🚀 Big News: Socket Acquires Coana to Bring Reachability Analysis to Every Appsec Team.Learn more →
jsonwebtoken
Advanced tools
jsonwebtoken - npm Package Compare versions
Comparing version 5.0.0 to 5.0.1
@@ -6,2 +6,37 @@ # Change Log | ||
| ## [5.0.0] - 2015-04-11 | ||
| ### Changed | ||
| - [sign] Only set defautl `iat` if the user does not specify that argument. | ||
| https://github.com/auth0/node-jsonwebtoken/commit/e900282a8d2dff1d4dec815f7e6aa7782e867d91 | ||
| https://github.com/auth0/node-jsonwebtoken/commit/35036b188b4ee6b42df553bbb93bc8a6b19eae9d | ||
| https://github.com/auth0/node-jsonwebtoken/commit/954bd7a312934f03036b6bb6f00edd41f29e54d9 | ||
| https://github.com/auth0/node-jsonwebtoken/commit/24a370080e0b75f11d4717cd2b11b2949d95fc2e | ||
| https://github.com/auth0/node-jsonwebtoken/commit/a77df6d49d4ec688dfd0a1cc723586bffe753516 | ||
| ### Security | ||
| - [verify] Update to jws@^3.0.0 and renaming `header.alg` mismatch exception to `invalid algorithm` and adding more mismatch tests. | ||
| As `jws@3.0.0` changed the verify method signature to be `jws.verify(signature, algorithm, secretOrKey)`, the token header must be decoded first in order to make sure that the `alg` field matches one of the allowed `options.algorithms`. After that, the now validated `header.alg` is passed to `jws.verify` | ||
| As the order of steps has changed, the error that was thrown when the JWT was invalid is no longer the `jws` one: | ||
| ``` | ||
| { [Error: Invalid token: no header in signature 'a.b.c'] code: 'MISSING_HEADER', signature: 'a.b.c' } | ||
| ``` | ||
| That old error (removed from jws) has been replaced by a `JsonWebTokenError` with message `invalid token`. | ||
| > Important: versions >= 4.2.2 this library are safe to use but we decided to deprecate everything `< 5.0.0` to prevent security warnings from library `node-jws` when doing `npm install`. | ||
| https://github.com/auth0/node-jsonwebtoken/commit/634b8ed0ff5267dc25da5c808634208af109824e | ||
| https://github.com/auth0/node-jsonwebtoken/commit/9f24ffd5791febb449d4d03ff58d7807da9b9b7e | ||
| https://github.com/auth0/node-jsonwebtoken/commit/19e6cc6a1f2fd90356f89b074223b9665f2aa8a2 | ||
| https://github.com/auth0/node-jsonwebtoken/commit/1e4623420159c6410616f02a44ed240f176287a9 | ||
| https://github.com/auth0/node-jsonwebtoken/commit/954bd7a312934f03036b6bb6f00edd41f29e54d9 | ||
| https://github.com/auth0/node-jsonwebtoken/commit/24a370080e0b75f11d4717cd2b11b2949d95fc2e | ||
| https://github.com/auth0/node-jsonwebtoken/commit/a77df6d49d4ec688dfd0a1cc723586bffe753516 | ||
| ## [4.2.2] - 2015-03-26 | ||
@@ -8,0 +43,0 @@ ### Fixed |
18
index.js
@@ -7,4 +7,6 @@ var jws = require('jws'); | ||
| module.exports.decode = function (jwt, options) { | ||
| options = options || {}; | ||
| var decoded = jws.decode(jwt, options); | ||
| var payload = decoded && decoded.payload; | ||
| if (!decoded) { return null; } | ||
| var payload = decoded.payload; | ||
@@ -16,7 +18,17 @@ //try parse the payload | ||
| if(typeof obj === 'object') { | ||
| return obj; | ||
| payload = obj; | ||
| } | ||
| } catch (e) { } | ||
| } | ||
| //return header if `complete` option is enabled. header includes claims | ||
| //such as `kid` and `alg` used to select the key within a JWKS needed to | ||
| //verify the signature | ||
| if (options.complete === true) { | ||
| return { | ||
| header: decoded.header, | ||
| payload: payload, | ||
| signature: decoded.signature | ||
| } | ||
| } | ||
| return payload; | ||
@@ -23,0 +35,0 @@ }; |
| { | ||
| "name": "jsonwebtoken", | ||
| "version": "5.0.0", | ||
| "version": "5.0.1", | ||
| "description": "JSON Web Token implementation (symmetric and asymmetric)", | ||
@@ -5,0 +5,0 @@ "main": "index.js", |
@@ -140,2 +140,3 @@ # jsonwebtoken [](http://travis-ci.org/auth0/node-jsonwebtoken) | ||
| * `json`: force JSON.parse on the payload even if the header doesn't contain `"typ":"JWT"`. | ||
| * `complete`: return an object with the decode payload and header. | ||
@@ -147,2 +148,7 @@ Example | ||
| var decoded = jwt.decode(token); | ||
| // get the decoded payload and header | ||
| var decoded = jwt.decode(token, {complete: true}); | ||
| console.log(decoded.header); | ||
| console.log(decoded.payload) | ||
| ``` | ||
@@ -229,3 +235,3 @@ | ||
| [Auth0](auth0.com) | ||
| [Auth0](https://auth0.com) | ||
@@ -232,0 +238,0 @@ ## License |
@@ -278,3 +278,12 @@ var jwt = require('../index'); | ||
| }); | ||
| it('should return the header and payload and signature if complete option is set', function(done) { | ||
| var obj = { foo: 'bar' }; | ||
| var token = jwt.sign(obj, priv, { algorithm: 'RS256' }); | ||
| var decoded = jwt.decode(token, { complete: true }); | ||
| assert.deepEqual(decoded.payload, obj); | ||
| assert.deepEqual(decoded.header, { typ: 'JWT', alg: 'RS256' }); | ||
| assert.ok(typeof decoded.signature == 'string'); | ||
| done(); | ||
| }); | ||
| }); | ||
| }); |
New alerts
New author
Supply chain riskA new npm collaborator published a version of the package for the first time. New collaborators are usually benign additions to a project, but do indicate a change to the security surface area of a package.
Found 1 instance in 1 package
Improved metrics
- Total package byte prevSize
46311
7.62%- Lines of code
653
3.32%- Number of lines in readme file
238
2.59%Worsened metrics
- Number of medium supply chain risk alerts
1
Infinity%No dependency changes