Research
Security News
Malicious npm Packages Inject SSH Backdoors via Typosquatted Libraries
Socket’s threat research team has detected six malicious npm packages typosquatting popular libraries to insert SSH backdoors.
A command line utility for generating ASAP (JWT tokens as per the Atlassian Service Authentication Protocol) token and making curl calls with the same.
A command line utility for generating ASAP (JWT tokens as per the Atlassian Service Authentication Protocol) token and making curl calls with the same.
The utility generates an ASAP token from a pre-configured config file (or passed in options). This token can be printed out or used to make a curl call directly.
For more information on ASAP and JWT see
npm install -g asap-cli
$ asap
Usage: asap [options] <command>
Commands:
init Pre-configure an ASAP config file which can be used to generate asap tokens
token Generate the ASAP Authorization header
curl Execute curl commands with auto injected ASAP Auth Header
http Execute HTTPie commands with auto injected ASAP Auth Header.
Note: HTTPie needs to be installed (https://github.com/jkbrzt/httpie)
show <key> Output a specific configuration value used by this tool
run Execute the specified command with auto injected ASAP environment variables.
validate <resourceServerAudience> <publicKeyBaseUrl>
Validate the generated ASAP token against a public key server and an expected server audience. This comes handy to check if the asap client configs are setup properly
export-as-data-uri Export the private key as a data URI
proxy [options] Run an HTTP proxy that adds the ASAP Auth Header, will only bind to localhost. Note: this will create a ~/.http-mitm-proxy directory containing the generated certificates.
Options:
-h, --help output usage information
--config-file [configFile] ASAP Config File, defaults to .asap-config
--private-key [privateKey] Private Key
--private-key-file [privateKeyFile] Private Key File
--issuer [issuer] JWT issuer
--sub [sub] JWT subject
--audience [audience] JWT Audience, comma separated for more than one
--kid [kid] JWT Key ID
--expiry [expiry] Expiry in seconds
--additional-claims [additionalClaims] Additional Claims in key=value,anotherKey=anotherValue format Additional Claims in key=value,anotherKey=value format or as JSON
Create a config file in the current directory, which can be reused by the other commands.
Examples
$ asap init
Specify the JWT Issuer: token_issuer
Specify the JWT Subject (leave blank to use issuer): subject
Specify the JWT Key ID: key_id
Specify the JWT Audience (comma separated for more than one): intended_audience1,intended_audience2
Specify the Private Key File (If you want to specify the private key directly, leave this blank): pk.pem
Specify the JWT token expiry in seconds (defaults to 60 sec): 120
Specify the ASAP Config File (defaults to .asap-config):
ASAP Auth config file initialised successfully... curl away!!! (Well.. "asap curl" really)
Generate the ASAP token from the pre-configured config file (defaults to .asap-config). The config file or the values read from the config file can be overriden by specifying the global options. The output can be directly copied to the "Authorization" header.
Examples
$ asap token
