Comparing version 1.3.2 to 1.4.0
{ | ||
"name": "fast-jwt", | ||
"version": "1.3.2", | ||
"version": "1.4.0", | ||
"description": "Fast JSON Web Token implementation", | ||
@@ -57,3 +57,3 @@ "author": "NearForm Ltd", | ||
"ecdsa-sig-formatter": "^1.0.11", | ||
"mnemonist": "^0.38.0" | ||
"mnemonist": "^0.39.0" | ||
}, | ||
@@ -78,3 +78,3 @@ "devDependencies": { | ||
"tap": "^15.0.2", | ||
"tsd": "^0.18.0", | ||
"tsd": "^0.19.0", | ||
"typescript": "^4.0.3" | ||
@@ -81,0 +81,0 @@ }, |
@@ -24,15 +24,28 @@ # fast-jwt | ||
- `key`: A string or a buffer containing the secret for `HS*` algorithms, the PEM encoded public key for `RS*`, `PS*`, `ES*` and `EdDSA` algorithms or it can be an object containing passphrase protected private key (more details below). The key can also be a function accepting a Node style callback or a function returning a promise. This is the only mandatory option, which must NOT be provided if the token algorithm is `none`. | ||
- `algorithm`: The algorithm to use to sign the token. The default is autodetected from the key, using `RS256` for RSA private keys, `HS256` for plain secrets and the correspondent `ES` or `EdDSA` algorithms for EC or Ed\* private keys. | ||
- `mutatePayload`: If the original payload must be modified in place (via `Object.assign`) and thus will result changed to the caller funciton. | ||
- `expiresIn`: Time span (in milliseconds) after which the token expires, added as the `exp` claim in the payload. This will override any existing value in the claim. | ||
- `notBefore`: Time span (in milliseconds) before the token is active, added as the `nbf` claim in the payload. This will override any existing value in the claim. | ||
- `jti`: The token id, added as the `jti` claim in the payload. This will override any existing value in the claim. | ||
- `aud`: The token audience, added as the `aud` claim in the payload. It must be a string or an array of strings. This will override any existing value in the claim. | ||
- `iss`: The token audience, added as the `iss` claim in the payload. It must be a string. This will override any existing value in the claim. | ||
- `sub`: The token audience, added as the `sub` claim in the payload. It must be a string. This will override any existing value in the claim. | ||
- `nonce`: The token audience, added as the `nonce` claim in the payload. It must be a string. This will override any existing value in the claim. | ||
- `kid`: The token key id, added as the `kid` claim in the header section. It must be a string. | ||
- `key`: A string or a buffer containing the secret for `HS*` algorithms or the PEM encoded private key for `RS*`, `PS*`, `ES*` and `EdDSA` algorithms. If the `key` is a passphrase protected private key it must be an object (more details below). The key can also be a function accepting a Node style callback or a function returning a promise. This is the only mandatory option, which MUST NOT be provided if the token algorithm is `none`. | ||
- `algorithm`: The algorithm to use to sign the token. The default value is autodetected from the key, using `RS256` for RSA private keys, `HS256` for plain secrets and the corresponding `ES` or `EdDSA` algorithms for EC or Ed\* private keys. | ||
- `mutatePayload`: If set to `true`, the original payload will be modified in place (via `Object.assign`) by the signing function. This is useful if you need a raw reference to the payload after claims have been applied to it but before it has been encoded into a token. Default is `false`. | ||
- `expiresIn`: Time span (in milliseconds) after which the token expires, added as the `exp` claim in the payload as defined by the [section 4.1.4 of RFC 7519](https://datatracker.ietf.org/doc/html/rfc7519#section-4.1.4). This will override any existing value in the claim. | ||
- `notBefore`: Time span (in milliseconds) before the token is active, added as the `nbf` claim in the payload as defined by the [section 4.1.5 of RFC 7519](https://datatracker.ietf.org/doc/html/rfc7519#section-4.1.5). This will override any existing value in the claim. | ||
- `jti`: The token unique identifier, added as the `jti` claim in the payload as defined by the [section 4.1.7 of RFC 7519](https://datatracker.ietf.org/doc/html/rfc7519#section-4.1.7). This will override any existing value in the claim. | ||
- `aud`: The token audience, added as the `aud` claim in the payload as defined by the [section 4.1.3 of RFC 7519](https://datatracker.ietf.org/doc/html/rfc7519#section-4.1.3). This claim identifies the recipients that the token is intended for. It must be a string or an array of strings. This will override any existing value in the claim. | ||
