fast-jwt - npm Package Compare versions

Comparing version 0.1.1 to 0.2.0

package.json

 {
   "name": "fast-jwt",
-  "version": "0.1.1",
+  "version": "0.2.0",
   "description": "Fast JSON Web Token implementation",
@@ -52,18 +52,18 @@ "author": "NearForm Ltd",
     "ecdsa-sig-formatter": "^1.0.11",
-    "mnemonist": "^0.32.0"
+    "mnemonist": "^0.38.0"
   },
   "devDependencies": {
     "cronometro": "^0.4.0",
-    "eslint": "^6.8.0",
+    "eslint": "^7.3.1",
     "eslint-config-standard": "^14.1.0",
-    "eslint-plugin-import": "^2.20.0",
+    "eslint-plugin-import": "^2.22.0",
     "eslint-plugin-node": "^11.0.0",
     "eslint-plugin-promise": "^4.2.1",
     "eslint-plugin-standard": "^4.0.1",
-    "fastify": "^2.11.0",
-    "jose": "^1.25.0",
+    "fastify": "^3.0.3",
+    "jose": "^1.28.0",
     "jsonwebtoken": "^8.5.1",
-    "lolex": "^5.1.2",
-    "prettier": "^1.19.1",
-    "tap": "^14.10.6"
+    "lolex": "^6.0.0",
+    "prettier": "^2.0.5",
+    "tap": "^14.10.8"
   },
@@ -70,0 +70,0 @@ "engines": {

src/decoder.js

@@ -31,2 +31,11 @@ 'use strict'
       payload = JSON.parse(payload)
+
+      // https://tools.ietf.org/html/rfc7519#section-7.2
+      //
+      // 10.  Verify that the resulting octet sequence is a UTF-8-encoded
+      //      representation of a completely valid JSON object conforming to
+      //      RFC 7159 [RFC7159]; let the JWT Claims Set be this JSON object.
+      if (!payload || typeof payload !== 'object') {
+        throw new TokenError(TokenError.codes.invalidPayload, 'The payload must be an object', { payload })
+      }
     }
@@ -47,6 +56,7 @@
 
-module.exports = function createDecoder(options) {
-  const { json, complete } = { json: true, ...options }
+module.exports = function createDecoder(options = {}) {
+  const json = !(options.json === false)
+  const complete = options.complete || false
 
   return decode.bind(null, { json, complete })
 }

src/error.js

@@ -26,2 +26,3 @@ 'use strict'
   invalidSignature: 'FAST_JWT_INVALID_SIGNATURE',
+  invalidPayload: 'FAST_JWT_INVALID_PAYLOAD',
   malformed: 'FAST_JWT_MALFORMED',
@@ -28,0 +29,0 @@ inactive: 'FAST_JWT_INACTIVE',

src/verifier.js

@@ -174,6 +174,2 @@ 'use strict'
 
-  if (typeof payload === 'string') {
-    return
-  }
-
   // Verify the payload
@@ -180,0 +176,0 @@ const now = (clockTimestamp || Date.now()) + clockTolerance

test/compliance.spec.js

@@ -11,4 +11,5 @@ 'use strict'
 
-const payload =
-  "It’s a dangerous business, Frodo, going out your door. You step onto the road, and if you don't keep your feet, there’s no knowing where you might be swept off to."
+const payload = {
+  text: "It’s a dangerous business, Frodo, going out your door. You step onto the road, and if you don't keep your feet, there’s no knowing where you might be swept off to."
+}
 