Bearer eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsImtpZCI6ImtleV9pZCJ9.eyJpc3MiOiJ0b2tlbl9pc3N1ZXIiLCJzdWIiOiJ0b2tlbl9pc3N1ZXIiLCJhdWQiOiJpbnRlbmRlZF9hdWRpZW5jZSIsImp0aSI6ImIxNDgwZDdkNWM5ZTVkMjMwOGUyNzM1MWM4OWI3YjBjNDMzZThkNmYiLCJpYXQiOjE0NjQ5MjQxODcsImV4cCI6MTQ2NDkyNDE4N30.nXdaYTmrHr99miufkHZxKA4kJC6hh2I0x7eO4ELQItJf_67RsnLA13ECT0iDo86tNqniPLwmnEMS9RCRzbumEdiR6vpGGaXM3LV0Y95BRK9YWiqQCWZs7SUstFnTTqI7UjyOtN22kwLbeHLmDRd_YMo2kLBY4Ago0BCNlsCoUKLRiEeMjuO0A_rtKnGuNo7fxGi0XqZVaPC2arHBks-6DmP3mz3FpvT-BO4fDFTA57Bb9HhnTBO6foEyr5q9VTU--Ov_kl8v_Fpi5XlGjWaiPzEfYbyXm1GPQCRu3107lqMShcSTtlkcr73WFNkaK2GPWmyGspuuRFP9tHcxg
Override the expiry set in the config file
$ asap --expiry 200 token
Bearer eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsImtpZCI6ImtleV9pZCJ9.eyJpc3MiOiJ0b2tlbl9pc3N1ZXIiLCJzdWIiOiJ0b2tlbl9pc3N1ZXIiLCJhdWQiOiJpbnRlbmRlZF9hdWRpZW5jZSIsImp0aSI6ImIxNDgwZDdkNWM5ZTVkMjMwOGUyNzM1MWM4OWI3YjBjNDMzZThkNmYiLCJpYXQiOjE0NjQ5MjQxODcsImV4cCI6MTQ2NDkyNDE4N30.nXdaYTmrHr99miufkHZxKA4kJC6hh2I0x7eO4ELQItJf_67RsnLA13ECT0iDo86tNqniPLwmnEMS9RCRzbumEdiR6vpGGaXM3LV0Y95BRK9YWiqQCWZs7SUstFnTTqI7UjyOtN22kwLbeHLmDRd_YMo2kLBY4Ago0BCNlsCoUKLRiEeMjuO0A_rtKnGuNo7fxGi0XqZVaPC2arHBks-6DmP3mz3FpvT-BO4fDFTA57Bb9HhnTBO6foEyr5q9VTU--Ov_kl8v_Fpi5XlGjWaiPzEfYbyXm1GPQCRu3107lqMShcSTtlkcr73WFNkaK2GPWmyGspuuRFP9tHcxg
Extra JWT claims can be put under additionalClaims
key of .asap-config
.
Alternatively, they can be passed in as CLI arguments
asap --additional-claims key=value,anotherKey=anotherValue token
or
asap --additional-claims '{"key": "value", "anotherKey": true}' token
or when lists are required the following patterns are supported
asap --additional-claims "list=a,b"
asap --additional-claims "list=[a,b]"
asap --additional-claims "list=a,list=b"
asap --additional-claims "list[]=a,list[]=b"
asap --additional-claims "list[0]=a,list[1]=b"
asap --additional-claims '{"list":["a","b"]}'
Note that passing in additional claims in the command line will completely override any additionalClaims
already present in the config file
Make curl calls with the ASAP token (generated from the config file) set as the Authorization header. All the arguments meant for the curl command are passed through to curl. So this will support all the options that curl supports. The config file or the values read from the config file can be overriden by specifying the global options.
Examples
$ asap curl -X PUT -d "foo=bar" "https://authenticated-service.company.com/item" -v
> PUT /item HTTP/1.1
> User-Agent: curl/7.37.1
> Host: authenticated-service.company.com
> Accept: */*
> Authorization: Bearer eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsImtpZCI6ImtleV9pZCJ9.eyJpc3MiOiJ0b2tlbl9pc3N1ZXIiLCJzdWIiOiJ0b2tlbl9pc3N1ZXIiLCJhdWQiOiJpbnRlbmRlZF9hdWRpZW5jZSIsImp0aSI6ImNlOThjN2IyYzUwMTJlYzNhMzBkNjhlNWM0ZTMxZGU0MTgzOGU2YzEiLCJpYXQiOjE0NjQ5MjQ3MTksImV4cCI6MTQ2NDkyNDcxOX0.a45Tz3hSwBpjK91AI46VpZ9DlQ7mA0IisqT7OymSSZiY5Qa1NtW3ZKmgAUFEj4C-MFaC0gB5j2g5-Lu_LjHtCO5KxOvF_eig8nIs3MH57k_jDFJCPioL9nxGbiHYfQd9_InrDVOqz8H_bZeSvnqq94c2MwDhvibYPPMRMEeY1aG3oFWA5m8andeeP1F1799TFzbQZXd0Iv6BOjM35ujAeAGHTqj8wZOEczSoOcXY0dPnrXcPTu9ZLkskhtDYiVHyZHTvA_0ugXX4Wq6D7KZpUbefylS6Be8BrbCscIFyuVDNEyQi5MBIDTGQ8P5Xgn_5A00nGbuiLP63iX-zCp00NQ
>
< HTTP/1.1 401 Unauthorized
< Content-Type: application/json
Make HTTPie calls with the ASAP token (generated from the config file) set as the Authorization header. All the arguments meant for the HTTPie command are passed through. So this will support all the options that HTTPie supports. The config file or the values read from the config file can be overriden by specifying the global options.
