jsonwebtoken - npm Package Compare versions

Comparing version 8.3.0 to 8.4.0

CHANGELOG.md

		@@ -7,2 +7,45 @@ # Change Log

		## 8.4.0 - 2018-11-14

		### New Functionality

		- Add verify option for nonce validation (#540) ([e7938f06fdf2ed3aa88745b72b8ae4ee66c2d0d0](https://github.com/auth0/node-jsonwebtoken/commit/e7938f06fdf2ed3aa88745b72b8ae4ee66c2d0d0)), closes [#540](https://github.com/auth0/node-jsonwebtoken/issues/540)

		### Bug Fixes

		- Updating Node version in Engines spec in package.json (#528) ([cfd1079305170a897dee6a5f55039783e6ee2711](https://github.com/auth0/node-jsonwebtoken/commit/cfd1079305170a897dee6a5f55039783e6ee2711)), closes [#528](https://github.com/auth0/node-jsonwebtoken/issues/528) [#509](https://github.com/auth0/node-jsonwebtoken/issues/509)
		- Fixed error message when empty string passed as expiresIn or notBefore option (#531) ([7f9604ac98d4d0ff8d873c3d2b2ea64bd285cb76](https://github.com/auth0/node-jsonwebtoken/commit/7f9604ac98d4d0ff8d873c3d2b2ea64bd285cb76)), closes [#531](https://github.com/auth0/node-jsonwebtoken/issues/531)

		### Docs

		- Update README.md (#527) ([b76f2a80f5229ee5cde321dd2ff14aa5df16d283](https://github.com/auth0/node-jsonwebtoken/commit/b76f2a80f5229ee5cde321dd2ff14aa5df16d283)), closes [#527](https://github.com/auth0/node-jsonwebtoken/issues/527)
		- Update README.md (#538) ([1956c4006472fd285b8a85074257cbdbe9131cbf](https://github.com/auth0/node-jsonwebtoken/commit/1956c4006472fd285b8a85074257cbdbe9131cbf)), closes [#538](https://github.com/auth0/node-jsonwebtoken/issues/538)
		- Edited the README.md to make certain parts of the document for the api easier to read, emphasizing the examples. (#548) ([dc89a641293d42f72ecfc623ce2eabc33954cb9d](https://github.com/auth0/node-jsonwebtoken/commit/dc89a641293d42f72ecfc623ce2eabc33954cb9d)), closes [#548](https://github.com/auth0/node-jsonwebtoken/issues/548)
		- Document NotBeforeError (#529) ([29cd654b956529e939ae8f8c30b9da7063aad501](https://github.com/auth0/node-jsonwebtoken/commit/29cd654b956529e939ae8f8c30b9da7063aad501)), closes [#529](https://github.com/auth0/node-jsonwebtoken/issues/529)

