Research
Security News
Malicious npm Packages Inject SSH Backdoors via Typosquatted Libraries
Socket’s threat research team has detected six malicious npm packages typosquatting popular libraries to insert SSH backdoors.
Command line tool that generates JWT tokens that helps in the testing of applications.
Install via npm.
npm install -g jwtgen
The following command will generate a JWT using HMAC-SHA256, a shared secret of my-secret
, expires in 1 hour and contains user id of user123
as the iss
value.
jwtgen -a HS256 -s "my-secret" -c "iss=user123" -e 3600
eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJpc3MiOiJ1c2VyMTIzNCIsImlhdCI6MTQ
1NzU1NTQwNSwiZXhwIjoxNDU3NTU5MDA1fQ.nixEkSKDkru92TBsxdzR8GLANIGQrkRa7E21
C-luNg
If the same command is run with the -v
option, a more verbose output is displayed.
jwtgen -a HS256 -s "my-secret" -c "iss=user123" -e 3600 -v
algorithm: HS256
claims:
{
"iss": "user1234",
"iat": 1457555405,
"exp": 1457559005
}
token:
eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJpc3MiOiJ1c2VyMTIzNCIsImlhdCI6MTQ
1NzU1NTQwNSwiZXhwIjoxNDU3NTU5MDA1fQ.nixEkSKDkru92TBsxdzR8GLANIGQrkRa7E21
C-luNg
Expired tokens can be generated by specifying an offset to the iat
value. The following example issues the token 1 hour (3600 seconds) in the past and expires at the generated time.
jwtgen -a HS256 -s "my-secret" -c "iss=user1234" -i=-3600 -e 3600 -v
algorithm: HS256
claims:
{
"iss": "user1234",
"iat": 1457552128,
"exp": 1457555728
}
token:
eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJpc3MiOiJ1c2VyMTIzNCIsImlhdCI6MTQ
1NzU1MjEyOCwiZXhwIjoxNDU3NTU1NzI4fQ.1SoNk-bCy8l3stfN8q4yrjBjbQkaRWP8AMyP
joDDeHE
Tokens that are not yet valid can be generated by specifying the iat
value directly as in the following example:
jwtgen -a HS256 -s "my-secret" -c "iss=user1234" -i=1557555728 -e 3600 -v
algorithm: HS256
claims:
{
"iss": "user1234",
"iat": 1557555728,
"exp": 1557559328
}
token:
eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJpc3MiOiJ1c2VyMTIzNCIsImlhdCI6MTU
1NzU1NTcyOCwiZXhwIjoxNTU3NTU5MzI4fQ.kFt-wgNGIQmB4z-G47yQqGfPPW1FSeyKTFdl
8h5elOQ
Running the --help
command will display a list of options that can be used.
jwtgen --help
Usage: jwtgen [options]
Options:
-a, --algorithm algorithm
[required] [choices: "HS256", "HS384", "HS512", "RS256"]
-s, --secret secret value for HMAC algorithm [string]
-p, --private private key file (required for RS256 algorithm) [string]
-c, --claim claim in the form [key=value] [string]
--claims JSON string containing claims [string]
-h, --header header in the form [key=value] [string]
--headers JSON string containing headers [string]
-i, --iat issued at (iat) in seconds from the UNIX epoch [default: now]
-e, --exp expiry date in seconds from issued at (iat) time
-v, --verbose verbose output [boolean]
--help Show help [boolean]
Copyright (c) 2016, Vandium Software Inc. All rights reserved.
Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met: * Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer. * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution. * Neither the name of Vandium Software Inc. nor the names of its contributors may be used to endorse or promote products derived from this software without specific prior written permission.
THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL VANDIUM SOFTWARE INC. BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
2.2.0 (2017-06-14)
FAQs
JWT key generator
The npm package jwtgen receives a total of 669 weekly downloads. As such, jwtgen popularity was classified as not popular.
We found that jwtgen demonstrated a not healthy version release cadence and project activity because the last version was released a year ago. It has 1 open source maintainer collaborating on the project.
Did you know?
Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.
Research
Security News
Socket’s threat research team has detected six malicious npm packages typosquatting popular libraries to insert SSH backdoors.
Security News
MITRE's 2024 CWE Top 25 highlights critical software vulnerabilities like XSS, SQL Injection, and CSRF, reflecting shifts due to a refined ranking methodology.
Security News
In this segment of the Risky Business podcast, Feross Aboukhadijeh and Patrick Gray discuss the challenges of tracking malware discovered in open source softare.