jsonwebtoken - npm Package Compare versions

Comparing version 1.3.0 to 2.0.0

index.js

@@ -11,3 +11,5 @@ var jws = require('jws');
 
-  var header = {typ: 'JWT', alg: options.algorithm || 'HS256'};
+  var header = ((typeof options.headers === 'object') && options.headers) || {};
+  header.typ = 'JWT';
+  header.alg = options.algorithm || 'HS256';
 
@@ -20,3 +22,5 @@ if (options.header) {
 
-  payload.iat = Math.floor(Date.now() / 1000);
+  if (!options.noTimestamp) {
+    payload.iat = Math.floor(Date.now() / 1000);
+  }
 
@@ -43,14 +47,32 @@ if (options.expiresInMinutes) {
 module.exports.verify = function(jwtString, secretOrPublicKey, options, callback) {
-  if ((typeof options === 'function') && !callback) callback = options;
+  if ((typeof options === 'function') && !callback) {
+    callback = options;
+    options = {};
+  }
+
   if (!options) options = {};
 
+  if (callback) {
+    var done = function() {
+      var args = Array.prototype.slice.call(arguments, 0)
+      return process.nextTick(function() {
+          callback.apply(null, args)
+      });
+    };
+  } else {
+    var done = function(err, data) {
+      if (err) throw err;
+      return data;
+    };
+  }
+
   if (!jwtString)
-    return callback(new JsonWebTokenError('jwt must be provided'));
+    return done(new JsonWebTokenError('jwt must be provided'));
 
   var parts = jwtString.split('.');
   if (parts.length !== 3)
-    return callback(new JsonWebTokenError('jwt malformed'));
+    return done(new JsonWebTokenError('jwt malformed'));
 
   if (parts[2].trim() === '' && secretOrPublicKey)
-    return callback(new JsonWebTokenError('jwt signature is required'));
+    return done(new JsonWebTokenError('jwt signature is required'));
 
@@ -62,7 +84,7 @@ var valid;
   catch (e) {
-    return callback(e);
+    return done(e);
   }
 
   if (!valid)
-    return callback(new JsonWebTokenError('invalid signature'));
+    return done(new JsonWebTokenError('invalid signature'));
 
@@ -74,3 +96,3 @@ var payload;
   } catch(err) {
-    return callback(err);
+    return done(err);
   }
@@ -80,3 +102,3 @@
     if (Math.floor(Date.now() / 1000) >= payload.exp)
-      return callback(new TokenExpiredError('jwt expired', new Date(payload.exp * 1000)));
+      return done(new TokenExpiredError('jwt expired', new Date(payload.exp * 1000)));
   }
@@ -91,3 +113,3 @@
     if (!match)
-      return callback(new JsonWebTokenError('jwt audience invalid. expected: ' + payload.aud));
+      return done(new JsonWebTokenError('jwt audience invalid. expected: ' + payload.aud));
   }
@@ -97,6 +119,6 @@
     if (payload.iss !== options.issuer)
-      return callback(new JsonWebTokenError('jwt issuer invalid. expected: ' + payload.iss));
+      return done(new JsonWebTokenError('jwt issuer invalid. expected: ' + payload.iss));
   }
 
-  callback(null, payload);
+  return done(null, payload);
 };
@@ -103,0 +125,0 @@

package.json

 {
   "name": "jsonwebtoken",
-  "version": "1.3.0",
+  "version": "2.0.0",
   "description": "JSON Web Token implementation (symmetric and asymmetric)",
@@ -5,0 +5,0 @@ "main": "index.js",

README.md

@@ -32,2 +32,3 @@ # jsonwebtoken [![Build Status](https://secure.travis-ci.org/auth0/node-jsonwebtoken.png)](http://travis-ci.org/auth0/node-jsonwebtoken)
 * `issuer`
+* `noTimestamp`
 
@@ -39,2 +40,4 @@ If `payload` is not a buffer or a string, it will be coerced into a string
 
+Generated jwts will include an `iat` claim by default unless `noTimestamp` is specified.
+
 Example
@@ -52,6 +55,8 @@
 
-### jwt.verify(token, secretOrPublicKey, options, callback)
+### jwt.verify(token, secretOrPublicKey, [options, callback])
 
-(Synchronous with callback) Returns the payload decoded if the signature (and optionally expiration, audience, issuer) are valid. If not, it will return the error.
+(Asynchronous) If a callback is supplied, function acts asynchronously. Callback passed the payload decoded if the signature (and optionally expiration, audience, issuer) are valid. If not, it will be passed the error.
 
