cookie-signature
Advanced tools
Comparing version 1.1.0 to 1.2.0
@@ -0,1 +1,7 @@ | ||
| 1.1.0 / 2018-01-18 | ||
| ================== | ||
| * switch to built-in `crypto.timingSafeEqual` for validation instead of previous double-hash method (thank you @jodevsa!) | ||
| 1.0.6 / 2015-02-03 | ||
@@ -2,0 +8,0 @@ ================== |
27
index.js
@@ -18,3 +18,3 @@ /** | ||
| if ('string' != typeof val) throw new TypeError("Cookie value must be provided as a string."); | ||
| if ('string' != typeof secret) throw new TypeError("Secret string must be provided."); | ||
| if (null == secret) throw new TypeError("Secret key must be provided."); | ||
| return val + '.' + crypto | ||
@@ -28,6 +28,6 @@ .createHmac('sha256', secret) | ||
| /** | ||
| * Unsign and decode the given `val` with `secret`, | ||
| * Unsign and decode the given `input` with `secret`, | ||
| * returning `false` if the signature is invalid. | ||
| * | ||
| * @param {String} val | ||
| * @param {String} input | ||
| * @param {String} secret | ||
@@ -38,12 +38,13 @@ * @return {String|Boolean} | ||
| exports.unsign = function(val, secret){ | ||
| if ('string' != typeof val) throw new TypeError("Signed cookie string must be provided."); | ||
| if ('string' != typeof secret) throw new TypeError("Secret string must be provided."); | ||
| var str = val.slice(0, val.lastIndexOf('.')) | ||
| , mac = exports.sign(str, secret) | ||
| , macBuffer = Buffer.from(mac) | ||
| , valBuffer = Buffer.alloc(macBuffer.length); | ||
| valBuffer.write(val); | ||
| return crypto.timingSafeEqual(macBuffer, valBuffer) ? str : false; | ||
| exports.unsign = function(input, secret){ | ||
| if ('string' != typeof input) throw new TypeError("Signed cookie string must be provided."); | ||
| if (null == secret) throw new TypeError("Secret key must be provided."); | ||
| var tentativeValue = input.slice(0, input.lastIndexOf('.')), | ||
| expectedInput = exports.sign(tentativeValue, secret), | ||
| expectedBuffer = Buffer.from(expectedInput), | ||
| inputBuffer = Buffer.from(input); | ||
| return ( | ||
| expectedBuffer.length === inputBuffer.length && | ||
| crypto.timingSafeEqual(expectedBuffer, inputBuffer) | ||
| ) ? tentativeValue : false; | ||
| }; |
| { | ||
| "name": "cookie-signature", | ||
| "version": "1.1.0", | ||
| "version": "1.2.0", | ||
| "description": "Sign and unsign cookies", | ||
@@ -5,0 +5,0 @@ "keywords": ["cookie", "sign", "unsign"], |
@@ -19,25 +19,6 @@ | ||
| ## License | ||
| ## License | ||
| (The MIT License) | ||
| MIT. | ||
| Copyright (c) 2012 LearnBoost <tj@learnboost.com> | ||
| Permission is hereby granted, free of charge, to any person obtaining | ||
| a copy of this software and associated documentation files (the | ||
| 'Software'), to deal in the Software without restriction, including | ||
| without limitation the rights to use, copy, modify, merge, publish, | ||
| distribute, sublicense, and/or sell copies of the Software, and to | ||
| permit persons to whom the Software is furnished to do so, subject to | ||
| the following conditions: | ||
| The above copyright notice and this permission notice shall be | ||
| included in all copies or substantial portions of the Software. | ||
| THE SOFTWARE IS PROVIDED 'AS IS', WITHOUT WARRANTY OF ANY KIND, | ||
| EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF | ||
| MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. | ||
| IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY | ||
| CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, | ||
| TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE | ||
| SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. | ||
| See LICENSE file for details. |
No alert changes
Improved metrics
- Total package byte prevSize
- increased by7.63%
4287
- Number of package files
- increased by25%
5
- Lines of code
- increased by5%
42
Worsened metrics
- Number of lines in readme file
- decreased by-42.86%
24
No dependency changes