- `iss`: The token issuer, added as the `iss` claim in the payload as defined by the [section 4.1.1 of RFC 7519](https://datatracker.ietf.org/doc/html/rfc7519#section-4.1.1). It must be a string. This will override any existing value in the claim. | ||
- `sub`: The token subject, added as the `sub` claim in the payload as defined by the [section 4.1.2 of RFC 7519](https://datatracker.ietf.org/doc/html/rfc7519#section-4.1.2). It must be a string. This will override any existing value in the claim. | ||
- `nonce`: The token nonce, added as the `nonce` claim in the payload. The `nonce` value is used to associate a Client session with an ID Token. Note that this is a [IANA JSON Web Token Claims Registry](https://www.iana.org/assignments/jwt/jwt.xhtml#claims) public claim registered by OpenID Connect (OIDC). It must be a string. This will override any existing value in the claim. | ||
- `kid`: The token key id, added as the `kid` claim in the header section (see [section 4.1.4 of RFC 7515](https://www.rfc-editor.org/rfc/rfc7515#section-4.1.4) and [section 4.5 of RFC 7517](https://datatracker.ietf.org/doc/html/rfc7517#section-4.5)). It must be a string. | ||
- `header`: Additional claims to add to the header section. This will override the `typ` and `kid` claims. | ||
- `noTimestamp`: If the `iat` claim should not be added to the token. | ||
- `noTimestamp`: If set to `true`, the `iat` claim should not be added to the token. Default is `false`. | ||
- `clockTimestamp`: The timestamp in milliseconds (like the output of `Date.now()`) that should be used as the current time for all necessary time comparisons. Default is the system time. | ||
@@ -94,2 +107,3 @@ | ||
- `complete`: Return an object with the decoded header, payload, signature and input (the token part before the signature), instead of just the content of the payload. Default is `false`. | ||
- `checkTyp`: When validating the decoded header, setting this option forces the check of the `typ` property against this value. Example: `checkTyp: 'JWT'`. Default is `undefined`. | ||
@@ -128,16 +142,30 @@ | ||
- `key`: A string or a buffer containing the secret for `HS*` algorithms or the PEM encoded public key for `RS*`, `PS*`, `ES*` and `EdDSA` algorithms. The key can also be a function accepting a Node style callback or a function returning a promise. This is the only mandatory option, which must NOT be provided if the token algorithm is `none`. | ||
- `key`: A string or a buffer containing the secret for `HS*` algorithms or the PEM encoded public key for `RS*`, `PS*`, `ES*` and `EdDSA` algorithms. The key can also be a function accepting a Node style callback or a function returning a promise. This is the only mandatory option, which MUST NOT be provided if the token algorithm is `none`. | ||
- `algorithms`: List of strings with the names of the allowed algorithms. By default, all algorithms are accepted. | ||
- `complete`: Return an object with the decoded header, payload, signature and input (the token part before the signature), instead of just the content of the payload. Default is `false`. | ||
- `cache`: A positive number specifying the size of the verified tokens cache (using LRU strategy). Setting to `true` is equivalent to provide the size `1000`. When enabled, as you can see in the benchmarks section below, performances dramatically improve. By default the cache is disabled. | ||
- `cacheTTL`: The maximum time to live of a cache entry (in milliseconds). If the token has a earlier expiration or the verifier has a shorter `maxAge`, the earlier takes precedence. The default is `600000`, which is 10 minutes. | ||
- `allowedJti`: A string, a regular expression, an array of strings or an array of regular expressions containing allowed values for the id claim (`jti`). By default, all values are accepted. | ||
- `allowedAud`: A string, a regular expression, an array of strings or an array of regular expressions containing allowed values for the audience claim (`aud`). By default, all values are accepted. | ||
- `allowedIss`: A string, a regular expression, an array of strings or an array of regular expressions containing allowed values for the issuer claim (`iss`). By default, all values are accepted. | ||
- `allowedSub`: A string, a regular expression, an array of strings or an array of regular expressions containing allowed values for the subject claim (`sub`). By default, all values are accepted. | ||
