jsonwebtoken
Comparing version 7.4.3 to 8.0.0
@@ -7,2 +7,12 @@ # Change Log | ||
## 8.0.0 - 2017-09-06 | ||
**Breaking changes: See [Migration notes from v7](https://github.com/auth0/node-jsonwebtoken/wiki/Migration-Notes:-v7-to-v8)** | ||
- docs: readme, migration notes ([12cd8f7f47224f904f6b8f39d1dee73775de4f6f](https://github.com/auth0/node-jsonwebtoken/commit/12cd8f7f47224f904f6b8f39d1dee73775de4f6f)) | ||
- verify: remove process.nextTick (#302) ([3305cf04e3f674b9fb7e27c9b14ddd159650ff82](https://github.com/auth0/node-jsonwebtoken/commit/3305cf04e3f674b9fb7e27c9b14ddd159650ff82)) | ||
- Reduce size of NPM package (#347) ([0be5409ac6592eeaae373dce91ec992fa101bd8a](https://github.com/auth0/node-jsonwebtoken/commit/0be5409ac6592eeaae373dce91ec992fa101bd8a)) | ||
- Remove joi to shrink module size (#348) ([2e7e68dbd59e845cdd940afae0a296f48438445f](https://github.com/auth0/node-jsonwebtoken/commit/2e7e68dbd59e845cdd940afae0a296f48438445f)) | ||
- maxAge: Add validation to timespan result ([66a4f8b996c8357727ce62a84605a005b2f5eb18](https://github.com/auth0/node-jsonwebtoken/commit/66a4f8b996c8357727ce62a84605a005b2f5eb18)) | ||
## 7.4.3 - 2017-08-17 | ||
@@ -9,0 +19,0 @@ |
{ | ||
"name": "jsonwebtoken", | ||
"version": "7.4.3", | ||
"version": "8.0.0", | ||
"description": "JSON Web Token implementation (symmetric and asymmetric)", | ||
"main": "index.js", | ||
"scripts": { | ||
"test": "mocha --require test/util/fakeDate && nsp check" | ||
"test": "mocha --require test/util/fakeDate && nsp check && cost-of-modules" | ||
}, | ||
@@ -22,4 +22,10 @@ "repository": { | ||
"dependencies": { | ||
"joi": "^6.10.1", | ||
"jws": "^3.1.4", | ||
"lodash.includes": "^4.3.0", | ||
"lodash.isarray": "^4.0.0", | ||
"lodash.isboolean": "^3.0.3", | ||
"lodash.isinteger": "^4.0.4", | ||
"lodash.isnumber": "^3.0.3", | ||
"lodash.isplainobject": "^4.0.6", | ||
"lodash.isstring": "^4.0.1", | ||
"lodash.once": "^4.0.0", | ||
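Review bot: The seven `lodash.*` packages that replace `joi` each add an independently published upstream to the install graph, although every predicate they supply (`isString`, `isArray`, `isBoolean`, `isNumber`, `isInteger`, `isPlainObject`, `includes`) is a one- or two-line `typeof` / `Array.isArray` / `indexOf` check; inlining them into a small local helper would meet the size goal of this release with no runtime dependency beyond `jws`, `ms` and `xtend`. If they are kept, consider whether the `^` ranges are wanted here: a compromised or mis-published patch release of any of the seven would be pulled into every consumer's install silently, whereas exact pins (or a checked-in lockfile for the test matrix) make that change visible. Either way the changelog entry "Remove joi to shrink module size" could say that the validation semantics are meant to be unchanged, since that is what the `sign.js` rewrite in this diff tries to preserve.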
@@ -33,2 +39,3 @@ "ms": "^2.0.0", | ||
"conventional-changelog": "~1.1.0", | ||
"cost-of-modules": "^1.0.1", | ||
"mocha": "^2.1.0", | ||
@@ -41,3 +48,9 @@ "nsp": "^2.6.2", | ||
"node": ">=0.12" | ||
} | ||
}, | ||
"files": [ | ||
"lib", | ||
"decode.js", | ||
"sign.js", | ||
"verify.js" | ||
] | ||
} |
@@ -16,2 +16,6 @@ # jsonwebtoken | ||
# Migration notes | ||
* [From v7 to v8](https://github.com/auth0/node-jsonwebtoken/wiki/Migration-Notes:-v7-to-v8) | ||
# Usage | ||
@@ -126,4 +130,4 @@ | ||
* `clockTolerance`: number of seconds to tolerate when checking the `nbf` and `exp` claims, to deal with small clock differences among different servers | ||
* `maxAge`: the maximum allowed age for tokens to still be valid. Currently it is expressed in milliseconds or a string describing a time span [zeit/ms](https://github.com/zeit/ms). Eg: `1000`, `"2 days"`, `"10h"`, `"7d"`. **We advise against using milliseconds precision, though, since JWTs can only contain seconds. The maximum precision might be reduced to seconds in the future.** | ||
* `clockTimestamp`: the time in seconds that should be used as the current time for all necessary comparisons (also against `maxAge`, so our advise is to avoid using `clockTimestamp` and a `maxAge` in milliseconds together) | ||
* `maxAge`: the maximum allowed age for tokens to still be valid. It is expressed in seconds or a string describing a time span [zeit/ms](https://github.com/zeit/ms). Eg: `1000`, `"2 days"`, `"10h"`, `"7d"`. | ||
* `clockTimestamp`: the time in seconds that should be used as the current time for all necessary comparisons. | ||
@@ -130,0 +134,0 @@ |
sign.js
@@ -1,27 +0,51 @@ | ||
var Joi = require('joi'); | ||
var timespan = require('./lib/timespan'); | ||
var xtend = require('xtend'); | ||
var jws = require('jws'); | ||
var includes = require('lodash.includes'); | ||
var isArray = require('lodash.isarray'); | ||
var isBoolean = require('lodash.isboolean'); | ||
var isInteger = require('lodash.isinteger'); | ||
var isNumber = require('lodash.isnumber'); | ||
var isPlainObject = require('lodash.isplainobject'); | ||
var isString = require('lodash.isstring'); | ||
var once = require('lodash.once'); | ||
var sign_options_schema = Joi.object().keys({ | ||
expiresIn: [Joi.number().integer(), Joi.string()], | ||
notBefore: [Joi.number().integer(), Joi.string()], | ||
audience: [Joi.string(), Joi.array()], | ||
algorithm: Joi.string().valid('RS256', 'RS384', 'RS512', 'ES256', 'ES384', 'ES512', 'HS256', 'HS384', 'HS512', 'none'), | ||
header: Joi.object(), | ||
encoding: Joi.string(), | ||
issuer: Joi.string(), | ||
subject: Joi.string(), | ||
jwtid: Joi.string(), | ||
noTimestamp: Joi.boolean(), | ||
keyid: Joi.string() | ||
}); | ||
var sign_options_schema = { | ||
expiresIn: { isValid: function(value) { return isInteger(value) || isString(value); }, message: '"expiresIn" should be a number of seconds or string representing a timespan' }, | ||
notBefore: { isValid: function(value) { return isInteger(value) || isString(value); }, message: '"notBefore" should be a number of seconds or string representing a timespan' }, | ||
audience: { isValid: function(value) { return isString(value) || isArray(value); }, message: '"audience" must be a string or array' }, | ||
algorithm: { isValid: includes.bind(null, ['RS256', 'RS384', 'RS512', 'ES256', 'ES384', 'ES512', 'HS256', 'HS384', 'HS512', 'none']), message: '"algorithm" must be a valid string enum value' }, | ||
header: { isValid: isPlainObject, message: '"header" must be an object' }, | ||
encoding: { isValid: isString, message: '"encoding" must be a string' }, | ||
issuer: { isValid: isString, message: '"issuer" must be a string' }, | ||
subject: { isValid: isString, message: '"subject" must be a string' }, | ||
jwtid: { isValid: isString, message: '"jwtid" must be a string' }, | ||
noTimestamp: { isValid: isBoolean, message: '"noTimestamp" must be a boolean' }, | ||
keyid: { isValid: isString, message: '"keyid" must be a string' }, | ||
}; | ||
var registered_claims_schema = Joi.object().keys({ | ||
iat: Joi.number(), | ||
exp: Joi.number(), | ||
nbf: Joi.number() | ||
}).unknown(); | ||
var registered_claims_schema = { | ||
iat: { isValid: isNumber, message: '"iat" should be a number of seconds' }, | ||
exp: { isValid: isNumber, message: '"exp" should be a number of seconds' }, | ||
nbf: { isValid: isNumber, message: '"nbf" should be a number of seconds' } | ||
}; | ||
function validate(schema, unknown, object) { | ||
if (!isPlainObject(object)) { | ||
throw new Error('Expected object'); | ||
} | ||
Object.keys(object) | ||
.forEach(function(key) { | ||
var validator = schema[key]; | ||
if (!validator) { | ||
if (!unknown) { | ||
throw new Error('"' + key + '" is not allowed'); | ||
} | ||
return; | ||
} | ||
if (!validator.isValid(object[key])) { | ||
throw new Error(validator.message); | ||
} | ||
}); | ||
} | ||
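Review bot: `validate` looks validators up with `schema[key]` on a plain object literal, so a key inherited from `Object.prototype` — `toString`, `constructor`, `hasOwnProperty`, `valueOf` — passes the `!validator` guard and then throws `TypeError: validator.isValid is not a function` at `validator.isValid(object[key])`; for the payload call (`unknown` is `true`) that turns a custom claim with such a name into a crash instead of passing it through, and for options it replaces the intended `"…" is not allowed` message with a TypeError. Restrict the lookup to own properties: `var validator = Object.prototype.hasOwnProperty.call(schema, key) ? schema[key] : undefined;`. A one-line header would also help readers since this replaces joi's self-describing schema: `// Throws if object is not a plain object, if a key is absent from schema (when unknown is false), or if a key's value fails its isValid check.`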
@@ -76,8 +100,8 @@ var options_to_payload = { | ||
} else if (isObjectPayload) { | ||
var payload_validation_result = registered_claims_schema.validate(payload); | ||
if (payload_validation_result.error) { | ||
return failure(payload_validation_result.error); | ||
try { | ||
validate(registered_claims_schema, true, payload); | ||
} | ||
catch (error) { | ||
return failure(error); | ||
} | ||
payload = xtend(payload); | ||
@@ -102,7 +126,8 @@ } else { | ||
var validation_result = sign_options_schema.validate(options); | ||
if (validation_result.error) { | ||
return failure(validation_result.error); | ||
try { | ||
validate(sign_options_schema, false, options); | ||
} | ||
catch (error) { | ||
return failure(error); | ||
} | ||
@@ -109,0 +134,0 @@ var timestamp = payload.iat || Math.floor(Date.now() / 1000); |
@@ -5,4 +5,4 @@ var JsonWebTokenError = require('./lib/JsonWebTokenError'); | ||
var decode = require('./decode'); | ||
var timespan = require('./lib/timespan'); | ||
var jws = require('jws'); | ||
var ms = require('ms'); | ||
var xtend = require('xtend'); | ||
@@ -25,8 +25,3 @@ | ||
if (callback) { | ||
done = function() { | ||
var args = Array.prototype.slice.call(arguments, 0); | ||
return process.nextTick(function() { | ||
callback.apply(null, args); | ||
}); | ||
}; | ||
done = callback; | ||
} else { | ||
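Review bot: With `done = callback` the user callback now runs synchronously on the `verify()` call stack, so an exception thrown inside it is no longer isolated by `process.nextTick` and propagates out of `verify()`: a caller's `try/catch` around `verify` now also catches its own callback's errors, and if any later `done(...)` call in `verify` (outside this hunk) sits inside a `try { … } catch (e) { return done(e); }`, a throwing callback would be reported to the callback a second time. The changelog marks this as the intended breaking change (#302), but the assignment deserves a comment and the migration notes a sentence: `// v8: callback is invoked synchronously; errors it throws propagate to the caller of verify()`. The enclosing `verify` function begins and ends outside this hunk.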
@@ -170,12 +165,13 @@ done = function(err, data) { | ||
if (options.maxAge) { | ||
var maxAge = ms(options.maxAge); | ||
if (typeof payload.iat !== 'number') { | ||
return done(new JsonWebTokenError('iat required when maxAge is specified')); | ||
} | ||
// We have to compare against either options.clockTimestamp or the currentDate _with_ millis | ||
// to not change behaviour (version 7.2.1). Should be resolve somehow for next major. | ||
var nowOrClockTimestamp = ((options.clockTimestamp || 0) * 1000) || Date.now(); | ||
if (nowOrClockTimestamp - (payload.iat * 1000) > maxAge + (options.clockTolerance || 0) * 1000) { | ||
return done(new TokenExpiredError('maxAge exceeded', new Date(payload.iat * 1000 + maxAge))); | ||
var maxAgeTimestamp = timespan(options.maxAge, payload.iat); | ||
if (typeof maxAgeTimestamp === 'undefined') { | ||
return done(new JsonWebTokenError('"maxAge" should be a number of seconds or string representing a timespan eg: "1d", "20h", 60')); | ||
} | ||
if (clockTimestamp >= maxAgeTimestamp + (options.clockTolerance || 0)) { | ||
return done(new TokenExpiredError('maxAge exceeded', new Date(maxAgeTimestamp * 1000))); | ||
} | ||
} | ||
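Review bot: `options.clockTolerance` is folded into the comparison unchecked; if it arrives as a string (for example `"5"` read from an environment variable), `maxAgeTimestamp + "5"` becomes string concatenation (`"15000000005"`) and the numeric comparison never expires the token — a silent bypass of the `maxAge` check. Unless `clockTolerance` is validated earlier in `verify` (not visible here), reject a non-numeric value before use: `var tolerance = options.clockTolerance || 0;` followed by `if (typeof tolerance !== 'number') { return done(new JsonWebTokenError('"clockTolerance" must be a number of seconds')); }` and `if (clockTimestamp >= maxAgeTimestamp + tolerance) { … }`. It is also worth confirming that `timespan` returns `undefined` rather than `NaN` for a malformed string such as `"abc"`, since the `typeof maxAgeTimestamp === 'undefined'` guard would not catch `NaN` and `clockTimestamp >= NaN` is always false, again never expiring. `clockTimestamp` and the enclosing `verify` are defined outside this hunk.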
@@ -182,0 +178,0 @@ |
License Policy Violation
LicenseThis package is not allowed per your license policy. Review the package's license to ensure compliance.
Found 1 instance in 1 package
Major refactor
Supply chain riskPackage has recently undergone a major refactor. It may be unstable or indicate significant internal changes. Use caution when updating to versions that include significant changes.
Found 1 instance in 1 package
License Policy Violation
LicenseThis package is not allowed per your license policy. Review the package's license to ensure compliance.
Found 1 instance in 1 package
Filesystem access
Supply chain riskAccesses the file system, and could potentially read sensitive data.
Found 1 instance in 1 package
+ Addedlodash.includes@^4.3.0
+ Addedlodash.isarray@^4.0.0
+ Addedlodash.isboolean@^3.0.3
+ Addedlodash.isinteger@^4.0.4
+ Addedlodash.isnumber@^3.0.3
+ Addedlodash.isplainobject@^4.0.6
+ Addedlodash.isstring@^4.0.1
+ Addedlodash.includes@4.3.0(transitive)
+ Addedlodash.isarray@4.0.0(transitive)
+ Addedlodash.isboolean@3.0.3(transitive)
+ Addedlodash.isinteger@4.0.4(transitive)
+ Addedlodash.isnumber@3.0.3(transitive)
+ Addedlodash.isplainobject@4.0.6(transitive)
+ Addedlodash.isstring@4.0.1(transitive)
- Removedjoi@^6.10.1
- Removedhoek@2.16.3(transitive)
- Removedisemail@1.2.0(transitive)
- Removedjoi@6.10.1(transitive)
- Removedmoment@2.30.1(transitive)
- Removedtopo@1.1.0(transitive)