jsonwebtoken
Comparing version 8.3.0 to 8.4.0
@@ -7,2 +7,45 @@ # Change Log | ||
## 8.4.0 - 2018-11-14 | ||
### New Functionality | ||
- Add verify option for nonce validation (#540) ([e7938f06fdf2ed3aa88745b72b8ae4ee66c2d0d0](https://github.com/auth0/node-jsonwebtoken/commit/e7938f06fdf2ed3aa88745b72b8ae4ee66c2d0d0)), closes [#540](https://github.com/auth0/node-jsonwebtoken/issues/540) | ||
### Bug Fixes | ||
- Updating Node version in Engines spec in package.json (#528) ([cfd1079305170a897dee6a5f55039783e6ee2711](https://github.com/auth0/node-jsonwebtoken/commit/cfd1079305170a897dee6a5f55039783e6ee2711)), closes [#528](https://github.com/auth0/node-jsonwebtoken/issues/528) [#509](https://github.com/auth0/node-jsonwebtoken/issues/509) | ||
- Fixed error message when empty string passed as expiresIn or notBefore option (#531) ([7f9604ac98d4d0ff8d873c3d2b2ea64bd285cb76](https://github.com/auth0/node-jsonwebtoken/commit/7f9604ac98d4d0ff8d873c3d2b2ea64bd285cb76)), closes [#531](https://github.com/auth0/node-jsonwebtoken/issues/531) | ||
### Docs | ||
- Update README.md (#527) ([b76f2a80f5229ee5cde321dd2ff14aa5df16d283](https://github.com/auth0/node-jsonwebtoken/commit/b76f2a80f5229ee5cde321dd2ff14aa5df16d283)), closes [#527](https://github.com/auth0/node-jsonwebtoken/issues/527) | ||
- Update README.md (#538) ([1956c4006472fd285b8a85074257cbdbe9131cbf](https://github.com/auth0/node-jsonwebtoken/commit/1956c4006472fd285b8a85074257cbdbe9131cbf)), closes [#538](https://github.com/auth0/node-jsonwebtoken/issues/538) | ||
- Edited the README.md to make certain parts of the document for the api easier to read, emphasizing the examples. (#548) ([dc89a641293d42f72ecfc623ce2eabc33954cb9d](https://github.com/auth0/node-jsonwebtoken/commit/dc89a641293d42f72ecfc623ce2eabc33954cb9d)), closes [#548](https://github.com/auth0/node-jsonwebtoken/issues/548) | ||
- Document NotBeforeError (#529) ([29cd654b956529e939ae8f8c30b9da7063aad501](https://github.com/auth0/node-jsonwebtoken/commit/29cd654b956529e939ae8f8c30b9da7063aad501)), closes [#529](https://github.com/auth0/node-jsonwebtoken/issues/529) | ||
### Test Improvements | ||
- Use lolex for faking date in tests (#491) ([677ead6d64482f2067b11437dda07309abe73cfa](https://github.com/auth0/node-jsonwebtoken/commit/677ead6d64482f2067b11437dda07309abe73cfa)), closes [#491](https://github.com/auth0/node-jsonwebtoken/issues/491) | ||
- Update dependencies used for running tests (#518) ([5498bdc4865ffb2ba2fd44d889fad7e83873bb33](https://github.com/auth0/node-jsonwebtoken/commit/5498bdc4865ffb2ba2fd44d889fad7e83873bb33)), closes [#518](https://github.com/auth0/node-jsonwebtoken/issues/518) | ||
- Minor test refactoring for recently added tests (#504) ([e2860a9d2a412627d79741a95bc7159971b923b9](https://github.com/auth0/node-jsonwebtoken/commit/e2860a9d2a412627d79741a95bc7159971b923b9)), closes [#504](https://github.com/auth0/node-jsonwebtoken/issues/504) | ||
- Create and implement async/sync test helpers (#523) ([683d8a9b31ad6327948f84268bd2c8e4350779d1](https://github.com/auth0/node-jsonwebtoken/commit/683d8a9b31ad6327948f84268bd2c8e4350779d1)), closes [#523](https://github.com/auth0/node-jsonwebtoken/issues/523) | ||
- Refactor tests related to audience and aud (#503) ([53d405e0223cce7c83cb51ecf290ca6bec1e9679](https://github.com/auth0/node-jsonwebtoken/commit/53d405e0223cce7c83cb51ecf290ca6bec1e9679)), closes [#503](https://github.com/auth0/node-jsonwebtoken/issues/503) | ||
- Refactor tests related to expiresIn and exp (#501) ([72f0d9e5b11a99082250665d1200c58182903fa6](https://github.com/auth0/node-jsonwebtoken/commit/72f0d9e5b11a99082250665d1200c58182903fa6)), closes [#501](https://github.com/auth0/node-jsonwebtoken/issues/501) | ||
- Refactor tests related to iat and maxAge (#507) ([877bd57ab2aca9b7d230805b21f921baed3da169](https://github.com/auth0/node-jsonwebtoken/commit/877bd57ab2aca9b7d230805b21f921baed3da169)), closes [#507](https://github.com/auth0/node-jsonwebtoken/issues/507) | ||
- Refactor tests related to iss and issuer (#543) ([0906a3fa80f52f959ac1b6343d3024ce5c7e9dea](https://github.com/auth0/node-jsonwebtoken/commit/0906a3fa80f52f959ac1b6343d3024ce5c7e9dea)), closes [#543](https://github.com/auth0/node-jsonwebtoken/issues/543) | ||
- Refactor tests related to kid and keyid (#545) ([88645427a0adb420bd3e149199a2a6bf1e17277e](https://github.com/auth0/node-jsonwebtoken/commit/88645427a0adb420bd3e149199a2a6bf1e17277e)), closes [#545](https://github.com/auth0/node-jsonwebtoken/issues/545) | ||
- Refactor tests related to notBefore and nbf (#497) ([39adf87a6faef3df984140f88e6724ddd709fd89](https://github.com/auth0/node-jsonwebtoken/commit/39adf87a6faef3df984140f88e6724ddd709fd89)), closes [#497](https://github.com/auth0/node-jsonwebtoken/issues/497) | ||
- Refactor tests related to subject and sub (#505) ([5a7fa23c0b4ac6c25304dab8767ef840b43a0eca](https://github.com/auth0/node-jsonwebtoken/commit/5a7fa23c0b4ac6c25304dab8767ef840b43a0eca)), closes [#505](https://github.com/auth0/node-jsonwebtoken/issues/505) | ||
- Implement async/sync tests for exp claim (#536) ([9ae3f207ac64b7450ea0a3434418f5ca58d8125e](https://github.com/auth0/node-jsonwebtoken/commit/9ae3f207ac64b7450ea0a3434418f5ca58d8125e)), closes [#536](https://github.com/auth0/node-jsonwebtoken/issues/536) | ||
- Implement async/sync tests for nbf claim (#537) ([88bc965061ed65299a395f42a100fb8f8c3c683e](https://github.com/auth0/node-jsonwebtoken/commit/88bc965061ed65299a395f42a100fb8f8c3c683e)), closes [#537](https://github.com/auth0/node-jsonwebtoken/issues/537) | ||
- Implement async/sync tests for sub claim (#534) ([342b07bb105a35739eb91265ba5b9dd33c300fc6](https://github.com/auth0/node-jsonwebtoken/commit/342b07bb105a35739eb91265ba5b9dd33c300fc6)), closes [#534](https://github.com/auth0/node-jsonwebtoken/issues/534) | ||
- Implement async/sync tests for the aud claim (#535) ([1c8ff5a68e6da73af2809c9d87faaf78602c99bb](https://github.com/auth0/node-jsonwebtoken/commit/1c8ff5a68e6da73af2809c9d87faaf78602c99bb)), closes [#535](https://github.com/auth0/node-jsonwebtoken/issues/535) | ||
### CI | ||
- Added Istanbul to check test-coverage (#468) ([9676a8306428a045e34c3987bd0680fb952b44e3](https://github.com/auth0/node-jsonwebtoken/commit/9676a8306428a045e34c3987bd0680fb952b44e3)), closes [#468](https://github.com/auth0/node-jsonwebtoken/issues/468) | ||
- Complete ESLint conversion and cleanup (#490) ([cb1d2e1e40547f7ecf29fa6635041df6cbba7f40](https://github.com/auth0/node-jsonwebtoken/commit/cb1d2e1e40547f7ecf29fa6635041df6cbba7f40)), closes [#490](https://github.com/auth0/node-jsonwebtoken/issues/490) | ||
- Make code-coverage mandatory when running tests (#495) ([fb0084a78535bfea8d0087c0870e7e3614a2cbe5](https://github.com/auth0/node-jsonwebtoken/commit/fb0084a78535bfea8d0087c0870e7e3614a2cbe5)), closes [#495](https://github.com/auth0/node-jsonwebtoken/issues/495) | ||
## 8.3.0 - 2018-06-11 | ||
@@ -9,0 +52,0 @@ |
{ | ||
"name": "jsonwebtoken", | ||
"version": "8.3.0", | ||
"version": "8.4.0", | ||
"description": "JSON Web Token implementation (symmetric and asymmetric)", | ||
"main": "index.js", | ||
"nyc": { | ||
"check-coverage": true, | ||
"lines": 95, | ||
"statements": 95, | ||
"functions": 100, | ||
"branches": 95, | ||
"exclude": [ | ||
"./test/**" | ||
], | ||
"reporter": [ | ||
"json", | ||
"lcov", | ||
"text-summary" | ||
] | ||
}, | ||
"scripts": { | ||
"test": "mocha --require test/util/fakeDate && nsp check && cost-of-modules" | ||
"lint": "eslint .", | ||
"coverage": "nyc mocha", | ||
"test": "npm run lint && npm run coverage && nsp check && cost-of-modules" | ||
}, | ||
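Review bot: the new `test` script still chains `nsp check` after lint and coverage, but the Node Security Platform service behind `nsp` was shut down on 30 September 2018, before this 8.4.0 release, so that step can no longer reach a vulnerability database and will either error or silently pass nothing; consider replacing it with `npm audit` (and dropping `nsp` from `devDependencies`). The rest of the change is sound: routing `test` through `npm run coverage` means the `nyc` thresholds declared above (`check-coverage: true`, 95% lines/statements/branches, 100% functions) now gate every test run, and `--require test/util/fakeDate` is no longer needed once time is faked in-test.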
@@ -33,13 +50,15 @@ "repository": { | ||
"devDependencies": { | ||
"atob": "^1.1.2", | ||
"chai": "^1.10.0", | ||
"atob": "^2.1.2", | ||
"chai": "^4.1.2", | ||
"conventional-changelog": "~1.1.0", | ||
"cost-of-modules": "^1.0.1", | ||
"mocha": "^2.1.0", | ||
"eslint": "^4.19.1", | ||
"mocha": "^5.2.0", | ||
"nsp": "^2.6.2", | ||
"sinon": "^1.15.4" | ||
"nyc": "^11.9.0", | ||
"sinon": "^6.0.0" | ||
}, | ||
"engines": { | ||
"npm": ">=1.4.28", | ||
"node": ">=0.12" | ||
"node": ">=4" | ||
}, | ||
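Review bot: raising `engines.node` from `>=0.12` to `>=4` is a step in the right direction but Node 4 itself reached end of life in April 2018, so the floor still advertises support for a runtime that no longer receives security fixes; consider `>=6` or `>=8` unless there is a concrete compatibility reason to keep 4. Also note that `nsp` remains in `devDependencies` even though the service it talks to has been discontinued, so it is dead weight for anyone installing the package for development.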
@@ -46,0 +65,0 @@ "files": [ |
# jsonwebtoken | ||
[![Build Status](https://secure.travis-ci.org/auth0/node-jsonwebtoken.svg?branch=master)](http://travis-ci.org/auth0/node-jsonwebtoken)[![Dependency Status](https://david-dm.org/auth0/node-jsonwebtoken.svg)](https://david-dm.org/auth0/node-jsonwebtoken) | ||
| **Build** | **Dependency** | | ||
|-----------|---------------| | ||
| [![Build Status](https://secure.travis-ci.org/auth0/node-jsonwebtoken.svg?branch=master)](http://travis-ci.org/auth0/node-jsonwebtoken) | [![Dependency Status](https://david-dm.org/auth0/node-jsonwebtoken.svg)](https://david-dm.org/auth0/node-jsonwebtoken) | | ||
@@ -28,4 +30,7 @@ | ||
`payload` could be an object literal, buffer or string representing valid JSON. *Please note that* `exp` or any other claim is only set if the payload is an object literal. Buffer or string payloads are not checked for JSON validity. | ||
`payload` could be an object literal, buffer or string representing valid JSON. | ||
> **Please _note_ that** `exp` or any other claim is only set if the payload is an object literal. Buffer or string payloads are not checked for JSON validity. | ||
> If `payload` is not a buffer or a string, it will be coerced into a string using `JSON.stringify`. | ||
`secretOrPrivateKey` is a string, buffer, or object containing either the secret for HMAC algorithms or the PEM | ||
@@ -37,4 +42,6 @@ encoded private key for RSA and ECDSA. In case of a private key with passphrase an object `{ key, passphrase }` can be used (based on [crypto documentation](https://nodejs.org/api/crypto.html#crypto_sign_sign_private_key_output_format)), in this case be sure you pass the `algorithm` option. | ||
* `algorithm` (default: `HS256`) | ||
* `expiresIn`: expressed in seconds or a string describing a time span [zeit/ms](https://github.com/zeit/ms). Eg: `60`, `"2 days"`, `"10h"`, `"7d"`. A numeric value is interpreted as a seconds count. If you use a string be sure you provide the time units (days, hours, etc), otherwise milliseconds unit is used by default (`"120"` is equal to `"120ms"`). | ||
* `notBefore`: expressed in seconds or a string describing a time span [zeit/ms](https://github.com/zeit/ms). Eg: `60`, `"2 days"`, `"10h"`, `"7d"`. A numeric value is interpreted as a seconds count. If you use a string be sure you provide the time units (days, hours, etc), otherwise milliseconds unit is used by default (`"120"` is equal to `"120ms"`). | ||
* `expiresIn`: expressed in seconds or a string describing a time span [zeit/ms](https://github.com/zeit/ms). | ||
> Eg: `60`, `"2 days"`, `"10h"`, `"7d"`. A numeric value is interpreted as a seconds count. If you use a string be sure you provide the time units (days, hours, etc), otherwise milliseconds unit is used by default (`"120"` is equal to `"120ms"`). | ||
* `notBefore`: expressed in seconds or a string describing a time span [zeit/ms](https://github.com/zeit/ms). | ||
> Eg: `60`, `"2 days"`, `"10h"`, `"7d"`. A numeric value is interpreted as a seconds count. If you use a string be sure you provide the time units (days, hours, etc), otherwise milliseconds unit is used by default (`"120"` is equal to `"120ms"`). | ||
* `audience` | ||
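Review bot: the `> Eg:` blockquote lines added directly under the `* expiresIn` and `* notBefore` bullets are not indented, so in CommonMark the `>` marker terminates the list rather than nesting inside the item, and the following `* audience` bullet starts a fresh list; indent the blockquote by two spaces (`  > Eg: ...`) or keep the example as a continuation paragraph of the bullet so the option list renders as one list. The same applies to the `> Eg:` lines added under `audience` and `maxAge` further down.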
@@ -49,6 +56,6 @@ * `issuer` | ||
If `payload` is not a buffer or a string, it will be coerced into a string using `JSON.stringify`. | ||
There are no default values for `expiresIn`, `notBefore`, `audience`, `subject`, `issuer`. These claims can also be provided in the payload directly with `exp`, `nbf`, `aud`, `sub` and `iss` respectively, but you can't include in both places. | ||
> There are no default values for `expiresIn`, `notBefore`, `audience`, `subject`, `issuer`. These claims can also be provided in the payload directly with `exp`, `nbf`, `aud`, `sub` and `iss` respectively, but you **_can't_** include in both places. | ||
Remember that `exp`, `nbf` and `iat` are **NumericDate**, see related [Token Expiration (exp claim)](#token-expiration-exp-claim) | ||
@@ -61,3 +68,3 @@ | ||
Sign with default (HMAC SHA256) | ||
Synchronous Sign with default (HMAC SHA256) | ||
@@ -69,3 +76,3 @@ ```js | ||
Sign with RSA SHA256 | ||
Synchronous Sign with RSA SHA256 | ||
```js | ||
@@ -137,3 +144,4 @@ // sign with RSA SHA256 | ||
* `algorithms`: List of strings with the names of the allowed algorithms. For instance, `["HS256", "HS384"]`. | ||
* `audience`: if you want to check audience (`aud`), provide a value here. The audience can be checked against a string, a regular expression or a list of strings and/or regular expressions. Eg: `"urn:foo"`, `/urn:f[o]{2}/`, `[/urn:f[o]{2}/, "urn:bar"]` | ||
* `audience`: if you want to check audience (`aud`), provide a value here. The audience can be checked against a string, a regular expression or a list of strings and/or regular expressions. | ||
> Eg: `"urn:foo"`, `/urn:f[o]{2}/`, `[/urn:f[o]{2}/, "urn:bar"]` | ||
* `issuer` (optional): string or array of strings of valid values for the `iss` field. | ||
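Review bot: the regular-expression examples for `audience` (`/urn:f[o]{2}/`) are unanchored, and since a RegExp audience is matched with `test()` rather than full-string equality an unanchored pattern also accepts an `aud` such as `urn:foobar` or `x-urn:foo`; the docs should show anchored patterns (`/^urn:f[o]{2}$/`) and state that a regular expression matches anywhere in the claim value unless anchored, because accepting a token for a broader audience than intended is exactly the failure `aud` checking exists to prevent.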
@@ -144,4 +152,6 @@ * `ignoreExpiration`: if `true` do not validate the expiration of the token. | ||
* `clockTolerance`: number of seconds to tolerate when checking the `nbf` and `exp` claims, to deal with small clock differences among different servers | ||
* `maxAge`: the maximum allowed age for tokens to still be valid. It is expressed in seconds or a string describing a time span [zeit/ms](https://github.com/zeit/ms). Eg: `1000`, `"2 days"`, `"10h"`, `"7d"`. A numeric value is interpreted as a seconds count. If you use a string be sure you provide the time units (days, hours, etc), otherwise milliseconds unit is used by default (`"120"` is equal to `"120ms"`). | ||
* `maxAge`: the maximum allowed age for tokens to still be valid. It is expressed in seconds or a string describing a time span [zeit/ms](https://github.com/zeit/ms). | ||
> Eg: `1000`, `"2 days"`, `"10h"`, `"7d"`. A numeric value is interpreted as a seconds count. If you use a string be sure you provide the time units (days, hours, etc), otherwise milliseconds unit is used by default (`"120"` is equal to `"120ms"`). | ||
* `clockTimestamp`: the time in seconds that should be used as the current time for all necessary comparisons. | ||
* `nonce`: if you want to check `nonce` claim, provide a string value here. It is used on Open ID for the ID Tokens. ([Open ID implementation notes](https://openid.net/specs/openid-connect-core-1_0.html#NonceNotes)) | ||
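Review bot: the new `nonce` entry should say what the check actually does: the value must be a non-empty string, it is compared for exact equality with the token's `nonce` claim, and when the option is omitted the claim is not checked at all. It is also worth one sentence that the value to pass is the per-session nonce the relying party generated when it started the authentication request, since that binding is the whole point of the OpenID Connect nonce the linked notes describe.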
@@ -231,3 +241,3 @@ | ||
__Warning:__ This will __not__ verify whether the signature is valid. You should __not__ use this for untrusted messages. You most likely want to use `jwt.verify` instead. | ||
> __Warning:__ This will __not__ verify whether the signature is valid. You should __not__ use this for untrusted messages. You most likely want to use `jwt.verify` instead. | ||
@@ -307,2 +317,26 @@ `token` is the JsonWebToken string | ||
### NotBeforeError | ||
Thrown if current time is before the nbf claim. | ||
Error object: | ||
* name: 'NotBeforeError' | ||
* message: 'jwt not active' | ||
* date: 2018-10-04T16:10:44.000Z | ||
```js | ||
jwt.verify(token, 'shhhhh', function(err, decoded) { | ||
if (err) { | ||
/* | ||
err = { | ||
name: 'NotBeforeError', | ||
message: 'jwt not active', | ||
date: 2018-10-04T16:10:44.000Z | ||
} | ||
*/ | ||
} | ||
}); | ||
``` | ||
## Algorithms supported | ||
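Review bot: the `NotBeforeError` section says the error is thrown "if current time is before the nbf claim" but omits that `clockTolerance` (documented above for both `nbf` and `exp`) widens that comparison; a short cross-reference would save readers from treating small cross-server skew as a bug. The `date` field in the example is shown as a bare ISO string inside a JavaScript object literal comment; noting that it is a `Date` object would match the `TokenExpiredError` convention and avoid readers comparing it as a string.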
@@ -327,5 +361,5 @@ | ||
First of all, we recommend to think carefully if auto-refreshing a JWT will not introduce any vulnerability in your system. | ||
First of all, we recommend you to think carefully if auto-refreshing a JWT will not introduce any vulnerability in your system. | ||
We are not comfortable including this as part of the library, however, you can take a look to [this example](https://gist.github.com/ziluvatar/a3feb505c4c0ec37059054537b38fc48) to show how this could be accomplished. | ||
We are not comfortable including this as part of the library, however, you can take a look at [this example](https://gist.github.com/ziluvatar/a3feb505c4c0ec37059054537b38fc48) to show how this could be accomplished. | ||
Apart from that example there are [an issue](https://github.com/auth0/node-jsonwebtoken/issues/122) and [a pull request](https://github.com/auth0/node-jsonwebtoken/pull/172) to get more knowledge about this topic. | ||
@@ -332,0 +366,0 @@ |
sign.js
@@ -12,4 +12,4 @@ var timespan = require('./lib/timespan'); | ||
var sign_options_schema = { | ||
expiresIn: { isValid: function(value) { return isInteger(value) || isString(value); }, message: '"expiresIn" should be a number of seconds or string representing a timespan' }, | ||
notBefore: { isValid: function(value) { return isInteger(value) || isString(value); }, message: '"notBefore" should be a number of seconds or string representing a timespan' }, | ||
expiresIn: { isValid: function(value) { return isInteger(value) || (isString(value) && value); }, message: '"expiresIn" should be a number of seconds or string representing a timespan' }, | ||
notBefore: { isValid: function(value) { return isInteger(value) || (isString(value) && value); }, message: '"notBefore" should be a number of seconds or string representing a timespan' }, | ||
audience: { isValid: function(value) { return isString(value) || Array.isArray(value); }, message: '"audience" must be a string or array' }, | ||
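Review bot: `isInteger(value) || (isString(value) && value)` makes `isValid` return the string itself rather than a boolean, which works only because the caller treats the result as truthy; `(isString(value) && value.length > 0)` states the intent (reject the empty string that #531 reported) explicitly and keeps the validator's contract boolean. A whitespace-only string such as `" "` still passes this check and has to be caught by the later `typeof payload.exp === 'undefined'` branch, so either trim here or mention in the message that the string must be a non-empty timespan.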
@@ -151,3 +151,8 @@ algorithm: { isValid: includes.bind(null, ['RS256', 'RS384', 'RS512', 'ES256', 'ES384', 'ES512', 'HS256', 'HS384', 'HS512', 'none']), message: '"algorithm" must be a valid string enum value' }, | ||
if (typeof options.notBefore !== 'undefined') { | ||
payload.nbf = timespan(options.notBefore, timestamp); | ||
try { | ||
payload.nbf = timespan(options.notBefore, timestamp); | ||
} | ||
catch (err) { | ||
return failure(err); | ||
} | ||
if (typeof payload.nbf === 'undefined') { | ||
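Review bot: the `catch (err)` returns whatever error `timespan` threw, so the caller sees the underlying parser's message rather than the library's own `"notBefore" should be a number of seconds or string representing a timespan eg: "1d", "20h", 60` error used three lines below for the `undefined` case; wrapping the caught error in that same message (or a `JsonWebTokenError`) would give callers one consistent error for a bad `notBefore` regardless of which path rejected it.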
@@ -159,3 +164,8 @@ return failure(new Error('"notBefore" should be a number of seconds or string representing a timespan eg: "1d", "20h", 60')); | ||
if (typeof options.expiresIn !== 'undefined' && typeof payload === 'object') { | ||
payload.exp = timespan(options.expiresIn, timestamp); | ||
try { | ||
payload.exp = timespan(options.expiresIn, timestamp); | ||
} | ||
catch (err) { | ||
return failure(err); | ||
} | ||
if (typeof payload.exp === 'undefined') { | ||
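Review bot: this branch is guarded by `typeof payload === 'object'` while the `notBefore` branch in the previous hunk is not; if an earlier validation already rejects `notBefore` for string or buffer payloads the guard here is redundant and could be dropped for symmetry, otherwise the `nbf` branch needs the same guard, since assigning a property on a string payload silently does nothing and the token would be issued without the claim the caller asked for. Either way the same wrapping of the caught error suggested for `notBefore` applies here.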
@@ -162,0 +172,0 @@ return failure(new Error('"expiresIn" should be a number of seconds or string representing a timespan eg: "1d", "20h", 60')); |
@@ -36,2 +36,6 @@ var JsonWebTokenError = require('./lib/JsonWebTokenError'); | ||
if (options.nonce !== undefined && (typeof options.nonce !== 'string' || options.nonce.trim() === '')) { | ||
return done(new JsonWebTokenError('nonce must be a non-empty string')); | ||
} | ||
var clockTimestamp = options.clockTimestamp || Math.floor(Date.now() / 1000); | ||
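Review bot: rejecting a non-string or whitespace-only `nonce` option up front is the right call, but because the test is `options.nonce !== undefined`, passing `nonce: null` (a common pattern when the session nonce is looked up conditionally) now fails with `nonce must be a non-empty string` instead of skipping the check; document that `undefined` is the only value that disables nonce validation, or treat `null` the same as absent. Note also that `trim()` is used only to detect blanks; a value with surrounding whitespace is kept as-is and compared verbatim, which is correct but worth a comment.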
@@ -183,2 +187,8 @@ | ||
if (options.nonce) { | ||
if (payload.nonce !== options.nonce) { | ||
return done(new JsonWebTokenError('jwt nonce invalid. expected: ' + options.nonce)); | ||
} | ||
} | ||
if (options.maxAge) { | ||
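Review bot: the comparison is gated on `if (options.nonce)`, so a token that carries a `nonce` claim is accepted without any nonce check whenever the caller omits the option; that is the intended opt-in behaviour but it should be stated in the README entry so integrators do not assume the claim is validated by default. The error message appends the expected nonce (`'jwt nonce invalid. expected: ' + options.nonce`); this mirrors the existing `aud` and `iss` messages, but if these errors are ever relayed to a client it discloses the session-bound value the check is comparing against, so consider omitting it or logging it server-side only.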
@@ -185,0 +195,0 @@ if (typeof payload.iat !== 'number') { |