- `allowedNonce`: A string, a regular expression, an array of strings or an array of regular expressions containing allowed values for the nonce claim (`nonce`). By default, all values are accepted. | ||
- `ignoreExpiration`: Do not validate the expiration of the token. Default is `false`. | ||
- `ignoreNotBefore`: Do not validate the activation of the token. Default is `false`. | ||
- `maxAge`: The maximum allowed age (in milliseconds) for tokens to still be valid. By default this is not checked. | ||
- `clockTimestamp`: The timestamp in milliseconds (like the output of `Date.now()`) that should be used as the current time for all necessary time comparisons. Default is the system time. | ||
- `clockTolerance`: Timespan in milliseconds to add the current timestamp when performing time comparisons. Default is `0`. | ||
@@ -144,0 +172,0 @@ |
@@ -9,2 +9,3 @@ 'use strict' | ||
timingSafeEqual, | ||
createPublicKey, | ||
constants: { | ||
@@ -30,2 +31,3 @@ RSA_PKCS1_PSS_PADDING, | ||
const publicKeyPemMatcher = '-----BEGIN PUBLIC KEY-----' | ||
const publicKeyX509CertMatcher = '-----BEGIN CERTIFICATE-----' | ||
const privateKeysCache = new Cache(1000) | ||
@@ -106,3 +108,3 @@ const publicKeysCache = new Cache(1000) | ||
function performDetectPrivateKeyAlgorithm(key) { | ||
if (key.includes(publicKeyPemMatcher)) { | ||
if (key.includes(publicKeyPemMatcher) || key.includes(publicKeyX509CertMatcher)) { | ||
throw new TokenError(TokenError.codes.invalidKey, 'Public keys are not supported for signing.') | ||
@@ -161,3 +163,3 @@ } | ||
throw new TokenError(TokenError.codes.invalidKey, 'Private keys are not supported for verifying.') | ||
} else if (!key.includes(publicKeyPemMatcher)) { | ||
} else if (!key.includes(publicKeyPemMatcher) && !key.includes(publicKeyX509CertMatcher)) { | ||
// Not a PEM, assume a plain secret | ||
@@ -167,3 +169,7 @@ return hsAlgorithms | ||
// We only support a single format for public keys. Legacy "BEGIN RSA PUBLIC KEY" are not supported | ||
// if the key is a X509 cert we need to convert it | ||
if (key.includes(publicKeyX509CertMatcher)) { | ||
key = createPublicKey(key).export({ type: 'spki', format: 'pem' }) | ||
} | ||
const keyData = PublicKey.decode(key, 'pem', { label: 'PUBLIC KEY' }) | ||
@@ -170,0 +176,0 @@ const oid = keyData.algorithm.algorithm.join('.') |
@@ -56,2 +56,15 @@ import 'node' | ||
export interface JwtHeader { | ||
alg: string | Algorithm | ||
typ?: string | undefined | ||
cty?: string | undefined | ||
crit?: Array<string | Exclude<keyof JwtHeader, 'crit'>> | undefined | ||
kid?: string | undefined | ||
jku?: string | undefined | ||
x5u?: string | string[] | undefined | ||
'x5t#S256'?: string | undefined | ||
x5t?: string | undefined | ||
x5c?: string | string[] | undefined | ||
} | ||
export interface SignerOptions { | ||
@@ -69,3 +82,3 @@ key: string | Buffer | KeyFetcher | ||
kid: string | ||
header: { [key: string]: string } | ||
header: JwtHeader | ||
noTimestamp: boolean | ||
@@ -72,0 +85,0 @@ clockTimestamp: number |
@@ -18,13 +18,11 @@ 'use strict' | ||
function checkAreCompatibleAlgorithms(expected, actual) { | ||
const expectedType = expected[0].slice(0, 2) | ||
const actualType = actual[0].slice(0, 2) | ||
let valid = false | ||
let valid = true // We accept everything for HS | ||
for (const expectedAlg of expected) { | ||
valid = actual.indexOf(expectedAlg) !== -1 | ||
if (expectedType === 'RS' || expectedType === 'PS') { | ||
// RS and PS use same keys | ||
valid = actualType === 'RS' | ||
} else if (expectedType === 'ES' || expectedType === 'Ed') { | ||
// ES and Ed only can have a single value | ||
valid = expectedType === actualType | ||
// if at least one of the expected algorithms is compatible we're done | ||
if (valid) { | ||
break | ||
} | ||
} | ||
@@ -31,0 +29,0 @@ |
License Policy Violation
LicenseThis package is not allowed per your license policy. Review the package's license to ensure compliance.
Found 1 instance in 1 package
New author
Supply chain riskA new npm collaborator published a version of the package for the first time. New collaborators are usually benign additions to a project, but do indicate a change to the security surface area of a package.
Found 1 instance in 1 package
License Policy Violation
LicenseThis package is not allowed per your license policy. Review the package's license to ensure compliance.
Found 1 instance in 1 package
85003
1198
419
11
1
+ Addedmnemonist@0.39.8(transitive)
- Removedmnemonist@0.38.5(transitive)
Updatedmnemonist@^0.39.0