Fetch utils for JWKS keys
```sh
npm install get-jwks
```

```js
const buildGetJwks = require('get-jwks')

const getJwks = buildGetJwks()

const jwk = await getJwks.getJwk({
  domain: 'https://example.com/',
  alg: 'token_alg',
  kid: 'token_kid'
})
```
Calling the asynchronous function `getJwk` fetches the JSON Web Key Set and checks whether any of its public keys matches the `alg` and `kid` values from your JWT's header. The matching key is cached, so a later call with the same parameters does not make another request for the JWKS.
- `domain`: A string containing the domain (e.g. `https://www.example.com/`) from which the library should fetch the JWKS. get-jwks appends the well-known JWKS location (`.well-known/jwks.json`) to form the final URL (e.g. `https://www.example.com/.well-known/jwks.json`).
- `alg`: The `alg` header parameter names the cryptographic algorithm used to secure the token. You will find it in the header of your decoded JWT.
- `kid`: The `kid` (key ID) is a hint indicating which key was used to sign the token. You will find it in the header of your decoded JWT.

```js
const buildGetJwks = require('get-jwks')

const getJwks = buildGetJwks()

const publicKey = await getJwks.getPublicKey({
  domain: 'https://example.com/',
  alg: 'token_alg',
  kid: 'token_kid'
})
```
Calling the asynchronous function `getPublicKey` runs `getJwk` to retrieve a matching key and then converts it to a PEM-encoded public key. It takes the same arguments as `getJwk`.
```js
getJwks.clearCache()
```

Clears all contents of the cache.
`buildGetJwks` accepts some optional cache parameters, based on the tiny-lru package:

- `max`: Maximum number of items to hold in the cache. Default: 100.
- `ttl`: Milliseconds an item remains in the cache, with lazy expiration on the next `get()` of that item. Default: 60000 (one minute).

```js
const buildGetJwks = require('get-jwks')

const getJwks = buildGetJwks({
  max: 500,
  ttl: 60 * 1000
})
```
fastify-jwt is a JSON Web Token plugin for Fastify.

The following example covers a scenario where you want to verify the JWT on every request to your Fastify server against a valid JWK. Any request carrying a valid JWT in the Authorization header gets a successful response; otherwise the server responds with an authentication error. Note that the `iss` claim used below as the JWKS domain is read from a token that has not been verified yet, so in production restrict it to the issuers you trust before passing it to `getPublicKey`.
```js
const Fastify = require('fastify')
const fjwt = require('fastify-jwt')
const buildGetJwks = require('get-jwks')

const fastify = Fastify()
const getJwks = buildGetJwks()

fastify.register(fjwt, {
  // decode the full token (header and payload) so the secret callback can read kid, alg and iss
  decode: { complete: true },
  // resolve the verification key per request from the issuer's JWKS
  secret: (request, token, callback) => {
    const { header: { kid, alg }, payload: { iss } } = token
    getJwks.getPublicKey({ kid, domain: iss, alg })
      .then(publicKey => callback(null, publicKey), callback)
  }
})

// verify the bearer token on every request; a missing or invalid token fails the request
fastify.addHook('onRequest', async (request, reply) => {
  await request.jwtVerify()
})

fastify.listen(3000)
```
FAQs
The npm package get-jwks receives a total of 51,711 weekly downloads. As such, get-jwks popularity was classified as popular.
We found that get-jwks demonstrated a healthy version release cadence and project activity because the last version was released less than a year ago. It has 4 open source maintainers collaborating on the project.