jsonwebtoken
+35
-13
@@ -11,3 +11,5 @@ var jws = require('jws'); | ||
| var header = {typ: 'JWT', alg: options.algorithm || 'HS256'}; | ||
| var header = ((typeof options.headers === 'object') && options.headers) || {}; | ||
| header.typ = 'JWT'; | ||
| header.alg = options.algorithm || 'HS256'; | ||
@@ -20,3 +22,5 @@ if (options.header) { | ||
| payload.iat = Math.floor(Date.now() / 1000); | ||
| if (!options.noTimestamp) { | ||
| payload.iat = Math.floor(Date.now() / 1000); | ||
| } | ||
@@ -43,14 +47,32 @@ if (options.expiresInMinutes) { | ||
| module.exports.verify = function(jwtString, secretOrPublicKey, options, callback) { | ||
| if ((typeof options === 'function') && !callback) callback = options; | ||
| if ((typeof options === 'function') && !callback) { | ||
| callback = options; | ||
| options = {}; | ||
| } | ||
| if (!options) options = {}; | ||
| if (callback) { | ||
| var done = function() { | ||
| var args = Array.prototype.slice.call(arguments, 0) | ||
| return process.nextTick(function() { | ||
| callback.apply(null, args) | ||
| }); | ||
| }; | ||
| } else { | ||
| var done = function(err, data) { | ||
| if (err) throw err; | ||
| return data; | ||
| }; | ||
| } | ||
| if (!jwtString) | ||
| return callback(new JsonWebTokenError('jwt must be provided')); | ||
| return done(new JsonWebTokenError('jwt must be provided')); | ||
| var parts = jwtString.split('.'); | ||
| if (parts.length !== 3) | ||
| return callback(new JsonWebTokenError('jwt malformed')); | ||
| return done(new JsonWebTokenError('jwt malformed')); | ||
| if (parts[2].trim() === '' && secretOrPublicKey) | ||
| return callback(new JsonWebTokenError('jwt signature is required')); | ||
| return done(new JsonWebTokenError('jwt signature is required')); | ||
@@ -62,7 +84,7 @@ var valid; | ||
| catch (e) { | ||
| return callback(e); | ||
| return done(e); | ||
| } | ||
| if (!valid) | ||
| return callback(new JsonWebTokenError('invalid signature')); | ||
| return done(new JsonWebTokenError('invalid signature')); | ||
@@ -74,3 +96,3 @@ var payload; | ||
| } catch(err) { | ||
| return callback(err); | ||
| return done(err); | ||
| } | ||
@@ -80,3 +102,3 @@ | ||
| if (Math.floor(Date.now() / 1000) >= payload.exp) | ||
| return callback(new TokenExpiredError('jwt expired', new Date(payload.exp * 1000))); | ||
| return done(new TokenExpiredError('jwt expired', new Date(payload.exp * 1000))); | ||
| } | ||
@@ -91,3 +113,3 @@ | ||
| if (!match) | ||
| return callback(new JsonWebTokenError('jwt audience invalid. expected: ' + payload.aud)); | ||
| return done(new JsonWebTokenError('jwt audience invalid. expected: ' + payload.aud)); | ||
| } | ||
@@ -97,6 +119,6 @@ | ||
| if (payload.iss !== options.issuer) | ||
| return callback(new JsonWebTokenError('jwt issuer invalid. expected: ' + payload.iss)); | ||
| return done(new JsonWebTokenError('jwt issuer invalid. expected: ' + payload.iss)); | ||
| } | ||
| callback(null, payload); | ||
| return done(null, payload); | ||
| }; | ||
@@ -103,0 +125,0 @@ |
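Review bot: In the verify hunk the only guard before `jwtString.split('.')` is `if (!jwtString)`, so a non-string argument (a Buffer, or an object taken from a parsed request body) appears to throw a bare TypeError out of verify itself — in the new synchronous path and, since the throw happens before any `done` call, in the callback path too — instead of being reported as a JsonWebTokenError; widening the guard to `if (!jwtString || typeof jwtString !== 'string') return done(new JsonWebTokenError('jwt must be provided'));` keeps every rejection on the single error channel the commit introduces. The two `var done = function ...` definitions in the if/else hoist to one function-scoped binding, which works but reads as a redeclaration; a single `var done;` before the branch with plain assignments inside makes the intent explicit, and the `var args = ...` and `callback.apply(null, args)` lines are missing their semicolons. The sign hunk at the top of the file writes `header.typ` and `header.alg` straight onto the caller's `options.headers` object when one is supplied, so a headers object reused across calls is mutated in place; copying its own properties into a fresh object before setting `typ` and `alg` would avoid that. The body of verify continues between the hunks shown, so the signature check itself is not visible here.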
+1
-1
| { | ||
| "name": "jsonwebtoken", | ||
| "version": "1.3.0", | ||
| "version": "2.0.0", | ||
| "description": "JSON Web Token implementation (symmetric and asymmetric)", | ||
@@ -5,0 +5,0 @@ "main": "index.js", |
+18
-2
@@ -32,2 +32,3 @@ # jsonwebtoken [](http://travis-ci.org/auth0/node-jsonwebtoken) | ||
| * `issuer` | ||
| * `noTimestamp` | ||
@@ -39,2 +40,4 @@ If `payload` is not a buffer or a string, it will be coerced into a string | ||
| Generated jwts will include an `iat` claim by default unless `noTimestamp` is specified. | ||
| Example | ||
@@ -52,6 +55,8 @@ | ||
| ### jwt.verify(token, secretOrPublicKey, options, callback) | ||
| ### jwt.verify(token, secretOrPublicKey, [options, callback]) | ||
| (Synchronous with callback) Returns the payload decoded if the signature (and optionally expiration, audience, issuer) are valid. If not, it will return the error. | ||
| (Asynchronous) If a callback is supplied, function acts asynchronously. Callback passed the payload decoded if the signature (and optionally expiration, audience, issuer) are valid. If not, it will be passed the error. | ||
| (Synchronous) If a callback is not supplied, function acts synchronously. Returns the payload decoded if the signature (and optionally expiration, audience, issuer) are valid. If not, it will throw the error. | ||
| `token` is the JsonWebToken string | ||
@@ -68,2 +73,6 @@ | ||
| ```js | ||
| // verify a token symmetric - synchronous | ||
| var decoded = jwt.verify(token, 'shhhhh'); | ||
| console.log(decoded.foo) // bar | ||
| // verify a token symmetric | ||
@@ -74,2 +83,9 @@ jwt.verify(token, 'shhhhh', function(err, decoded) { | ||
| // invalid token - synchronous | ||
| try { | ||
| var decoded = jwt.verify(token, 'wrong-secret'); | ||
| } catch(err) { | ||
| // err | ||
| } | ||
| // invalid token | ||
@@ -76,0 +92,0 @@ jwt.verify(token, 'wrong-secret', function(err, decoded) { |
+10
-0
@@ -18,2 +18,12 @@ var jwt = require('../index'); | ||
| it('should without options', function(done) { | ||
| var callback = function(err, decoded) { | ||
| assert.ok(decoded.foo); | ||
| assert.equal('bar', decoded.foo); | ||
| done(); | ||
| }; | ||
| callback.issuer = "shouldn't affect"; | ||
| jwt.verify(token, secret, callback ); | ||
| }); | ||
| it('should validate with secret', function(done) { | ||
@@ -20,0 +30,0 @@ jwt.verify(token, secret, function(err, decoded) { |
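Review bot: The new `should without options` test never checks `err`, so on a verification failure `decoded` is undefined and the test dies with a TypeError from `decoded.foo` rather than a readable assertion; add `assert.isNull(err);` as the first line of the callback (the sibling RS test file already uses `assert.isUndefined`/`assert.isNotNull`, so `assert.isNull` should be available from the same assertion library — confirm). The test title reads as a fragment; `it('should work without options', ...)` states what it covers. The `callback.issuer` assignment is the actual regression guard for the `options = {}` reset in verify and deserves a one-line comment such as `// a function passed in the options position must not be read as an options object`.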
+24
-10
@@ -21,17 +21,31 @@ var jwt = require('../index'); | ||
| it('should validate with public key', function(done) { | ||
| jwt.verify(token, pub, function(err, decoded) { | ||
| context('asynchronous', function() { | ||
| it('should validate with public key', function(done) { | ||
| jwt.verify(token, pub, function(err, decoded) { | ||
| assert.ok(decoded.foo); | ||
| assert.equal('bar', decoded.foo); | ||
| done(); | ||
| }); | ||
| }); | ||
| it('should throw with invalid public key', function(done) { | ||
| jwt.verify(token, invalid_pub, function(err, decoded) { | ||
| assert.isUndefined(decoded); | ||
| assert.isNotNull(err); | ||
| done(); | ||
| }); | ||
| }); | ||
| }); | ||
| context('synchronous', function() { | ||
| it('should validate with public key', function() { | ||
| var decoded = jwt.verify(token, pub); | ||
| assert.ok(decoded.foo); | ||
| assert.equal('bar', decoded.foo); | ||
| done(); | ||
| }); | ||
| }); | ||
| it('should throw with invalid public key', function(done) { | ||
| jwt.verify(token, invalid_pub, function(err, decoded) { | ||
| assert.isUndefined(decoded); | ||
| assert.isNotNull(err); | ||
| done(); | ||
| it('should throw with invalid public key', function() { | ||
| var jwtVerify = jwt.verify.bind(null, token, invalid_pub) | ||
| assert.throw(jwtVerify, 'invalid signature'); | ||
| }); | ||
| }); | ||
@@ -38,0 +52,0 @@ |
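Review bot: The synchronous `should validate with public key` test declares its function without a `done` parameter but still ends with `done();`, which will throw a ReferenceError (or call an outer `done` if one happens to be in scope) after the assertions pass; remove that `done();` line, as the sibling synchronous `should throw with invalid public key` test already omits it. The `var jwtVerify = jwt.verify.bind(null, token, invalid_pub)` line is missing its semicolon. The enclosing describe block starts above the hunk, so whether any `done` is in scope there cannot be confirmed from this page.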