Keep It Simple, Stupid, Secure and Fast JWT module
Most of the time, people use node-jsonwebtoken and express-jwt without any cache mechanism for verifying tokens. This costs a lot of CPU for each request on the server side. On the client side, the token is generated once with an infinite expiration timestamp, which is not very secure. The first purpose of this module is to solve these two problems.
When discovering JWT, you do not know which signing algorithm to choose or where to put your data (issuer, audience, ...). This module settles this for you: it chooses a highly secure algorithm by default. If you want another algorithm, fork it. The algorithm used is asymmetric, which allows the client to generate a token itself without having to exchange a secret with the server: only the public key is exchanged.
To save extra bandwidth, it lets you define only two parameters: a client id ("Alice", the issuer) and a server id ("Bob", the audience). The generated token allows only Alice (clientId) to speak exclusively to Bob (serverId).
Main purpose: be plug'n'play for developers who do not have a lot of time.
npm install kitten-jwt --save
On the client side, using the request module for example:
var jwt = require('kitten-jwt');
// Generate an ephemeral JWT token (short expiration date), auto-renewed every 12 hours by default.
// This function is very fast (uses a cache), so it can be called for every HTTP request.
var token = jwt.getToken('client-id-1220202', 'server-app-name', 'privKeyOfTheClient');
// Insert the token in the HTTP header; it will be parsed by jwt.verifyHTTPHeaderFn automatically.
request.setHeader('Authorization', 'Bearer ' + token); // the "Bearer" keyword is optional
Or, if your client is a browser, store the JWT in a cookie instead of the Authorization header. With ExpressJS:
// Let the browser send it back automatically.
// Do not forget to refresh it before the 12-hour expiration.
response.cookie('access_token', token);
On the server side, with ExpressJS:
var jwt = require('kitten-jwt');
// Custom method to get the client public key; kitten-jwt caches the result automatically.
function getPublicKeyFn(req, res, payload, callback) {
  var _clientId = payload.iss;
  // Do whatever you want (db query, file read, ...) to return the public key.
  // It also accepts an array of public keys: ['pubKeyOfTheClient1', 'pubKeyOfTheClient2']
  return callback('pubKeyOfTheClient');
}
// Use the helper function to verify the token in an express middleware.
// This function is very fast (uses lru-cache).
// It searches for the JWT in req.header.authorization, then in req.header.cookie.<access_token>
express().use(jwt.verifyHTTPHeaderFn('server-app-name', getPublicKeyFn));
// If the public key changes:
jwt.resetCache();
// In other middleware, you can read the JWT payload object added by verifyHTTPHeaderFn:
console.log(req.jwtPayload);
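The middleware above looks for the token first in the Authorization header (with or without the "Bearer" keyword) and then in the access_token cookie. The following is an added example, not kitten-jwt's own code, showing that lookup order on a plain headers object (the `extractToken` name and the `headers` argument shape are this example's own assumptions); it is careful not to mistake another scheme such as Basic auth for a bare token.

```javascript
// Added example (not kitten-jwt's code): locate the JWT the way the README describes.
// Order: Authorization header (optional "Bearer" prefix), then the access_token cookie.

// Returns the token found in an Authorization header value, or null.
function tokenFromAuthorization(auth) {
  if (typeof auth !== 'string') return null;
  const parts = auth.trim().split(/\s+/).filter((p) => p !== '');
  if (parts.length === 1) return parts[0];                   // bare token
  if (parts.length === 2 && /^bearer$/i.test(parts[0])) return parts[1]; // "Bearer <token>"
  return null;                                               // e.g. "Basic xxx": not ours
}

// Returns the value of the access_token cookie from a Cookie header value, or null.
function tokenFromCookie(cookieHeader) {
  if (typeof cookieHeader !== 'string') return null;
  for (const part of cookieHeader.split(';')) {
    const idx = part.indexOf('=');
    if (idx === -1) continue;
    if (part.slice(0, idx).trim() !== 'access_token') continue; // exact cookie name only
    const value = part.slice(idx + 1).trim();
    return value === '' ? null : decodeURIComponent(value);
  }
  return null;
}

// headers: a plain object keyed by lower-cased header names, as Node's req.headers is.
function extractToken(headers) {
  return tokenFromAuthorization(headers.authorization) || tokenFromCookie(headers.cookie);
}

// Constructed sample requests for a quick demonstration.
console.log(extractToken({ authorization: 'Bearer abc.def.ghi' }));                 // abc.def.ghi
console.log(extractToken({ cookie: 'theme=dark; access_token=abc.def.ghi; sid=1' })); // abc.def.ghi
console.log(extractToken({ authorization: 'Basic dXNlcjpwdw==' }));                  // null
```

Whatever extracts the token, the verification step that follows must still pin the algorithm and check the audience; a token found in a cookie is no more trustworthy than one found in a header.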
Tokens generated by kitten-jwt are quite compact (limited) for performance reasons, and follow the JWT RFC:
{
  alg : 'ES512',
  typ : 'JWT'
}
{
  iss : clientId, // issuer
  aud : serverId, // audience, tenant id, etc.
  exp : (Date.now() + expiresIn) // expiration timestamp, UTC
}
Why is it important to have a serverId? If the audience is not defined, the same token can be used for another web service which has the same clientId and public key.
These functions use a cache to be as fast as possible.
jwt.getToken (clientId, serverId, privKey)
Generates a token for the tuple clientId-serverId, which expires in about 12 hours (+- random)
Re-uses this same token during those 12 hours if called again
Generates a new token automatically before expiration (20 minutes before) or if privKey changes
jwt.verifyHTTPHeaderFn (serverId, getPublicKeyFn)
Generates a middleware function(req, res, next)
Verifies the token and sets req.jwtPayload
getPublicKeyFn must call callback(String|Array), where the parameter is either a string (one public key) or an array of strings (multiple public keys to test)
jwt.resetCache (clientId, callback)
: invalidate cache
These APIs should not be used directly in a web app because nothing is cached (slow).
jwt.generate (clientId, serverId, expiresIn, privKey, data)
: generate a token
It returns the signed token as a base64url-encoded string.
jwt.verify (jwt, pubKey, callback, now = Date.now())
: verify the signature of a token
jwt.generateECDHKeys (outputDir, outputKeyName, callback)
: generate a public / private ECDSA key pair
jwt.set (options)
: set default options:
{
  // client cache size used by getToken
  clientCacheSize : 5,
  // how long before client token expiration the module renews tokens, in milliseconds
  clientRenewTokenBeforeExp : 60 * 20 * 1000,
  // default client token expiration, in seconds
  clientTokenExpiration : 60 * 60 * 12,
  // server cache size used by verifyHTTPHeaderFn
  serverCacheSize : 5
}
1.1.1
verify returns payload even if the token is expired
1.1.0
set(options)
verify function
1.0.0
getPublicKeyFn can return an array of public keys
access_token
TODO :