		### Test Improvements

		- Use lolex for faking date in tests (#491) ([677ead6d64482f2067b11437dda07309abe73cfa](https://github.com/auth0/node-jsonwebtoken/commit/677ead6d64482f2067b11437dda07309abe73cfa)), closes [#491](https://github.com/auth0/node-jsonwebtoken/issues/491)
		- Update dependencies used for running tests (#518) ([5498bdc4865ffb2ba2fd44d889fad7e83873bb33](https://github.com/auth0/node-jsonwebtoken/commit/5498bdc4865ffb2ba2fd44d889fad7e83873bb33)), closes [#518](https://github.com/auth0/node-jsonwebtoken/issues/518)
		- Minor test refactoring for recently added tests (#504) ([e2860a9d2a412627d79741a95bc7159971b923b9](https://github.com/auth0/node-jsonwebtoken/commit/e2860a9d2a412627d79741a95bc7159971b923b9)), closes [#504](https://github.com/auth0/node-jsonwebtoken/issues/504)
		- Create and implement async/sync test helpers (#523) ([683d8a9b31ad6327948f84268bd2c8e4350779d1](https://github.com/auth0/node-jsonwebtoken/commit/683d8a9b31ad6327948f84268bd2c8e4350779d1)), closes [#523](https://github.com/auth0/node-jsonwebtoken/issues/523)
		- Refactor tests related to audience and aud (#503) ([53d405e0223cce7c83cb51ecf290ca6bec1e9679](https://github.com/auth0/node-jsonwebtoken/commit/53d405e0223cce7c83cb51ecf290ca6bec1e9679)), closes [#503](https://github.com/auth0/node-jsonwebtoken/issues/503)
		- Refactor tests related to expiresIn and exp (#501) ([72f0d9e5b11a99082250665d1200c58182903fa6](https://github.com/auth0/node-jsonwebtoken/commit/72f0d9e5b11a99082250665d1200c58182903fa6)), closes [#501](https://github.com/auth0/node-jsonwebtoken/issues/501)
		- Refactor tests related to iat and maxAge (#507) ([877bd57ab2aca9b7d230805b21f921baed3da169](https://github.com/auth0/node-jsonwebtoken/commit/877bd57ab2aca9b7d230805b21f921baed3da169)), closes [#507](https://github.com/auth0/node-jsonwebtoken/issues/507)
		- Refactor tests related to iss and issuer (#543) ([0906a3fa80f52f959ac1b6343d3024ce5c7e9dea](https://github.com/auth0/node-jsonwebtoken/commit/0906a3fa80f52f959ac1b6343d3024ce5c7e9dea)), closes [#543](https://github.com/auth0/node-jsonwebtoken/issues/543)
		- Refactor tests related to kid and keyid (#545) ([88645427a0adb420bd3e149199a2a6bf1e17277e](https://github.com/auth0/node-jsonwebtoken/commit/88645427a0adb420bd3e149199a2a6bf1e17277e)), closes [#545](https://github.com/auth0/node-jsonwebtoken/issues/545)
		- Refactor tests related to notBefore and nbf (#497) ([39adf87a6faef3df984140f88e6724ddd709fd89](https://github.com/auth0/node-jsonwebtoken/commit/39adf87a6faef3df984140f88e6724ddd709fd89)), closes [#497](https://github.com/auth0/node-jsonwebtoken/issues/497)
		- Refactor tests related to subject and sub (#505) ([5a7fa23c0b4ac6c25304dab8767ef840b43a0eca](https://github.com/auth0/node-jsonwebtoken/commit/5a7fa23c0b4ac6c25304dab8767ef840b43a0eca)), closes [#505](https://github.com/auth0/node-jsonwebtoken/issues/505)
		- Implement async/sync tests for exp claim (#536) ([9ae3f207ac64b7450ea0a3434418f5ca58d8125e](https://github.com/auth0/node-jsonwebtoken/commit/9ae3f207ac64b7450ea0a3434418f5ca58d8125e)), closes [#536](https://github.com/auth0/node-jsonwebtoken/issues/536)
		- Implement async/sync tests for nbf claim (#537) ([88bc965061ed65299a395f42a100fb8f8c3c683e](https://github.com/auth0/node-jsonwebtoken/commit/88bc965061ed65299a395f42a100fb8f8c3c683e)), closes [#537](https://github.com/auth0/node-jsonwebtoken/issues/537)
		- Implement async/sync tests for sub claim (#534) ([342b07bb105a35739eb91265ba5b9dd33c300fc6](https://github.com/auth0/node-jsonwebtoken/commit/342b07bb105a35739eb91265ba5b9dd33c300fc6)), closes [#534](https://github.com/auth0/node-jsonwebtoken/issues/534)
		- Implement async/sync tests for the aud claim (#535) ([1c8ff5a68e6da73af2809c9d87faaf78602c99bb](https://github.com/auth0/node-jsonwebtoken/commit/1c8ff5a68e6da73af2809c9d87faaf78602c99bb)), closes [#535](https://github.com/auth0/node-jsonwebtoken/issues/535)

		### CI

		- Added Istanbul to check test-coverage (#468) ([9676a8306428a045e34c3987bd0680fb952b44e3](https://github.com/auth0/node-jsonwebtoken/commit/9676a8306428a045e34c3987bd0680fb952b44e3)), closes [#468](https://github.com/auth0/node-jsonwebtoken/issues/468)
		- Complete ESLint conversion and cleanup (#490) ([cb1d2e1e40547f7ecf29fa6635041df6cbba7f40](https://github.com/auth0/node-jsonwebtoken/commit/cb1d2e1e40547f7ecf29fa6635041df6cbba7f40)), closes [#490](https://github.com/auth0/node-jsonwebtoken/issues/490)
		- Make code-coverage mandatory when running tests (#495) ([fb0084a78535bfea8d0087c0870e7e3614a2cbe5](https://github.com/auth0/node-jsonwebtoken/commit/fb0084a78535bfea8d0087c0870e7e3614a2cbe5)), closes [#495](https://github.com/auth0/node-jsonwebtoken/issues/495)