+(Synchronous) If a callback is not supplied, function acts synchronously. Returns the payload decoded if the signature (and optionally expiration, audience, issuer) are valid. If not, it will throw the error.
+
 `token` is the JsonWebToken string
@@ -68,2 +73,6 @@
 ```js
+// verify a token symmetric - synchronous
+var decoded = jwt.verify(token, 'shhhhh');
+console.log(decoded.foo) // bar
+
 // verify a token symmetric
@@ -74,2 +83,9 @@ jwt.verify(token, 'shhhhh', function(err, decoded) {
 
+// invalid token - synchronous
+try {
+  var decoded = jwt.verify(token, 'wrong-secret');
+} catch(err) {
+  // err 
+}
+
 // invalid token
@@ -76,0 +92,0 @@ jwt.verify(token, 'wrong-secret', function(err, decoded) {

test/jwt.hs.tests.js

@@ -18,2 +18,12 @@ var jwt = require('../index');
 
+    it('should without options', function(done) {
+      var callback = function(err, decoded) {
+    	assert.ok(decoded.foo);
+        assert.equal('bar', decoded.foo);
+        done();
+      };
+      callback.issuer = "shouldn't affect";
+      jwt.verify(token, secret, callback );
+    });
+
     it('should validate with secret', function(done) {
@@ -20,0 +30,0 @@ jwt.verify(token, secret, function(err, decoded) {

test/jwt.rs.tests.js

@@ -21,17 +21,31 @@ var jwt = require('../index');
 
-    it('should validate with public key', function(done) {
-      jwt.verify(token, pub, function(err, decoded) {
+    context('asynchronous', function() {
+      it('should validate with public key', function(done) {
+        jwt.verify(token, pub, function(err, decoded) {
+          assert.ok(decoded.foo);
+          assert.equal('bar', decoded.foo);
+          done();
+        });
+      });
+
+      it('should throw with invalid public key', function(done) {
+        jwt.verify(token, invalid_pub, function(err, decoded) {
+          assert.isUndefined(decoded);
+          assert.isNotNull(err);
+          done();
+        });
+      });
+    });
+
+    context('synchronous', function() {
+      it('should validate with public key', function() {
+        var decoded = jwt.verify(token, pub);
         assert.ok(decoded.foo);
         assert.equal('bar', decoded.foo);
-        done();
       });
-    });
 
-    it('should throw with invalid public key', function(done) {
-      jwt.verify(token, invalid_pub, function(err, decoded) {
-        assert.isUndefined(decoded);
-        assert.isNotNull(err);
-        done();
+      it('should throw with invalid public key', function() {
+        var jwtVerify = jwt.verify.bind(null, token, invalid_pub)
+        assert.throw(jwtVerify, 'invalid signature');
       });
-
     });
@@ -38,0 +52,0 @@

New alerts

License Policy Violation

License

This package is not allowed per your license policy. Review the package's license to ensure compliance.

Found 1 instance in 1 package

Fixed alerts

License Policy Violation

License

This package is not allowed per your license policy. Review the package's license to ensure compliance.

Found 1 instance in 1 package

New author

Supply chain risk

A new npm collaborator published a version of the package for the first time. New collaborators are usually benign additions to a project, but do indicate a change to the security surface area of a package.

Found 1 instance in 1 package

Improved metrics

Total package byte prevSize

26026

increased by7.53%

Lines of code

392

increased by12%

Number of lines in readme file

206

increased by8.42%

Number of medium supply chain risk alerts

0

decreased by-100%

No dependency changes