@@ -75,3 +76,3 @@ // All the keys here are extracted from https://tools.ietf.org/html/rfc7520
   const expectedToken =
-    'eyJhbGciOiJIUzI1NiIsImtpZCI6IjAxOGMwYWU1LTRkOWItNDcxYi1iZmQ2LWVlZjMxNGJjNzAzNyJ9.SXTigJlzIGEgZGFuZ2Vyb3VzIGJ1c2luZXNzLCBGcm9kbywgZ29pbmcgb3V0IHlvdXIgZG9vci4gWW91IHN0ZXAgb250byB0aGUgcm9hZCwgYW5kIGlmIHlvdSBkb24ndCBrZWVwIHlvdXIgZmVldCwgdGhlcmXigJlzIG5vIGtub3dpbmcgd2hlcmUgeW91IG1pZ2h0IGJlIHN3ZXB0IG9mZiB0by4.s0h6KThzkfBBBkLspW1h84VsJZFTsPPqMDA7g1Md7p0'
+    'eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCIsImtpZCI6IjAxOGMwYWU1LTRkOWItNDcxYi1iZmQ2LWVlZjMxNGJjNzAzNyJ9.eyJ0ZXh0IjoiSXTigJlzIGEgZGFuZ2Vyb3VzIGJ1c2luZXNzLCBGcm9kbywgZ29pbmcgb3V0IHlvdXIgZG9vci4gWW91IHN0ZXAgb250byB0aGUgcm9hZCwgYW5kIGlmIHlvdSBkb24ndCBrZWVwIHlvdXIgZmVldCwgdGhlcmXigJlzIG5vIGtub3dpbmcgd2hlcmUgeW91IG1pZ2h0IGJlIHN3ZXB0IG9mZiB0by4ifQ.1rxc48IZZfiOQFzXieSY08XI5bimhiyCPWTjCzZ3G2Y'
 
@@ -83,3 +84,4 @@ const key = Buffer.from(symmetricKey.k, 'base64')
     key,
-    kid: '018c0ae5-4d9b-471b-bfd6-eef314bc7037'
+    kid: '018c0ae5-4d9b-471b-bfd6-eef314bc7037',
+    noTimestamp: true
   })(payload)
@@ -89,3 +91,3 @@
 
-  t.equal(verified, payload)
+  t.deepEqual(verified, payload)
   t.equal(token, expectedToken)
@@ -98,3 +100,3 @@
   const expectedToken =
-    'eyJhbGciOiJSUzI1NiIsImtpZCI6ImJpbGJvLmJhZ2dpbnNAaG9iYml0b24uZXhhbXBsZSJ9.SXTigJlzIGEgZGFuZ2Vyb3VzIGJ1c2luZXNzLCBGcm9kbywgZ29pbmcgb3V0IHlvdXIgZG9vci4gWW91IHN0ZXAgb250byB0aGUgcm9hZCwgYW5kIGlmIHlvdSBkb24ndCBrZWVwIHlvdXIgZmVldCwgdGhlcmXigJlzIG5vIGtub3dpbmcgd2hlcmUgeW91IG1pZ2h0IGJlIHN3ZXB0IG9mZiB0by4.MRjdkly7_-oTPTS3AXP41iQIGKa80A0ZmTuV5MEaHoxnW2e5CZ5NlKtainoFmKZopdHM1O2U4mwzJdQx996ivp83xuglII7PNDi84wnB-BDkoBwA78185hX-Es4JIwmDLJK3lfWRa-XtL0RnltuYv746iYTh_qHRD68BNt1uSNCrUCTJDt5aAE6x8wW1Kt9eRo4QPocSadnHXFxnt8Is9UzpERV0ePPQdLuW3IS_de3xyIrDaLGdjluPxUAhb6L2aXic1U12podGU0KLUQSE_oI-ZnmKJ3F4uOZDnd6QZWJushZ41Axf_fcIe8u9ipH84ogoree7vjbU5y18kDquDg'
+    'eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCIsImtpZCI6ImJpbGJvLmJhZ2dpbnNAaG9iYml0b24uZXhhbXBsZSJ9.eyJ0ZXh0IjoiSXTigJlzIGEgZGFuZ2Vyb3VzIGJ1c2luZXNzLCBGcm9kbywgZ29pbmcgb3V0IHlvdXIgZG9vci4gWW91IHN0ZXAgb250byB0aGUgcm9hZCwgYW5kIGlmIHlvdSBkb24ndCBrZWVwIHlvdXIgZmVldCwgdGhlcmXigJlzIG5vIGtub3dpbmcgd2hlcmUgeW91IG1pZ2h0IGJlIHN3ZXB0IG9mZiB0by4ifQ.IVYRXcdRwWOx1Gvz3iag8td3cIf4EdeIjrDM79vDwZwEBhipoeJz1JKW22Ag7BUE_Wsl-ONufHwbAP4Sr0dJUAJL9ZsAoH1UIkR5Xm4kpk-8gSAR4LB3RhHAfvbgDC-V2E91szKRHNKbvGtQLInCO7MADg9GMold_U74jDSYZE9nZVwkN5CebYeFUEsiLwq2_bKB3fCHJGh2fDzTXpkc2pm_h_oLxYuig8SB5dvPRg_j5I5y3DDyxvYluB3oMi4QUYYvNG5AnNufkPrlnjCw6QhHM1Ct3ocz1pOXmH3JCr3twXF0GUfY3H4MJTbBtmmxRmyErLEKcpRXHFWjT3DKGA'
 