		## 8.3.0 - 2018-06-11
		@@ -9,0 +52,0 @@

package.json

		{
		"name": "jsonwebtoken",
		"version": "8.3.0",
		"version": "8.4.0",
		"description": "JSON Web Token implementation (symmetric and asymmetric)",
		"main": "index.js",
		"nyc": {
		"check-coverage": true,
		"lines": 95,
		"statements": 95,
		"functions": 100,
		"branches": 95,
		"exclude": [
		"./test/**"
		],
		"reporter": [
		"json",
		"lcov",
		"text-summary"
		]
		},
		"scripts": {
		"test": "mocha --require test/util/fakeDate && nsp check && cost-of-modules"
		"lint": "eslint .",
		"coverage": "nyc mocha",
		"test": "npm run lint && npm run coverage && nsp check && cost-of-modules"
		},
		@@ -33,13 +50,15 @@ "repository": {
		"devDependencies": {
		"atob": "^1.1.2",
		"chai": "^1.10.0",
		"atob": "^2.1.2",
		"chai": "^4.1.2",
		"conventional-changelog": "~1.1.0",
		"cost-of-modules": "^1.0.1",
		"mocha": "^2.1.0",
		"eslint": "^4.19.1",
		"mocha": "^5.2.0",
		"nsp": "^2.6.2",
		"sinon": "^1.15.4"
		"nyc": "^11.9.0",
		"sinon": "^6.0.0"
		},
		"engines": {
		"npm": ">=1.4.28",
		"node": ">=0.12"
		"node": ">=4"
		},
		@@ -46,0 +65,0 @@ "files": [

README.md

		# jsonwebtoken

		[![Build Status](https://secure.travis-ci.org/auth0/node-jsonwebtoken.svg?branch=master)](http://travis-ci.org/auth0/node-jsonwebtoken)[![Dependency Status](https://david-dm.org/auth0/node-jsonwebtoken.svg)](https://david-dm.org/auth0/node-jsonwebtoken)
		\| Build \| Dependency \|
		\|-----------\|---------------\|
		\| [![Build Status](https://secure.travis-ci.org/auth0/node-jsonwebtoken.svg?branch=master)](http://travis-ci.org/auth0/node-jsonwebtoken) \| [![Dependency Status](https://david-dm.org/auth0/node-jsonwebtoken.svg)](https://david-dm.org/auth0/node-jsonwebtoken) \|

		@@ -28,4 +30,7 @@

		`payload` could be an object literal, buffer or string representing valid JSON. Please note that `exp` or any other claim is only set if the payload is an object literal. Buffer or string payloads are not checked for JSON validity.
		`payload` could be an object literal, buffer or string representing valid JSON.
		> Please _note_ that `exp` or any other claim is only set if the payload is an object literal. Buffer or string payloads are not checked for JSON validity.

		> If `payload` is not a buffer or a string, it will be coerced into a string using `JSON.stringify`.

		`secretOrPrivateKey` is a string, buffer, or object containing either the secret for HMAC algorithms or the PEM
		@@ -37,4 +42,6 @@ encoded private key for RSA and ECDSA. In case of a private key with passphrase an object `{ key, passphrase }` can be used (based on [crypto documentation](https://nodejs.org/api/crypto.html#crypto_sign_sign_private_key_output_format)), in this case be sure you pass the `algorithm` option.
		* `algorithm` (default: `HS256`)
		* `expiresIn`: expressed in seconds or a string describing a time span [zeit/ms](https://github.com/zeit/ms). Eg: `60`, `"2 days"`, `"10h"`, `"7d"`. A numeric value is interpreted as a seconds count. If you use a string be sure you provide the time units (days, hours, etc), otherwise milliseconds unit is used by default (`"120"` is equal to `"120ms"`).
		* `notBefore`: expressed in seconds or a string describing a time span [zeit/ms](https://github.com/zeit/ms). Eg: `60`, `"2 days"`, `"10h"`, `"7d"`. A numeric value is interpreted as a seconds count. If you use a string be sure you provide the time units (days, hours, etc), otherwise milliseconds unit is used by default (`"120"` is equal to `"120ms"`).
		* `expiresIn`: expressed in seconds or a string describing a time span [zeit/ms](https://github.com/zeit/ms).
		> Eg: `60`, `"2 days"`, `"10h"`, `"7d"`. A numeric value is interpreted as a seconds count. If you use a string be sure you provide the time units (days, hours, etc), otherwise milliseconds unit is used by default (`"120"` is equal to `"120ms"`).
		* `notBefore`: expressed in seconds or a string describing a time span [zeit/ms](https://github.com/zeit/ms).
		> Eg: `60`, `"2 days"`, `"10h"`, `"7d"`. A numeric value is interpreted as a seconds count. If you use a string be sure you provide the time units (days, hours, etc), otherwise milliseconds unit is used by default (`"120"` is equal to `"120ms"`).
		* `audience`
		@@ -49,6 +56,6 @@ * `issuer`

