jsonwebtoken
Comparing version 7.4.1 to 7.4.2
@@ -7,2 +7,11 @@ # Change Log | ||
## 7.4.2 - 2017-08-04 | ||
- bugfix: sign: add check to be sure secret has a value ([c584d1cbc34b788977b36f17cd57ab2212f1230e](https://github.com/auth0/node-jsonwebtoken/commit/c584d1cbc34b788977b36f17cd57ab2212f1230e)) | ||
- docs: about refreshing tokens ([016fc10b847bfbb76b82171cb530f32d7da2001b](https://github.com/auth0/node-jsonwebtoken/commit/016fc10b847bfbb76b82171cb530f32d7da2001b)) | ||
- docs: verifying with base64 encoded secrets ([c25e9906801f89605080cc71b3ee23a5e45a5811](https://github.com/auth0/node-jsonwebtoken/commit/c25e9906801f89605080cc71b3ee23a5e45a5811)) | ||
- tests: Add tests for ES256 ([89900ea00735f76b04f437c9f542285b420fa9cb](https://github.com/auth0/node-jsonwebtoken/commit/89900ea00735f76b04f437c9f542285b420fa9cb)) | ||
- docs: document keyid as option (#361) ([00086c2c006d7fc1a47bae02fa87d194d79aa558](https://github.com/auth0/node-jsonwebtoken/commit/00086c2c006d7fc1a47bae02fa87d194d79aa558)) | ||
- docs: readme: Using private key with passpharase (#353) ([27a7f1d4f35b662426ff0270526d48658da4c8b7](https://github.com/auth0/node-jsonwebtoken/commit/27a7f1d4f35b662426ff0270526d48658da4c8b7)) | ||
## 7.4.1 - 2017-05-17 | ||
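Review bot: the 7.4.2 "bugfix: sign: add check to be sure secret has a value" entry describes the fix but not the symptom it fixes. The new test's comment in this same change ("jws will not answer for falsy secrets") says that `sign()` with a missing or empty secret previously never invoked its callback; stating that here ("previously, `jwt.sign()` with an `undefined`, `null`, or empty secret never called back; it now returns `Error('secretOrPrivateKey must have a value')`") lets users match the changelog against the failure they saw. The "docs: readme: Using private key with passpharase (#353)" entry also carries the typo "passpharase" from the commit title; spell it "passphrase" in the changelog.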
@@ -9,0 +18,0 @@ |
{ | ||
"name": "jsonwebtoken", | ||
"version": "7.4.1", | ||
"version": "7.4.2", | ||
"description": "JSON Web Token implementation (symmetric and asymmetric)", | ||
@@ -5,0 +5,0 @@ "main": "index.js", |
@@ -26,4 +26,4 @@ # jsonwebtoken | ||
`secretOrPrivateKey` is a string or buffer containing either the secret for HMAC algorithms, or the PEM | ||
encoded private key for RSA and ECDSA. | ||
`secretOrPrivateKey` is a string, buffer, or object containing either the secret for HMAC algorithms or the PEM | ||
encoded private key for RSA and ECDSA. In case of a private key with passphrase an object `{ key, passphrase }` can be used (based on [crypto documentation](https://nodejs.org/api/crypto.html#crypto_sign_sign_private_key_output_format)), in this case be sure you pass the `algorithm` option. | ||
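Review bot: the added sentence tells the reader to "be sure you pass the `algorithm` option" without saying why, and a reader who omits it has no way to know from the docs what will go wrong. Say which algorithms the `{ key, passphrase }` form is for (the RSA and ECDSA ones named in the same sentence) and give the option concretely, e.g. `jwt.sign(payload, { key: privateKeyPem, passphrase: '...' }, { algorithm: 'RS256' })`. The sentence is also a run-on; split it after the link: "When the private key is passphrase-protected, pass an object `{ key, passphrase }` (see the Node `crypto` documentation). In that case you must set the `algorithm` option explicitly."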
@@ -41,2 +41,3 @@ `options`: | ||
* `header` | ||
* `keyid` | ||
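Review bot: `keyid` is added to the options list as a bare name, with no type or description, so the reader cannot tell from the README what it does or what value it takes. Add a sentence in the same style as the `secretOrPrivateKey` paragraph above, e.g. "`keyid`: a string placed in the token header so a verifier can select the matching key", since a bare bullet is a listing, not documentation of the option that the changelog entry "document keyid as option (#361)" promises.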
@@ -115,2 +116,4 @@ If `payload` is not a buffer or a string, it will be coerced into a string using `JSON.stringify`. | ||
As mentioned in [this comment](https://github.com/auth0/node-jsonwebtoken/issues/208#issuecomment-231861138), there are other libraries that expect base64 encoded secrets (random bytes encoded using base64), if that is your case you can pass `new Buffer(secret, 'base64')`, by doing this the secret will be decoded using base64 and the token verification will use the original random bytes. | ||
`options` | ||
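Review bot: the example `new Buffer(secret, 'base64')` uses the deprecated `Buffer` constructor (Node deprecation DEP0005, because `new Buffer()` behaves differently depending on the argument type); the README should show `Buffer.from(secret, 'base64')`, which was already available when this was written. The sentence is also a single run-on; split it: "Some libraries expect base64-encoded secrets (random bytes encoded with base64). If that is your case, pass `Buffer.from(secret, 'base64')`: the secret is then decoded and verification uses the original random bytes." It is worth adding that the decoded bytes must be exactly the bytes the issuer signed with; if the issuer used the base64 string itself as the HMAC key, decoding on the verify side makes every signature check fail.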
@@ -286,2 +289,9 @@ | ||
## Refreshing JWTs | ||
First of all, we recommend to think carefully if auto-refreshing a JWT will not introduce any vulnerability in your system. | ||
We are not comfortable including this as part of the library, however, you can take a look to [this example](https://gist.github.com/ziluvatar/a3feb505c4c0ec37059054537b38fc48) to show how this could be accomplish. | ||
Apart from that example there are [an issue](https://github.com/auth0/node-jsonwebtoken/issues/122) and [a pull request](https://github.com/auth0/node-jsonwebtoken/pull/172) to get more knowledge about this topic. | ||
# TODO | ||
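Review bot: the warning in the new "Refreshing JWTs" section is too vague to act on; "will not introduce any vulnerability" should name the risk, which is that an endpoint that mints a fresh token from any still-valid one turns a short `expiresIn` into an unbounded lifetime unless the refresh also confirms the user or session is still valid (for example against a revocation list) and refuses tokens that are already expired. The prose also needs grammar fixes in three places: "we recommend to think carefully if auto-refreshing a JWT will not introduce" reads better as "we recommend thinking carefully about whether auto-refreshing a JWT introduces"; "take a look to [this example] to show how this could be accomplish" should be "take a look at [this example] to see how this could be accomplished"; and "there are [an issue] and [a pull request] to get more knowledge about this topic" should be "see [this issue] and [this pull request] for more background on this topic".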
@@ -288,0 +298,0 @@ |
@@ -69,2 +69,5 @@ var Joi = require('joi'); | ||
if (!secretOrPrivateKey) { | ||
return failure(new Error('secretOrPrivateKey must have a value')); | ||
} | ||
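Review bot: `if (!secretOrPrivateKey)` rejects `undefined`, `null`, `''` and `0`, but an empty `Buffer` is an object and therefore truthy, so `Buffer.alloc(0)` sails through the new check even though the README documents buffers as valid secrets and a zero-length HMAC key is no better than a missing one. Extend the guard, for example `if (!secretOrPrivateKey || (Buffer.isBuffer(secretOrPrivateKey) && secretOrPrivateKey.length === 0))`, so the new error message covers the buffer form too. Placing the check before the `typeof payload === 'undefined'` test, as the trailing context shows, is the right order: the key is validated regardless of what the payload looks like.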
@@ -71,0 +74,0 @@ if (typeof payload === 'undefined') { |
@@ -66,3 +66,17 @@ var jwt = require('../index'); | ||
}); | ||
describe('secret must have a value', function(){ | ||
[undefined, '', 0].forEach(function(secret){ | ||
it('should return an error if the secret is falsy: ' + (typeof secret === 'string' ? '(empty string)' : secret), function(done) { | ||
// This is needed since jws will not answer for falsy secrets | ||
jwt.sign('string', secret, {}, function(err, token) { | ||
expect(err).to.be.exist(); | ||
expect(err.message).to.equal('secretOrPrivateKey must have a value'); | ||
expect(token).to.not.exist; | ||
done(); | ||
}); | ||
}); | ||
}); | ||
}); | ||
}); | ||
}); |
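Review bot: `expect(err).to.be.exist();` treats Chai's `exist` as a method, while `expect(token).to.not.exist;` two lines below uses it correctly as a property assertion; write `expect(err).to.exist;` so the assertion does not depend on invoking something that is not a function. The `[undefined, '', 0]` list should also include `null` and `false`, since the `!secretOrPrivateKey` check in `sign.js` rejects those too and a config value that resolves to `null` is the most likely real-world way to hit this path; the label expression `typeof secret === 'string' ? '(empty string)' : secret` already renders those values readably.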
Major refactor
Supply chain risk: Package has recently undergone a major refactor. It may be unstable or indicate significant internal changes. Use caution when updating to versions that include significant changes.
Found 1 instance in 1 package