express-oauth2-jwt-bearer - npm Package Compare versions

Comparing version 0.2.0 to 1.0.0

dist/index.d.ts

 import { Handler } from 'express';
-import { JwtVerifierOptions, ClaimCheck, ClaimEquals, ClaimIncludes, RequiredScopes, VerifyJwtResult as AuthResult, JWTPayload } from 'access-token-jwt';
+import { JwtVerifierOptions, ClaimCheck, ClaimEquals, ClaimIncludes, RequiredScopes, VerifyJwtResult as AuthResult } from 'access-token-jwt';
+import type { JWTPayload } from 'access-token-jwt';
 declare global {
@@ -4,0 +5,0 @@ namespace Express {

dist/index.js

@@ -9,13 +9,8 @@ 'use strict';
 var url = require('url');
-var createRemoteJWKSet = require('jose-node-cjs-runtime/jwks/remote');
-var jwtVerify = require('jose-node-cjs-runtime/jwt/verify');
+var jose = require('jose');
 var http = require('http');
 var https = require('https');
 var events = require('events');
+var util = require('util');
 
-function _interopDefaultLegacy (e) { return e && typeof e === 'object' && 'default' in e ? e : { 'default': e }; }
-
-var createRemoteJWKSet__default = /*#__PURE__*/_interopDefaultLegacy(createRemoteJWKSet);
-var jwtVerify__default = /*#__PURE__*/_interopDefaultLegacy(jwtVerify);
-
 class UnauthorizedError extends Error {
@@ -97,3 +92,3 @@ constructor(message = 'Unauthorized') {
 
-const decoder = new TextDecoder();
+const decoder = new util.TextDecoder();
 const concat = (...buffers) => {
@@ -247,4 +242,6 @@ const size = buffers.reduce((acc, { length }) => acc + length, 0);
     const JWKS = async (...args) => {
+        if (secretKey)
+            return secretKey;
         if (!origJWKS) {
-            origJWKS = createRemoteJWKSet__default['default'](new url.URL(jwksUri), {
+            origJWKS = jose.createRemoteJWKSet(new url.URL(jwksUri), {
                 agent,
@@ -272,3 +269,3 @@ cooldownDuration,
             });
-            const { payload, protectedHeader: header } = await jwtVerify__default['default'](jwt, secretKey || JWKS);
+            const { payload, protectedHeader: header } = await jose.jwtVerify(jwt, JWKS);
             await validate(payload, header, validators);
@@ -314,2 +311,5 @@ return { payload, header, token: jwt };
     return claimCheck$1((payload) => {
+        if (!('scope' in payload)) {
+            throw new InsufficientScopeError(scopes, "Missing 'scope' claim");
+        }
         if (!fn(payload)) {
@@ -316,0 +316,0 @@ throw new InsufficientScopeError(scopes);

package.json

 {
   "name": "express-oauth2-jwt-bearer",
   "description": "Authentication middleware for Express.js that validates JWT bearer access tokens.",
-  "version": "0.2.0",
+  "version": "1.0.0",
   "main": "dist/index.js",
@@ -10,3 +10,2 @@ "types": "dist/index.d.ts",
     "lint": "eslint --fix --ext .ts ./src",
-    "prepublishOnly": "npm run build",
     "prebuild": "rimraf dist",
@@ -44,3 +43,3 @@ "build": "rollup -c"
   "dependencies": {
-    "jose-node-cjs-runtime": "^3.12.1"
+    "jose": "^4.0.1"
   },
@@ -47,0 +46,0 @@ "engines": {

README.md

@@ -1,7 +0,5 @@
-# express-oauth2-jwt-bearer (Beta)
+# express-oauth2-jwt-bearer
 
 Authentication middleware for Express.js that validates JWT Bearer Access Tokens.
 
-> **Note:** This library is currently in Beta status and has not had a complete security review. We do not recommend using this library in production yet. As we move towards general availability, please be aware that releases may contain breaking changes. We will be monitoring the Issues queue here for feedback and questions. PRs and comments on existing PRs are welcome!
-
 [![CircleCI](https://img.shields.io/circleci/build/github/auth0/node-oauth2-jwt-bearer.svg?branch=master&style=flat)](https://circleci.com/gh/auth0/node-oauth2-jwt-bearer)
@@ -18,3 +16,2 @@ [![License](https://img.shields.io/:license-mit-blue.svg?style=flat)](https://opensource.org/licenses/MIT)
 - [Error Handling](#error-handling)
-- [Troubleshooting](#troubleshooting)
 - [Contributing](#contributing)
@@ -149,12 +146,2 @@ - [Support + Feedback](#support---feedback)
 
-## Troubleshooting
-
-### Getting `Error: Cannot find module 'jose-node-cjs-runtime/jwks/remote'` when I run the SDK
-
-This package takes a dependency on [jose](https://github.com/panva/jose) which uses [package exports](https://nodejs.org/api/packages.html#packages_exports) which requires Node `^12.19.0 || ^14.15.0`.
-
-Even if you are using the correct version of Node, you may still run into this in some tooling that does not yet support package exports, like [jest](https://github.com/facebook/jest/issues/9771) or Webpack 4. 
-
-To workaround this issue in jest, see how we use a [custom resolver](../../packages/access-token-jwt/resolver.js) for this project.
-
 ## Contributing
@@ -161,0 +148,0 @@

New alerts

License Policy Violation

License

This package is not allowed per your license policy. Review the package's license to ensure compliance.

Found 1 instance in 1 package

Fixed alerts

License Policy Violation

License

This package is not allowed per your license policy. Review the package's license to ensure compliance.

Found 1 instance in 1 package

New author

Supply chain risk

A new npm collaborator published a version of the package for the first time. New collaborators are usually benign additions to a project, but do indicate a change to the security surface area of a package.

Found 1 instance in 1 package

No v1

Quality

Package is not semver >=1. This means it is not stable and does not support ^ ranges.

Found 1 instance in 1 package

Improved metrics

Lines of code

388

increased by0.78%

Number of low quality alerts

0

decreased by-100%

Number of medium supply chain risk alerts

4

decreased by-20%

Worsened metrics

Total package byte prevSize

24056

decreased by-5.18%

Number of lines in readme file

173

decreased by-6.99%

Dependency changes

• + Addedjose@^4.0.1

• + Addedjose@4.15.9(transitive)

• - Removedjose-node-cjs-runtime@^3.12.1

• - Removedjose-node-cjs-runtime@3.20.4(transitive)