Fetch utils for JWKS keys
Just run:
npm install get-jwks
const buildGetJwks = require('get-jwks')
const getJwks = buildGetJwks()

// getSecret is asynchronous, so call it from an async function
// (or with top-level await in an ES module)
async function main () {
  const secret = await getJwks.getSecret({
    domain: 'https://example.com/',
    alg: 'token_alg',
    kid: 'token_kid'
  })
  // to clear the secret in cache
  getJwks.clearCache()
}
Calling getSecret fetches the JSON Web Key Set (JWKS) and checks whether any of its public keys matches the alg and kid values of your JWT. It caches the secret, so if called again with the same parameters it will not make another HTTP request to return the secret. It is asynchronous.
getSecret takes an object with the following properties:
domain: A string containing the domain (ie: https://www.example.com/) from which the library should fetch the JWKS. get-jwks will append the JWKS location (.well-known/jwks.json) to form the final url (ie: https://www.example.com/.well-known/jwks.json).
alg: The alg header parameter represents the cryptographic algorithm used to secure the token. You will find it in your decoded JWT.
kid: The kid is a hint that indicates which key was used to secure the JSON Web Signature of the token. You will find it in your decoded JWT.
clearCache(): Clears the contents of the cache.
When calling buildGetJwks you can pass some optional cache parameters, which are forwarded to the tiny-lru package:
max: Max items to hold in cache; the default is 100.
ttl: Milliseconds an item will remain in cache (lazy expiration upon the next get() of an item); the default is 60000.
const buildGetJwks = require('get-jwks')
const getJwks = buildGetJwks({
  max: 500,
  ttl: 60 * 1000
})
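The fetch, match and cache behaviour described for getSecret above, together with the max/ttl cache options, as an added JavaScript example that is not get-jwks's own code. SAMPLE_JWKS is a constructed key set (the moduli are placeholders, not real keys), fetchJwks is a stub standing in for the HTTP request get-jwks makes to <domain>.well-known/jwks.json, and selectKey, createCache and buildGetKey are hypothetical names written for this example; the real library delegates the cache to tiny-lru rather than the small Map-based cache shown here.

```javascript
// Constructed sample JWKS: two signing keys published for different algorithms.
const SAMPLE_JWKS = {
  keys: [
    { kty: 'RSA', use: 'sig', alg: 'RS256', kid: 'key-2023', n: 'sample-modulus-1', e: 'AQAB' },
    { kty: 'RSA', use: 'sig', alg: 'RS512', kid: 'key-2024', n: 'sample-modulus-2', e: 'AQAB' }
  ]
}

// Pick the key whose kid AND alg both match the token header. Matching on kid
// alone would let a token header select a key that was published for a
// different algorithm, so both values must agree before a key is returned.
function selectKey (jwks, { alg, kid }) {
  const key = (jwks.keys || []).find(k => k.kid === kid && k.alg === alg)
  if (!key) throw new Error(`No public key found for kid=${kid} alg=${alg}`)
  return key
}

// Small max-size + TTL cache with lazy expiration on get(), mirroring the
// max/ttl options. The clock is injectable so expiry can be exercised offline.
function createCache ({ max = 100, ttl = 60000, clock = Date.now } = {}) {
  const entries = new Map() // insertion order doubles as age order
  return {
    get (k) {
      const hit = entries.get(k)
      if (!hit) return undefined
      if (hit.expires <= clock()) { entries.delete(k); return undefined } // lazy expiration
      return hit.value
    },
    set (k, value) {
      // evict the oldest entry when the cache is full
      if (entries.size >= max && !entries.has(k)) entries.delete(entries.keys().next().value)
      entries.set(k, { value, expires: clock() + ttl })
    },
    clear () { entries.clear() },
    size () { return entries.size }
  }
}

// Async wrapper in the shape of getSecret/clearCache. fetchJwks is a stub for
// the HTTP GET of <domain>.well-known/jwks.json; fetchCount shows cache hits.
function buildGetKey (opts = {}, fetchJwks = async () => SAMPLE_JWKS) {
  const cache = createCache(opts)
  let fetches = 0
  return {
    async getKey ({ domain, alg, kid }) {
      const cacheKey = `${domain}|${alg}|${kid}`
      const cached = cache.get(cacheKey)
      if (cached) return cached
      fetches++
      const key = selectKey(await fetchJwks(domain), { alg, kid })
      cache.set(cacheKey, key)
      return key
    },
    clearCache: () => cache.clear(),
    fetchCount: () => fetches
  }
}

// Stand-alone demonstration: two calls cost one fetch, clearCache forces another.
async function demo () {
  const g = buildGetKey({ max: 500, ttl: 60 * 1000 })
  const params = { domain: 'https://example.com/', alg: 'RS256', kid: 'key-2023' }
  await g.getKey(params)
  await g.getKey(params)
  const afterTwoCalls = g.fetchCount() // 1
  g.clearCache()
  await g.getKey(params)
  return { afterTwoCalls, afterClear: g.fetchCount() } // { afterTwoCalls: 1, afterClear: 2 }
}

demo()
  .then(r => console.log('fetches after two calls:', r.afterTwoCalls, '/ after clearCache:', r.afterClear))
  .catch(e => { console.error(e); process.exitCode = 1 })
```

The cache key includes domain, alg and kid, so a token that rotates to a new kid triggers a fresh fetch rather than reusing a stale key, while repeated verifications with the same header stay in memory until the ttl elapses or clearCache() is called.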
FAQs
Fetch utils for JWKS keys
We found that get-jwks demonstrated a healthy version release cadence and project activity because the last version was released less than a year ago. It has 4 open source maintainers collaborating on the project.