		If `payload` is not a buffer or a string, it will be coerced into a string using `JSON.stringify`.

		There are no default values for `expiresIn`, `notBefore`, `audience`, `subject`, `issuer`. These claims can also be provided in the payload directly with `exp`, `nbf`, `aud`, `sub` and `iss` respectively, but you can't include in both places.

		> There are no default values for `expiresIn`, `notBefore`, `audience`, `subject`, `issuer`. These claims can also be provided in the payload directly with `exp`, `nbf`, `aud`, `sub` and `iss` respectively, but you _can't_ include in both places.

		Remember that `exp`, `nbf` and `iat` are NumericDate, see related [Token Expiration (exp claim)](#token-expiration-exp-claim)
		@@ -61,3 +68,3 @@

		Sign with default (HMAC SHA256)
		Synchronous Sign with default (HMAC SHA256)

		@@ -69,3 +76,3 @@ ```js

		Sign with RSA SHA256
		Synchronous Sign with RSA SHA256
		```js
		@@ -137,3 +144,4 @@ // sign with RSA SHA256
		* `algorithms`: List of strings with the names of the allowed algorithms. For instance, `["HS256", "HS384"]`.
		* `audience`: if you want to check audience (`aud`), provide a value here. The audience can be checked against a string, a regular expression or a list of strings and/or regular expressions. Eg: `"urn:foo"`, `/urn:f[o]{2}/`, `[/urn:f[o]{2}/, "urn:bar"]`
		* `audience`: if you want to check audience (`aud`), provide a value here. The audience can be checked against a string, a regular expression or a list of strings and/or regular expressions.
		> Eg: `"urn:foo"`, `/urn:f[o]{2}/`, `[/urn:f[o]{2}/, "urn:bar"]`
		* `issuer` (optional): string or array of strings of valid values for the `iss` field.
		@@ -144,4 +152,6 @@ * `ignoreExpiration`: if `true` do not validate the expiration of the token.
		* `clockTolerance`: number of seconds to tolerate when checking the `nbf` and `exp` claims, to deal with small clock differences among different servers
		* `maxAge`: the maximum allowed age for tokens to still be valid. It is expressed in seconds or a string describing a time span [zeit/ms](https://github.com/zeit/ms). Eg: `1000`, `"2 days"`, `"10h"`, `"7d"`. A numeric value is interpreted as a seconds count. If you use a string be sure you provide the time units (days, hours, etc), otherwise milliseconds unit is used by default (`"120"` is equal to `"120ms"`).
		* `maxAge`: the maximum allowed age for tokens to still be valid. It is expressed in seconds or a string describing a time span [zeit/ms](https://github.com/zeit/ms).
		> Eg: `1000`, `"2 days"`, `"10h"`, `"7d"`. A numeric value is interpreted as a seconds count. If you use a string be sure you provide the time units (days, hours, etc), otherwise milliseconds unit is used by default (`"120"` is equal to `"120ms"`).
		* `clockTimestamp`: the time in seconds that should be used as the current time for all necessary comparisons.
		* `nonce`: if you want to check `nonce` claim, provide a string value here. It is used on Open ID for the ID Tokens. ([Open ID implementation notes](https://openid.net/specs/openid-connect-core-1_0.html#NonceNotes))

		@@ -231,3 +241,3 @@

		__Warning:__ This will __not__ verify whether the signature is valid. You should __not__ use this for untrusted messages. You most likely want to use `jwt.verify` instead.
		> __Warning:__ This will __not__ verify whether the signature is valid. You should __not__ use this for untrusted messages. You most likely want to use `jwt.verify` instead.

		@@ -307,2 +317,26 @@ `token` is the JsonWebToken string

		### NotBeforeError
		Thrown if current time is before the nbf claim.

		Error object:

		* name: 'NotBeforeError'
		* message: 'jwt not active'
		* date: 2018-10-04T16:10:44.000Z

