found that @passwordlessdev/passwordless-nodejs demonstrated a not healthy version release cadence and project activity because the last version was released a year ago. It has 1 open source maintainer collaborating on the project.
Did you know?

Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.

Research
/Security News
A compromised jscrambler npm release added a malicious preinstall hook that runs hidden native binaries on Linux, macOS, and Windows.

Research
/Security News
A malicious .NET package is typosquatting the Braintree SDK to steal live payment card data, merchant API keys, and host secrets from production apps.

Security News
/Research
Compromised Injective SDK npm version 1.20.21 exfiltrates wallet private keys and mnemonics through fake telemetry functionality.