@@ -104,3 +106,4 @@ const token = createSigner({
     key: rsaPrivateKey,
-    kid: 'bilbo.baggins@hobbiton.example'
+    kid: 'bilbo.baggins@hobbiton.example',
+    noTimestamp: true
   })(payload)
@@ -110,3 +113,3 @@
 
-  t.equal(verified, payload)
+  t.deepEqual(verified, payload)
   t.equal(token, expectedToken)
@@ -119,3 +122,3 @@
   const expectedToken =
-    'eyJhbGciOiJQUzM4NCIsImtpZCI6ImJpbGJvLmJhZ2dpbnNAaG9iYml0b24uZXhhbXBsZSJ9.SXTigJlzIGEgZGFuZ2Vyb3VzIGJ1c2luZXNzLCBGcm9kbywgZ29pbmcgb3V0IHlvdXIgZG9vci4gWW91IHN0ZXAgb250byB0aGUgcm9hZCwgYW5kIGlmIHlvdSBkb24ndCBrZWVwIHlvdXIgZmVldCwgdGhlcmXigJlzIG5vIGtub3dpbmcgd2hlcmUgeW91IG1pZ2h0IGJlIHN3ZXB0IG9mZiB0by4.cu22eBqkYDKgIlTpzDXGvaFfz6WGoz7fUDcfT0kkOy42miAh2qyBzk1xEsnk2IpN6-tPid6VrklHkqsGqDqHCdP6O8TTB5dDDItllVo6_1OLPpcbUrhiUSMxbbXUvdvWXzg-UD8biiReQFlfz28zGWVsdiNAUf8ZnyPEgVFn442ZdNqiVJRmBqrYRXe8P_ijQ7p8Vdz0TTrxUeT3lm8d9shnr2lfJT8ImUjvAA2Xez2Mlp8cBE5awDzT0qI0n6uiP1aCN_2_jLAeQTlqRHtfa64QQSUmFAAjVKPbByi7xho0uTOcbH510a6GYmJUAfmWjwZ6oD4ifKo8DYM-X72Eaw'
+    'eyJhbGciOiJQUzM4NCIsInR5cCI6IkpXVCIsImtpZCI6ImJpbGJvLmJhZ2dpbnNAaG9iYml0b24uZXhhbXBsZSJ9.eyJ0ZXh0IjoiSXTigJlzIGEgZGFuZ2Vyb3VzIGJ1c2luZXNzLCBGcm9kbywgZ29pbmcgb3V0IHlvdXIgZG9vci4gWW91IHN0ZXAgb250byB0aGUgcm9hZCwgYW5kIGlmIHlvdSBkb24ndCBrZWVwIHlvdXIgZmVldCwgdGhlcmXigJlzIG5vIGtub3dpbmcgd2hlcmUgeW91IG1pZ2h0IGJlIHN3ZXB0IG9mZiB0by4ifQ.dM4A9qfogzmTfIB0-dbUcXUD9TfGC4wa6cft9wzuUmYBQEKpeAMOmtn3nTXAp3jFuhGCzmCHT2_y0-HKO2R55oewCiIAyPVHIffVK_Vga0eezX_wglVY1dtYvBaCpA6zYA3nJwmDsnK_Ivb-B5tuQYHuZUkL6A-SoLT2TfKic7yuLUs-Z5i58_f0ExwSwEPiMdbPXrg8azaAtiy5caNi76Vd_ROqNuhuFlgDAsACJPtJOpwmcgQ_er865QIkdvfV_UfOrcGPavjdKtj-h4UkikeX5YHsVYKoNJCo5hEAAgGcJKjGS4Bthm67y4Z_DfTxzxRfkFE7Sj15gSAZcSEONw'
 