		```js
		jwt.verify(token, 'shhhhh', function(err, decoded) {
		if (err) {
		/*
		err = {
		name: 'NotBeforeError',
		message: 'jwt not active',
		date: 2018-10-04T16:10:44.000Z
		}
		*/
		}
		});
		```


		## Algorithms supported
		@@ -327,5 +361,5 @@

		First of all, we recommend to think carefully if auto-refreshing a JWT will not introduce any vulnerability in your system.
		First of all, we recommend you to think carefully if auto-refreshing a JWT will not introduce any vulnerability in your system.

		We are not comfortable including this as part of the library, however, you can take a look to [this example](https://gist.github.com/ziluvatar/a3feb505c4c0ec37059054537b38fc48) to show how this could be accomplished.
		We are not comfortable including this as part of the library, however, you can take a look at [this example](https://gist.github.com/ziluvatar/a3feb505c4c0ec37059054537b38fc48) to show how this could be accomplished.
		Apart from that example there are [an issue](https://github.com/auth0/node-jsonwebtoken/issues/122) and [a pull request](https://github.com/auth0/node-jsonwebtoken/pull/172) to get more knowledge about this topic.
		@@ -332,0 +366,0 @@

sign.js

		@@ -12,4 +12,4 @@ var timespan = require('./lib/timespan');
		var sign_options_schema = {
		expiresIn: { isValid: function(value) { return isInteger(value) \|\| isString(value); }, message: '"expiresIn" should be a number of seconds or string representing a timespan' },
		notBefore: { isValid: function(value) { return isInteger(value) \|\| isString(value); }, message: '"notBefore" should be a number of seconds or string representing a timespan' },
		expiresIn: { isValid: function(value) { return isInteger(value) \|\| (isString(value) && value); }, message: '"expiresIn" should be a number of seconds or string representing a timespan' },
		notBefore: { isValid: function(value) { return isInteger(value) \|\| (isString(value) && value); }, message: '"notBefore" should be a number of seconds or string representing a timespan' },
		audience: { isValid: function(value) { return isString(value) \|\| Array.isArray(value); }, message: '"audience" must be a string or array' },
		@@ -151,3 +151,8 @@ algorithm: { isValid: includes.bind(null, ['RS256', 'RS384', 'RS512', 'ES256', 'ES384', 'ES512', 'HS256', 'HS384', 'HS512', 'none']), message: '"algorithm" must be a valid string enum value' },
		if (typeof options.notBefore !== 'undefined') {
		payload.nbf = timespan(options.notBefore, timestamp);
		try {
		payload.nbf = timespan(options.notBefore, timestamp);
		}
		catch (err) {
		return failure(err);
		}
		if (typeof payload.nbf === 'undefined') {
		@@ -159,3 +164,8 @@ return failure(new Error('"notBefore" should be a number of seconds or string representing a timespan eg: "1d", "20h", 60'));
		if (typeof options.expiresIn !== 'undefined' && typeof payload === 'object') {
		payload.exp = timespan(options.expiresIn, timestamp);
		try {
		payload.exp = timespan(options.expiresIn, timestamp);
		}
		catch (err) {
		return failure(err);
		}
		if (typeof payload.exp === 'undefined') {
		@@ -162,0 +172,0 @@ return failure(new Error('"expiresIn" should be a number of seconds or string representing a timespan eg: "1d", "20h", 60'));

verify.js

		@@ -36,2 +36,6 @@ var JsonWebTokenError = require('./lib/JsonWebTokenError');

		if (options.nonce !== undefined && (typeof options.nonce !== 'string' \|\| options.nonce.trim() === '')) {
		return done(new JsonWebTokenError('nonce must be a non-empty string'));
		}

		var clockTimestamp = options.clockTimestamp \|\| Math.floor(Date.now() / 1000);
		@@ -183,2 +187,8 @@

		if (options.nonce) {
		if (payload.nonce !== options.nonce) {
		return done(new JsonWebTokenError('jwt nonce invalid. expected: ' + options.nonce));
		}
		}

		if (options.maxAge) {
		@@ -185,0 +195,0 @@ if (typeof payload.iat !== 'number') {

jsonwebtoken - npm Package Compare versions

New alerts

Fixed alerts

Improved metrics

Worsened metrics