
jsonwebtoken - npm Package Compare versions

Comparing version 7.4.3 to 8.0.0

10

CHANGELOG.md

@@ -7,2 +7,12 @@ # Change Log

## 8.0.0 - 2017-09-06
**Breaking changes: See [Migration notes from v7](https://github.com/auth0/node-jsonwebtoken/wiki/Migration-Notes:-v7-to-v8)**
- docs: readme, migration notes ([12cd8f7f47224f904f6b8f39d1dee73775de4f6f](https://github.com/auth0/node-jsonwebtoken/commit/12cd8f7f47224f904f6b8f39d1dee73775de4f6f))
- verify: remove process.nextTick (#302) ([3305cf04e3f674b9fb7e27c9b14ddd159650ff82](https://github.com/auth0/node-jsonwebtoken/commit/3305cf04e3f674b9fb7e27c9b14ddd159650ff82))
- Reduce size of NPM package (#347) ([0be5409ac6592eeaae373dce91ec992fa101bd8a](https://github.com/auth0/node-jsonwebtoken/commit/0be5409ac6592eeaae373dce91ec992fa101bd8a))
- Remove joi to shrink module size (#348) ([2e7e68dbd59e845cdd940afae0a296f48438445f](https://github.com/auth0/node-jsonwebtoken/commit/2e7e68dbd59e845cdd940afae0a296f48438445f))
- maxAge: Add validation to timespan result ([66a4f8b996c8357727ce62a84605a005b2f5eb18](https://github.com/auth0/node-jsonwebtoken/commit/66a4f8b996c8357727ce62a84605a005b2f5eb18))
## 7.4.3 - 2017-08-17

@@ -9,0 +19,0 @@

21

package.json
{
"name": "jsonwebtoken",
"version": "7.4.3",
"version": "8.0.0",
"description": "JSON Web Token implementation (symmetric and asymmetric)",
"main": "index.js",
"scripts": {
"test": "mocha --require test/util/fakeDate && nsp check"
"test": "mocha --require test/util/fakeDate && nsp check && cost-of-modules"
},

@@ -22,4 +22,10 @@ "repository": {

"dependencies": {
"joi": "^6.10.1",
"jws": "^3.1.4",
"lodash.includes": "^4.3.0",
"lodash.isarray": "^4.0.0",
"lodash.isboolean": "^3.0.3",
"lodash.isinteger": "^4.0.4",
"lodash.isnumber": "^3.0.3",
"lodash.isplainobject": "^4.0.6",
"lodash.isstring": "^4.0.1",
"lodash.once": "^4.0.0",

@@ -33,2 +39,3 @@ "ms": "^2.0.0",

"conventional-changelog": "~1.1.0",
"cost-of-modules": "^1.0.1",
"mocha": "^2.1.0",

@@ -41,3 +48,9 @@ "nsp": "^2.6.2",

"node": ">=0.12"
}
},
"files": [
"lib",
"decode.js",
"sign.js",
"verify.js"
]
}
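Review bot: The dependency list on the new side replaces `joi` with several separately published `lodash.*` micro-packages (`includes`, `isarray`, `isboolean`, `isinteger`, `isnumber`, `isplainobject`, `isstring`), so a token-signing library now trusts more distinct upstream publish targets than before even though total install size drops. That trade-off is worth stating in the 8.0.0 changelog entry, and CI should pin the resolved versions with a lockfile since none is visible in this diff. The `test` script also chains `cost-of-modules` after `nsp check`; both presumably need network access, so `npm test` now has one more way to fail offline — a separate `size` script would keep the unit tests runnable on their own.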

8

README.md

@@ -16,2 +16,6 @@ # jsonwebtoken

# Migration notes
* [From v7 to v8](https://github.com/auth0/node-jsonwebtoken/wiki/Migration-Notes:-v7-to-v8)
# Usage

@@ -126,4 +130,4 @@

* `clockTolerance`: number of seconds to tolerate when checking the `nbf` and `exp` claims, to deal with small clock differences among different servers
* `maxAge`: the maximum allowed age for tokens to still be valid. Currently it is expressed in milliseconds or a string describing a time span [zeit/ms](https://github.com/zeit/ms). Eg: `1000`, `"2 days"`, `"10h"`, `"7d"`. **We advise against using milliseconds precision, though, since JWTs can only contain seconds. The maximum precision might be reduced to seconds in the future.**
* `clockTimestamp`: the time in seconds that should be used as the current time for all necessary comparisons (also against `maxAge`, so our advise is to avoid using `clockTimestamp` and a `maxAge` in milliseconds together)
* `maxAge`: the maximum allowed age for tokens to still be valid. It is expressed in seconds or a string describing a time span [zeit/ms](https://github.com/zeit/ms). Eg: `1000`, `"2 days"`, `"10h"`, `"7d"`.
* `clockTimestamp`: the time in seconds that should be used as the current time for all necessary comparisons.

@@ -130,0 +134,0 @@

@@ -1,27 +0,51 @@

var Joi = require('joi');
var timespan = require('./lib/timespan');
var xtend = require('xtend');
var jws = require('jws');
var includes = require('lodash.includes');
var isArray = require('lodash.isarray');
var isBoolean = require('lodash.isboolean');
var isInteger = require('lodash.isinteger');
var isNumber = require('lodash.isnumber');
var isPlainObject = require('lodash.isplainobject');
var isString = require('lodash.isstring');
var once = require('lodash.once');
var sign_options_schema = Joi.object().keys({
expiresIn: [Joi.number().integer(), Joi.string()],
notBefore: [Joi.number().integer(), Joi.string()],
audience: [Joi.string(), Joi.array()],
algorithm: Joi.string().valid('RS256', 'RS384', 'RS512', 'ES256', 'ES384', 'ES512', 'HS256', 'HS384', 'HS512', 'none'),
header: Joi.object(),
encoding: Joi.string(),
issuer: Joi.string(),
subject: Joi.string(),
jwtid: Joi.string(),
noTimestamp: Joi.boolean(),
keyid: Joi.string()
});
var sign_options_schema = {
expiresIn: { isValid: function(value) { return isInteger(value) || isString(value); }, message: '"expiresIn" should be a number of seconds or string representing a timespan' },
notBefore: { isValid: function(value) { return isInteger(value) || isString(value); }, message: '"notBefore" should be a number of seconds or string representing a timespan' },
audience: { isValid: function(value) { return isString(value) || isArray(value); }, message: '"audience" must be a string or array' },
algorithm: { isValid: includes.bind(null, ['RS256', 'RS384', 'RS512', 'ES256', 'ES384', 'ES512', 'HS256', 'HS384', 'HS512', 'none']), message: '"algorithm" must be a valid string enum value' },
header: { isValid: isPlainObject, message: '"header" must be an object' },
encoding: { isValid: isString, message: '"encoding" must be a string' },
issuer: { isValid: isString, message: '"issuer" must be a string' },
subject: { isValid: isString, message: '"subject" must be a string' },
jwtid: { isValid: isString, message: '"jwtid" must be a string' },
noTimestamp: { isValid: isBoolean, message: '"noTimestamp" must be a boolean' },
keyid: { isValid: isString, message: '"keyid" must be a string' },
};
var registered_claims_schema = Joi.object().keys({
iat: Joi.number(),
exp: Joi.number(),
nbf: Joi.number()
}).unknown();
var registered_claims_schema = {
iat: { isValid: isNumber, message: '"iat" should be a number of seconds' },
exp: { isValid: isNumber, message: '"exp" should be a number of seconds' },
nbf: { isValid: isNumber, message: '"nbf" should be a number of seconds' }
};
function validate(schema, unknown, object) {
if (!isPlainObject(object)) {
throw new Error('Expected object');
}
Object.keys(object)
.forEach(function(key) {
var validator = schema[key];
if (!validator) {
if (!unknown) {
throw new Error('"' + key + '" is not allowed');
}
return;
}
if (!validator.isValid(object[key])) {
throw new Error(validator.message);
}
});
}

@@ -76,8 +100,8 @@ var options_to_payload = {

} else if (isObjectPayload) {
var payload_validation_result = registered_claims_schema.validate(payload);
if (payload_validation_result.error) {
return failure(payload_validation_result.error);
try {
validate(registered_claims_schema, true, payload);
}
catch (error) {
return failure(error);
}
payload = xtend(payload);

@@ -102,7 +126,8 @@ } else {

var validation_result = sign_options_schema.validate(options);
if (validation_result.error) {
return failure(validation_result.error);
try {
validate(sign_options_schema, false, options);
}
catch (error) {
return failure(error);
}

@@ -109,0 +134,0 @@ var timestamp = payload.iat || Math.floor(Date.now() / 1000);
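Review bot: In the new `validate` helper the lookup `var validator = schema[key];` is made on a plain object literal, so an option or claim whose name is an `Object.prototype` member (`constructor`, `toString`, `hasOwnProperty`) resolves to an inherited function, `validator.isValid` is undefined, and the call throws a TypeError instead of the intended validation error — on the payload path (`validate(registered_claims_schema, true, payload)`) such a claim is rejected rather than passed through as an unknown key. Guard the lookup with an own-property check: `var validator = Object.prototype.hasOwnProperty.call(schema, key) ? schema[key] : undefined;`. Separately, `'none'` stays in the accepted `algorithm` list (pre-existing, carried over from the joi schema); a comment such as `// 'none' yields an unsigned token; never accept it on the verify side` would make that explicit for the next maintainer. The `sign` function itself starts and ends outside the visible hunks.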

@@ -5,4 +5,4 @@ var JsonWebTokenError = require('./lib/JsonWebTokenError');

var decode = require('./decode');
var timespan = require('./lib/timespan');
var jws = require('jws');
var ms = require('ms');
var xtend = require('xtend');

@@ -25,8 +25,3 @@

if (callback) {
done = function() {
var args = Array.prototype.slice.call(arguments, 0);
return process.nextTick(function() {
callback.apply(null, args);
});
};
done = callback;
} else {

@@ -170,12 +165,13 @@ done = function(err, data) {

if (options.maxAge) {
var maxAge = ms(options.maxAge);
if (typeof payload.iat !== 'number') {
return done(new JsonWebTokenError('iat required when maxAge is specified'));
}
// We have to compare against either options.clockTimestamp or the currentDate _with_ millis
// to not change behaviour (version 7.2.1). Should be resolve somehow for next major.
var nowOrClockTimestamp = ((options.clockTimestamp || 0) * 1000) || Date.now();
if (nowOrClockTimestamp - (payload.iat * 1000) > maxAge + (options.clockTolerance || 0) * 1000) {
return done(new TokenExpiredError('maxAge exceeded', new Date(payload.iat * 1000 + maxAge)));
var maxAgeTimestamp = timespan(options.maxAge, payload.iat);
if (typeof maxAgeTimestamp === 'undefined') {
return done(new JsonWebTokenError('"maxAge" should be a number of seconds or string representing a timespan eg: "1d", "20h", 60'));
}
if (clockTimestamp >= maxAgeTimestamp + (options.clockTolerance || 0)) {
return done(new TokenExpiredError('maxAge exceeded', new Date(maxAgeTimestamp * 1000)));
}
}

@@ -182,0 +178,0 @@
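Review bot: The new `timespan` validation only runs inside the pre-existing `if (options.maxAge) {` guard, so a `maxAge` of `0` or `''` still silently skips the age check instead of reaching the new `"maxAge" should be a number of seconds …` error path; a caller who meant "reject anything not issued right now" gets no check at all. If that is not intended, test for presence rather than truthiness, `if (options.maxAge !== undefined) {` (or `!= null` if callers pass `null` to mean unset), so `''` is rejected by `timespan` and `0` becomes a zero-second window. `clockTimestamp` and the enclosing verify function are defined outside the hunk, so whether it already applies `clockTolerance` cannot be confirmed from here.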