@@ -125,3 +128,4 @@ const token = createSigner({
     key: rsaPrivateKey,
-    kid: 'bilbo.baggins@hobbiton.example'
+    kid: 'bilbo.baggins@hobbiton.example',
+    noTimestamp: true
   })(payload)
@@ -131,3 +135,3 @@
 
-  t.equal(verified, payload)
+  t.deepEqual(verified, payload)
   // Since PS algorithm uses random data, we cannot match the signature
@@ -141,3 +145,3 @@ t.equal(token.replace(/\..+/, ''), expectedToken.replace(/\..+/, ''))
   const expectedToken =
-    'eyJhbGciOiJFUzUxMiIsImtpZCI6ImJpbGJvLmJhZ2dpbnNAaG9iYml0b24uZXhhbXBsZSJ9.SXTigJlzIGEgZGFuZ2Vyb3VzIGJ1c2luZXNzLCBGcm9kbywgZ29pbmcgb3V0IHlvdXIgZG9vci4gWW91IHN0ZXAgb250byB0aGUgcm9hZCwgYW5kIGlmIHlvdSBkb24ndCBrZWVwIHlvdXIgZmVldCwgdGhlcmXigJlzIG5vIGtub3dpbmcgd2hlcmUgeW91IG1pZ2h0IGJlIHN3ZXB0IG9mZiB0by4.AE_R_YZCChjn4791jSQCrdPZCNYqHXCTZH0-JZGYNlaAjP2kqaluUIIUnC9qvbu9Plon7KRTzoNEuT4Va2cmL1eJAQy3mtPBu_u_sDDyYjnAMDxXPn7XrT0lw-kvAD890jl8e2puQens_IEKBpHABlsbEPX6sFY8OcGDqoRuBomu9xQ2'
+    'eyJhbGciOiJFUzUxMiIsInR5cCI6IkpXVCIsImtpZCI6ImJpbGJvLmJhZ2dpbnNAaG9iYml0b24uZXhhbXBsZSJ9.eyJ0ZXh0IjoiSXTigJlzIGEgZGFuZ2Vyb3VzIGJ1c2luZXNzLCBGcm9kbywgZ29pbmcgb3V0IHlvdXIgZG9vci4gWW91IHN0ZXAgb250byB0aGUgcm9hZCwgYW5kIGlmIHlvdSBkb24ndCBrZWVwIHlvdXIgZmVldCwgdGhlcmXigJlzIG5vIGtub3dpbmcgd2hlcmUgeW91IG1pZ2h0IGJlIHN3ZXB0IG9mZiB0by4ifQ.AKrrbzQgTVYtM9iJGq2mzAAwAD0tK0sU2Oa3FqelV7Zc_VeC1VgApx9vkeZGen36CEcAvPpIAtcVZeWqp0nEB4JfAMsFhZI8QSuHnY152Abxi6WxaOXH22wYsYPYF_H4J41JG10C2X3ORHDsPrvIO8yfXdJ4AyNLOg6s0Suqq8YQP_8q'
 
@@ -147,3 +151,4 @@ const token = createSigner({
     key: ecPrivateKey,
-    kid: 'bilbo.baggins@hobbiton.example'
+    kid: 'bilbo.baggins@hobbiton.example',
+    noTimestamp: true
   })(payload)
@@ -153,3 +158,3 @@
 
-  t.equal(verified, payload)
+  t.deepEqual(verified, payload)
   // Since ES algorithm uses random data, we cannot match the signature
@@ -178,9 +183,9 @@ t.equal(token.replace(/\..+/, ''), expectedToken.replace(/\..+/, ''))
     const expectedToken =
-      'eyJhbGciOiJFZERTQSJ9.RXhhbXBsZSBvZiBFZDI1NTE5IHNpZ25pbmc.hgyY0il_MGCjP0JzlnLWG1PPOt7-09PGcvMg3AIbQR6dWbhijcNR4ki4iylGjg5BhVsPt9g7sVvpAr_MuM0KAg'
+      'eyJhbGciOiJFZERTQSIsInR5cCI6IkpXVCJ9.eyJ0ZXh0IjoiSXTigJlzIGEgZGFuZ2Vyb3VzIGJ1c2luZXNzLCBGcm9kbywgZ29pbmcgb3V0IHlvdXIgZG9vci4gWW91IHN0ZXAgb250byB0aGUgcm9hZCwgYW5kIGlmIHlvdSBkb24ndCBrZWVwIHlvdXIgZmVldCwgdGhlcmXigJlzIG5vIGtub3dpbmcgd2hlcmUgeW91IG1pZ2h0IGJlIHN3ZXB0IG9mZiB0by4ifQ.s6A86zrJs551R4UxXwJsfRCGswdTJYFeNWjHUkZvragJ7hN43T5UetbpG4S6L2G7wOq5N_JJKrkbs0q0Gd-EAQ'
 
