jsonwebtoken
Comparing version 1.3.0 to 2.0.0
index.js
@@ -11,3 +11,5 @@ var jws = require('jws'); | ||
var header = {typ: 'JWT', alg: options.algorithm || 'HS256'}; | ||
var header = ((typeof options.headers === 'object') && options.headers) || {}; | ||
header.typ = 'JWT'; | ||
header.alg = options.algorithm || 'HS256'; | ||
@@ -20,3 +22,5 @@ if (options.header) { | ||
payload.iat = Math.floor(Date.now() / 1000); | ||
if (!options.noTimestamp) { | ||
payload.iat = Math.floor(Date.now() / 1000); | ||
} | ||
@@ -43,14 +47,32 @@ if (options.expiresInMinutes) { | ||
module.exports.verify = function(jwtString, secretOrPublicKey, options, callback) { | ||
if ((typeof options === 'function') && !callback) callback = options; | ||
if ((typeof options === 'function') && !callback) { | ||
callback = options; | ||
options = {}; | ||
} | ||
if (!options) options = {}; | ||
if (callback) { | ||
var done = function() { | ||
var args = Array.prototype.slice.call(arguments, 0) | ||
return process.nextTick(function() { | ||
callback.apply(null, args) | ||
}); | ||
}; | ||
} else { | ||
var done = function(err, data) { | ||
if (err) throw err; | ||
return data; | ||
}; | ||
} | ||
if (!jwtString) | ||
return callback(new JsonWebTokenError('jwt must be provided')); | ||
return done(new JsonWebTokenError('jwt must be provided')); | ||
var parts = jwtString.split('.'); | ||
if (parts.length !== 3) | ||
return callback(new JsonWebTokenError('jwt malformed')); | ||
return done(new JsonWebTokenError('jwt malformed')); | ||
if (parts[2].trim() === '' && secretOrPublicKey) | ||
return callback(new JsonWebTokenError('jwt signature is required')); | ||
return done(new JsonWebTokenError('jwt signature is required')); | ||
@@ -62,7 +84,7 @@ var valid; | ||
catch (e) { | ||
return callback(e); | ||
return done(e); | ||
} | ||
if (!valid) | ||
return callback(new JsonWebTokenError('invalid signature')); | ||
return done(new JsonWebTokenError('invalid signature')); | ||
@@ -74,3 +96,3 @@ var payload; | ||
} catch(err) { | ||
return callback(err); | ||
return done(err); | ||
} | ||
@@ -80,3 +102,3 @@ | ||
if (Math.floor(Date.now() / 1000) >= payload.exp) | ||
return callback(new TokenExpiredError('jwt expired', new Date(payload.exp * 1000))); | ||
return done(new TokenExpiredError('jwt expired', new Date(payload.exp * 1000))); | ||
} | ||
@@ -91,3 +113,3 @@ | ||
if (!match) | ||
return callback(new JsonWebTokenError('jwt audience invalid. expected: ' + payload.aud)); | ||
return done(new JsonWebTokenError('jwt audience invalid. expected: ' + payload.aud)); | ||
} | ||
@@ -97,6 +119,6 @@ | ||
if (payload.iss !== options.issuer) | ||
return callback(new JsonWebTokenError('jwt issuer invalid. expected: ' + payload.iss)); | ||
return done(new JsonWebTokenError('jwt issuer invalid. expected: ' + payload.iss)); | ||
} | ||
callback(null, payload); | ||
return done(null, payload); | ||
}; | ||
@@ -103,0 +125,0 @@ |
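Review bot: The new synchronous form `jwt.verify(token, key)` still has no guard for a missing key: the visible signature-presence check, `if (parts[2].trim() === '' && secretOrPublicKey)`, is skipped whenever `secretOrPublicKey` is falsy, for example when a secret read from configuration turns out to be undefined. What happens to such a token afterwards is decided by code between the hunks that this page does not show, so the impact is inferred rather than confirmed. Verification should fail closed right after the `!jwtString` check, e.g. `if (!secretOrPublicKey) return done(new JsonWebTokenError('secret or public key must be provided'));`. If verifying without a key is an intended mode, it deserves a comment at that check and an explicit option instead of an empty argument.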
{ | ||
"name": "jsonwebtoken", | ||
"version": "1.3.0", | ||
"version": "2.0.0", | ||
"description": "JSON Web Token implementation (symmetric and asymmetric)", | ||
@@ -5,0 +5,0 @@ "main": "index.js", |
@@ -32,2 +32,3 @@ # jsonwebtoken [![Build Status](https://secure.travis-ci.org/auth0/node-jsonwebtoken.png)](http://travis-ci.org/auth0/node-jsonwebtoken) | ||
* `issuer` | ||
* `noTimestamp` | ||
@@ -39,2 +40,4 @@ If `payload` is not a buffer or a string, it will be coerced into a string | ||
Generated jwts will include an `iat` claim by default unless `noTimestamp` is specified. | ||
Example | ||
@@ -52,6 +55,8 @@ | ||
### jwt.verify(token, secretOrPublicKey, options, callback) | ||
### jwt.verify(token, secretOrPublicKey, [options, callback]) | ||
(Synchronous with callback) Returns the payload decoded if the signature (and optionally expiration, audience, issuer) are valid. If not, it will return the error. | ||
(Asynchronous) If a callback is supplied, function acts asynchronously. Callback passed the payload decoded if the signature (and optionally expiration, audience, issuer) are valid. If not, it will be passed the error. | ||
(Synchronous) If a callback is not supplied, function acts synchronously. Returns the payload decoded if the signature (and optionally expiration, audience, issuer) are valid. If not, it will throw the error. | ||
`token` is the JsonWebToken string | ||
@@ -68,2 +73,6 @@ | ||
```js | ||
// verify a token symmetric - synchronous | ||
var decoded = jwt.verify(token, 'shhhhh'); | ||
console.log(decoded.foo) // bar | ||
// verify a token symmetric | ||
@@ -74,2 +83,9 @@ jwt.verify(token, 'shhhhh', function(err, decoded) { | ||
// invalid token - synchronous | ||
try { | ||
var decoded = jwt.verify(token, 'wrong-secret'); | ||
} catch(err) { | ||
// err | ||
} | ||
// invalid token | ||
@@ -76,0 +92,0 @@ jwt.verify(token, 'wrong-secret', function(err, decoded) { |
@@ -18,2 +18,12 @@ var jwt = require('../index'); | ||
it('should without options', function(done) { | ||
var callback = function(err, decoded) { | ||
assert.ok(decoded.foo); | ||
assert.equal('bar', decoded.foo); | ||
done(); | ||
}; | ||
callback.issuer = "shouldn't affect"; | ||
jwt.verify(token, secret, callback ); | ||
}); | ||
it('should validate with secret', function(done) { | ||
@@ -20,0 +30,0 @@ jwt.verify(token, secret, function(err, decoded) { |
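Review bot: The added test `'should without options'` never looks at `err`, so a verification failure would surface as a TypeError on `decoded.foo` instead of the real error; add `assert.ok(!err);` as the first line of the callback. The title is also missing its verb (`'should work without options'`). The line `callback.issuer = "shouldn't affect";` is the actual regression check and would benefit from a comment such as `// properties set on the callback must not be read as verify options`.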
@@ -21,17 +21,31 @@ var jwt = require('../index'); | ||
it('should validate with public key', function(done) { | ||
jwt.verify(token, pub, function(err, decoded) { | ||
context('asynchronous', function() { | ||
it('should validate with public key', function(done) { | ||
jwt.verify(token, pub, function(err, decoded) { | ||
assert.ok(decoded.foo); | ||
assert.equal('bar', decoded.foo); | ||
done(); | ||
}); | ||
}); | ||
it('should throw with invalid public key', function(done) { | ||
jwt.verify(token, invalid_pub, function(err, decoded) { | ||
assert.isUndefined(decoded); | ||
assert.isNotNull(err); | ||
done(); | ||
}); | ||
}); | ||
}); | ||
context('synchronous', function() { | ||
it('should validate with public key', function() { | ||
var decoded = jwt.verify(token, pub); | ||
assert.ok(decoded.foo); | ||
assert.equal('bar', decoded.foo); | ||
done(); | ||
}); | ||
}); | ||
it('should throw with invalid public key', function(done) { | ||
jwt.verify(token, invalid_pub, function(err, decoded) { | ||
assert.isUndefined(decoded); | ||
assert.isNotNull(err); | ||
done(); | ||
it('should throw with invalid public key', function() { | ||
var jwtVerify = jwt.verify.bind(null, token, invalid_pub) | ||
assert.throw(jwtVerify, 'invalid signature'); | ||
}); | ||
}); | ||
@@ -38,0 +52,0 @@ |
License Policy Violation
License: This package is not allowed per your license policy. Review the package's license to ensure compliance.
Found 1 instance in 1 package
New author
Supply chain risk: A new npm collaborator published a version of the package for the first time. New collaborators are usually benign additions to a project, but do indicate a change to the security surface area of a package.
Found 1 instance in 1 package