cookie-signature
Comparing version 1.1.0 to 1.2.0
@@ -0,1 +1,7 @@ | ||
1.1.0 / 2018-01-18 | ||
================== | ||
* switch to built-in `crypto.timingSafeEqual` for validation instead of previous double-hash method (thank you @jodevsa!) | ||
1.0.6 / 2015-02-03 | ||
@@ -2,0 +8,0 @@ ================== |
index.js
@@ -18,3 +18,3 @@ /** | ||
if ('string' != typeof val) throw new TypeError("Cookie value must be provided as a string."); | ||
if ('string' != typeof secret) throw new TypeError("Secret string must be provided."); | ||
if (null == secret) throw new TypeError("Secret key must be provided."); | ||
return val + '.' + crypto | ||
@@ -28,6 +28,6 @@ .createHmac('sha256', secret) | ||
/** | ||
* Unsign and decode the given `val` with `secret`, | ||
* Unsign and decode the given `input` with `secret`, | ||
* returning `false` if the signature is invalid. | ||
* | ||
* @param {String} val | ||
* @param {String} input | ||
* @param {String} secret | ||
@@ -38,12 +38,13 @@ * @return {String|Boolean} | ||
exports.unsign = function(val, secret){ | ||
if ('string' != typeof val) throw new TypeError("Signed cookie string must be provided."); | ||
if ('string' != typeof secret) throw new TypeError("Secret string must be provided."); | ||
var str = val.slice(0, val.lastIndexOf('.')) | ||
, mac = exports.sign(str, secret) | ||
, macBuffer = Buffer.from(mac) | ||
, valBuffer = Buffer.alloc(macBuffer.length); | ||
valBuffer.write(val); | ||
return crypto.timingSafeEqual(macBuffer, valBuffer) ? str : false; | ||
exports.unsign = function(input, secret){ | ||
if ('string' != typeof input) throw new TypeError("Signed cookie string must be provided."); | ||
if (null == secret) throw new TypeError("Secret key must be provided."); | ||
var tentativeValue = input.slice(0, input.lastIndexOf('.')), | ||
expectedInput = exports.sign(tentativeValue, secret), | ||
expectedBuffer = Buffer.from(expectedInput), | ||
inputBuffer = Buffer.from(input); | ||
return ( | ||
expectedBuffer.length === inputBuffer.length && | ||
crypto.timingSafeEqual(expectedBuffer, inputBuffer) | ||
) ? tentativeValue : false; | ||
}; |
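Review bot: The JSDoc `@param {String} secret` kept in the middle hunk no longer matches the guard the new code uses in both `sign` and `unsign`, which was relaxed from a `typeof` string check to `null == secret` and so now admits any non-null value that `crypto.createHmac` accepts (a Buffer, for instance); the doc should say so, e.g. `* @param {String|Buffer} secret` (the `sign` docblock starts outside the hunk and presumably carries the same tag). In `unsign`, an `input` with no `.` makes `lastIndexOf` return -1 and `slice(0, -1)` drop the final character, so the function reaches the buffer comparison with a truncated candidate and relies on the length check to return `false`; that path deserves a comment next to the `tentativeValue` line, such as `// no '.' => lastIndexOf is -1 and slice drops one char; the length check below rejects it`. The explicit `expectedBuffer.length === inputBuffer.length` guard is required because `timingSafeEqual` throws on unequal lengths, and a one-line comment saying so would spare the next reader from "simplifying" it away.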
{ | ||
"name": "cookie-signature", | ||
"version": "1.1.0", | ||
"version": "1.2.0", | ||
"description": "Sign and unsign cookies", | ||
@@ -5,0 +5,0 @@ "keywords": ["cookie", "sign", "unsign"], |
@@ -19,25 +19,6 @@ | ||
## License | ||
## License | ||
(The MIT License) | ||
MIT. | ||
Copyright (c) 2012 LearnBoost <tj@learnboost.com> | ||
Permission is hereby granted, free of charge, to any person obtaining | ||
a copy of this software and associated documentation files (the | ||
'Software'), to deal in the Software without restriction, including | ||
without limitation the rights to use, copy, modify, merge, publish, | ||
distribute, sublicense, and/or sell copies of the Software, and to | ||
permit persons to whom the Software is furnished to do so, subject to | ||
the following conditions: | ||
The above copyright notice and this permission notice shall be | ||
included in all copies or substantial portions of the Software. | ||
THE SOFTWARE IS PROVIDED 'AS IS', WITHOUT WARRANTY OF ANY KIND, | ||
EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF | ||
MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. | ||
IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY | ||
CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, | ||
TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE | ||
SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. | ||
See LICENSE file for details. |