-    const token = createSigner({ algorithm: 'EdDSA', key: ed25519PrivateKey })('Example of Ed25519 signing')
+    const token = createSigner({ algorithm: 'EdDSA', key: ed25519PrivateKey, noTimestamp: true })(payload)
 
     const verified = createVerifier({ key: ed25519PublicKey })(token)
 
-    t.equal(verified, 'Example of Ed25519 signing')
+    t.deepEqual(verified, payload)
     t.equal(token, expectedToken)
@@ -187,0 +192,0 @@

test/decoder.spec.js

@@ -70,1 +70,20 @@ 'use strict'
 })
+
+// https://tools.ietf.org/html/rfc7519#section-7.2
+//
+// 10.  Verify that the resulting octet sequence is a UTF-8-encoded
+//      representation of a completely valid JSON object conforming to
+//      RFC 7159 [RFC7159]; let the JWT Claims Set be this JSON object.
+test('payload must be a JSON object', t => {
+  // string
+  t.throws(() => defaultDecoder('eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.MTIz.5frDWv6bqXyHPXl3oZYOTnALMCGwfEYjQZbke2iyR3Y'), {
+    message: 'The payload must be an object'
+  })
+
+  // null
+  t.throws(() => defaultDecoder('eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.bnVsbA.Y-B_ctjXNWaZlNk8kqfSZ06B8GSZvPAfhMz-pQ2prfo'), {
+    message: 'The payload must be an object'
+  })
+
+  t.end()
+})

test/verifier.spec.js

@@ -56,11 +56,8 @@ 'use strict'
 
-  t.equal(verify('eyJhbGciOiJIUzI1NiJ9.MTIz.UqiZ2LDYZqYB3xJgkHaihGQnJ_WPTz3hERDpA7bWYjA', { noTimestamp: true }), '123')
+  t.throws(() => {
+    verify('eyJhbGciOiJIUzI1NiJ9.MTIz.UqiZ2LDYZqYB3xJgkHaihGQnJ_WPTz3hERDpA7bWYjA', { noTimestamp: true })
+  }, {
+    code: 'FAST_JWT_INVALID_PAYLOAD'
+  })
 
-  t.equal(
-    verify(Buffer.from('eyJhbGciOiJIUzI1NiJ9.MTIz.UqiZ2LDYZqYB3xJgkHaihGQnJ_WPTz3hERDpA7bWYjA', 'utf-8'), {
-      noTimestamp: true
-    }),
-    '123'
-  )
-
   t.strictDeepEqual(
@@ -78,10 +75,2 @@ verify('eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJhIjoxfQ.57TF7smP9XDhIexBqPC-F1toZReYZLWb_YRU5tv0sxM', {
 
-  t.equal(
-    verify(Buffer.from('eyJhbGciOiJub25lIn0.MTIz.', 'utf-8'), {
-      noTimestamp: true,
-      key: ''
-    }),
-    '123'
-  )
-
   if (useNewCrypto) {
@@ -88,0 +77,0 @@ t.strictDeepEqual(

New alerts

License Policy Violation

License

This package is not allowed per your license policy. Review the package's license to ensure compliance.

Found 1 instance in 1 package

Fixed alerts

License Policy Violation

License

This package is not allowed per your license policy. Review the package's license to ensure compliance.

Found 1 instance in 1 package

Improved metrics

Total package byte prevSize

198579

increased by0.7%

Lines of code

3588

increased by0.56%

Dependency changes

• + Addedmnemonist@0.38.5(transitive)

• + Addedobliterator@2.0.4(transitive)

• - Removedmnemonist@0.32.0(transitive)

• - Removedobliterator@1.6.1(transitive)

• Updatedmnemonist@^0.38.0