
crypto-auth
API Authentication Middleware based on Signed-Certificates (SHA-256) and Token based session with limited TTL.
The basic idea is to distribute signed certificate files to protect your API instead of using a classic API key. You'll have as many API clients as certificates you generate, and each of them may have a different expiration date.
Why? Certificates give you flexibility in setting expiration dates, and you can generate new certificates offline. Companies that communicate with each other demand extremely secure APIs; sharing a single API key that never expires is just not good.
THIS IS INTENDED TO BE USED IN ADDITION TO HTTPS FOR IMPROVED SECURITY
Generate a private key and a certificate signing request (CSR) in one step:
openssl req -nodes -sha256 -newkey rsa:2048 -keyout auth.key -out auth.csr
If you already have a key, generate only the CSR from it:
openssl req -new -key auth.key -out auth.csr
Self-sign the certificate, valid for 365 days:
openssl x509 -req -days 365 -in auth.csr -signkey auth.key -out auth.crt
(You can also include -startdate YYMMDDHHMMSSZ; the format of the date is YYMMDDHHMMSSZ, the same as an ASN1 UTCTime structure.)
var authProvider = require('./crypto-auth')({
  debug: true,
  jsonTokenStore: false,
  privateKey: require('path').resolve(__dirname, 'certificates', 'auth.key')
});
app.post('/api/requestToken', authProvider.requestToken);
app.post('/api/check', authProvider.auth, function (req, res) {
  return res.json({ success: true });
});
(Go to crypto-auth and run node express-example.js to launch the example.)
Request a token by uploading the certificate:
curl -F certificate=@certificates/auth.crt -X POST http://localhost:3000/api/requestToken
Then call the protected endpoint with the token you received:
curl -H "token: 123456789" -X POST http://localhost:3000/api/check
Run npm test (it verifies that the scripts work and that OpenSSL is correctly installed).
I know storing request tokens in memory can be a problem; for now you can set jsonTokenStore: true to store them in a temporary file. A future release will allow custom stores.
Give your clients a bash script so they can generate new certificates to send as a password and validate their identity. Avoiding reuse of certificates would make every connection unique, so every new request would require a new certificate to validate. This would be good for NON-HTTPS connections. The problem: added complexity.
FAQs
The npm package crypto-auth receives a total of 3 weekly downloads. As such, crypto-auth popularity was classified as not popular.
We found that crypto-auth demonstrated a not healthy version release cadence and project activity because the last version was released a year ago. It has 1 open source maintainer collaborating on the project.