Branca allows you to generate and verify encrypted authentication tokens. It defines the external format and encryption scheme of the token. Branca is based on Fernet specification. Payload in Branca token is an arbitrary sequence of bytes. Payload can be for example a JSON object, plain text string or even binary data serialized by MessagePack or Protocol Buffers.
Install the library using Yarn or npm.
$ yarn add branca
$ npm install branca
A Branca token is a base62 encoded concatenation of a header, ciphertext and MAC. Header consists of version, timestamp and nonce. Putting them all together we get the structure below.
Version || Timestamp || Nonce || Ciphertext || MAC
Version is 8 bits ie. one byte. Currently the only version is 0xBA. This is a
magic byte you can use to quickly identify a given token. Version number guarantees
the token format and encryption algorithm.
Timestamp is 32 bits ie. standard 4 byte UNIX timestamp.
Nonce is 96 bits ie. 12 bytes. These should be cryptographically secure random bytes and never reused between tokens.
Payload is encrypted and authenticated using IETF ChaCha20-Poly1305.
Note that this is Authenticated Encryption with Additional Data (AEAD) where the
he header part of the token is the additional data. This means the data in the
header (version, timestamp and nonce) is not encrypted, it is only
authenticated. In laymans terms, header can be seen but it cannot be tampered.
The authentication tag is 128 bits ie. 16 bytes. This is the Poly1305 message authentication code (MAC). It is used to make sure that the message, as well as the non-encrypted header has not been tampered with.
Token payload can be any arbitrary data such as string containing an email address.
const key = "supersecretkeyyoushouldnotcommit";
const branca = require("branca")(key);
const token = branca.encode("tuupola@appelsiini.net");
/* 87x2GqCUw7fho4DVETyEPrv8s79gbfRIZB3ql5nliJ42xNNA88VQm7MZZzZs07O8zMC9vke0XuMxb */
const payload = branca.decode(token);
/* tuupola@appelsiini.net */
Sometimes you might prefer JSON.
const key = "supersecretkeyyoushouldnotcommit";
const branca = require("branca")(key);
const json = JSON.stringify({"scope": ["read", "write", "delete"]});
const token = branca.encode(json);
/*
3Gq55EruBIu2KtWGtzjjkMV45e1froWhTDF8nNNTbnwHvOeGHNHNEuBuyrGqFtEn4faf26LAuVUzijMNaO1Fk72aZ3B5
*/
const payload = JSON.parse(branca.decode(token));
/* { scope: [ 'read', 'write', 'delete' ] } */
You can keep the token size small by using a space efficient serialization method such as MessagePack or Protocol Buffers.
const key = "supersecretkeyyoushouldnotcommit";
const branca = require("branca")(key);
const msgpack = require("msgpack5")();
const packed = msgpack.encode({"scope": ["read", "write", "delete"]});
const test = msgpack.decode(packed);
const token = branca.encode(packed);
/* 2EZpnHNCn1qwjqalGcpnZ2tlpXtIqNYNqeZuQvKzz6TY8nIh1Pukl8R7ZNIFvH28ZICIi9gkikjsHaPg */
const binary = branca.decode(token);
const payload = msgpack.decode(Buffer.from(binary));
/* { scope: [ 'read', 'write', 'delete' ] } */
You can run tests either manually with the following command.
$ node test.js
Please see CONTRIBUTING for details.
If you discover any security related issues, please email tuupola@appelsiini.net instead of using the issue tracker.
The MIT License (MIT). Please see License File for more information.
FAQs
Authenticated and encrypted API tokens using modern crypto
We found that branca demonstrated a not healthy version release cadence and project activity because the last version was released a year ago. It has 1 open source maintainer collaborating on the project.
Did you know?
Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.
Security News
GitHub removed 27 malicious pull requests attempting to inject harmful code across multiple open source repositories, in another round of low-effort attacks.
Security News
RubyGems.org has added a new "maintainer" role that allows for publishing new versions of gems. This new permission type is aimed at improving security for gem owners and the service overall.
Security News
Node.js will be enforcing stricter semver-major PR policies a month before major releases to enhance stability and ensure reliable release candidates.