Prerequisite: HTTPie needs to be installed. See https://github.com/jkbrzt/httpie for installation and usage.
Examples
$ asap http PUT https://authenticated-service.company.com/item X-API-Token:123 foo=bar
HTTP/1.1 200 OK
Connection: keep-alive
Content-Length: 26
Content-Type: application/json; charset=utf-8
{
"data": "Some data"
}
Display the current value of a particular config field (from .asap-config
)
Examples
$ asap show issuer
dev-machine
$ asap show additionalClaims
{ "foo": "bar" }
$ TRUSTED_ISSUERS=$(asap show issuer) ./run-local-server.sh
Runs an HTTP(S) proxy (defaults to port 8888) which will add the ASAP token as Authorization header to forwarded requests.
Note that this terminates TLS since the requests have to be modified, storing the generated certificates in ~/.http-mitm-proxy
.
$ asap proxy --port 8889
Listening on port 8889, will generate JWT tokens for user/1481174136
Now localhost:8889
can be used as a proxy server which will add the Authorization headers to the forwarded requests.
Example:
$ curl --proxy 127.0.0.1:8888 --insecure https://www.google.com -v
* Rebuilt URL to: https://www.google.com/
* Hostname was NOT found in DNS cache
* Trying 127.0.0.1...
* Connected to 127.0.0.1 (127.0.0.1) port 8888 (#0)
* Establish HTTP proxy tunnel to www.google.com:443
> CONNECT www.google.com:443 HTTP/1.1
> Host: www.google.com:443
> User-Agent: curl/7.37.1
> Proxy-Connection: Keep-Alive
>
< HTTP/1.1 200 OK
<
* Proxy replied OK to CONNECT request
* TLS 1.2 connection using TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
* Server certificate: www.google.com
> GET / HTTP/1.1
> User-Agent: curl/7.37.1
> Host: www.google.com
> Accept: */*
>
< HTTP/1.1 302 Found
< cache-control: private
< content-type: text/html; charset=UTF-8
< location: https://www.google.com.au/?gfe_rd=cr&ei=Kih4WO3mMq3r8AeZoangAw
* Closing connection 0
Executes the specified command (with arguments) with the ASAP_
environment variables set:
ASAP_KEY_ID
ASAP_ISSUER
ASAP_PRIVATE_KEY
ASAP_AUDIENCE
ASAP_PUBLIC_KEY_REPOSITORY_URL
ASAP_PUBLIC_KEY_FALLBACK_REPOSITORY_URL
$ asap run env
PATH=...
ASAP_KEY_ID=...
$ asap run python script.py --port 8080
The tool expects a .asap-config
file to be present in the current directory.
Note: If no config is present, the tool will look for one in your home dir (i.e., ~/.asap-config
)
npm install
# Run all checks
npm run check
# Run just the jasmine tests
npm test
# Run just the linter
npm run lint
npm version 99.98.97
npm publish
git push
git push --tags
FAQs
A command line utility for generating ASAP (JWT tokens as per the Atlassian Service Authentication Protocol) token and making curl calls with the same.
The npm package asap-cli receives a total of 25 weekly downloads. As such, asap-cli popularity was classified as not popular.
We found that asap-cli demonstrated a not healthy version release cadence and project activity because the last version was released a year ago. It has 2 open source maintainers collaborating on the project.
Did you know?
Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.
Research
Security News
Socket’s threat research team has detected six malicious npm packages typosquatting popular libraries to insert SSH backdoors.
Security News
MITRE's 2024 CWE Top 25 highlights critical software vulnerabilities like XSS, SQL Injection, and CSRF, reflecting shifts due to a refined ranking methodology.
Security News
In this segment of the Risky Business podcast, Feross Aboukhadijeh and Patrick Gray discuss the challenges of tracking malware discovered in open source softare.