Huge News!Announcing our $40M Series B led by Abstract Ventures.Learn More →
socketio-jwt
Advanced tools
socketio-jwt - npm Package Compare versions
Comparing version 4.3.3 to 4.3.4
@@ -43,9 +43,9 @@ var xtend = require('xtend'); | ||
| }; | ||
| if(typeof data.token !== "string") { | ||
| return onError({message: 'invalid token datatype'}, 'invalid_token'); | ||
| } | ||
| jwt.verify(data.token, options.secret, options, function(err, decoded) { | ||
| var onJwtVerificationReady = function(err, decoded) { | ||
| if (err) { | ||
@@ -56,3 +56,3 @@ return onError(err, 'invalid_token'); | ||
| // success handler | ||
| var onSuccess = function(){ | ||
| var onSuccess = function() { | ||
| socket.decoded_token = decoded; | ||
@@ -78,5 +78,14 @@ socket.emit('authenticated'); | ||
| } | ||
| }); | ||
| }; | ||
| var onSecretReady = function(err, secret) { | ||
| if (err || !secret) { | ||
| return onError(err, 'invalid_secret'); | ||
| } | ||
| jwt.verify(data.token, secret, options, onJwtVerificationReady); | ||
| }; | ||
| getSecret(socket.request, options.secret, data.token, onSecretReady); | ||
| }); | ||
| }; | ||
@@ -146,6 +155,6 @@ } | ||
| jwt.verify(token, options.secret, options, function(err, decoded) { | ||
| var onJwtVerificationReady = function(err, decoded) { | ||
| if (err) { | ||
| error = new UnauthorizedError('invalid_token', err); | ||
| error = new UnauthorizedError(err.code || 'invalid_token', err); | ||
| return auth.fail(error, data, accept); | ||
@@ -157,6 +166,45 @@ } | ||
| return auth.success(data, accept); | ||
| }); | ||
| }; | ||
| var onSecretReady = function(err, secret) { | ||
| if (err) { | ||
| error = new UnauthorizedError(err.code || 'invalid_secret', err); | ||
| return auth.fail(error, data, accept); | ||
| } | ||
| jwt.verify(token, secret, options, onJwtVerificationReady); | ||
| }; | ||
| getSecret(req, options.secret, token, onSecretReady); | ||
| }; | ||
| } | ||
| function getSecret(request, secret, token, callback) { | ||
| if (typeof secret === 'function') { | ||
| if (!token) { | ||
| return callback({ code: 'invalid_token', message: 'jwt must be provided' }); | ||
| } | ||
| var parts = token.split('.'); | ||
| if (parts.length < 3) { | ||
| return callback({ code: 'invalid_token', message: 'jwt malformed' }); | ||
| } | ||
| if (parts[2].trim() === '') { | ||
| return callback({ code: 'invalid_token', message: 'jwt signature is required' }); | ||
| } | ||
| var decodedToken = jwt.decode(token); | ||
| if (!decodedToken) { | ||
| return callback({ code: 'invalid_token', message: 'jwt malformed' }); | ||
| } | ||
| secret(request, decodedToken, callback); | ||
| } else { | ||
| callback(null, secret); | ||
| } | ||
| }; | ||
| exports.authorize = authorize; |
| { | ||
| "name": "socketio-jwt", | ||
| "version": "4.3.3", | ||
| "version": "4.3.4", | ||
| "description": "authenticate socket.io connections using JWTs", | ||
@@ -5,0 +5,0 @@ "main": "lib/index.js", |
@@ -105,3 +105,28 @@ [](https://travis-ci.org/auth0/socketio-jwt) | ||
| ``` | ||
| ## Getting the secret dynamically | ||
| You can pass a function instead of an string when configuring secret. | ||
| This function receives the request, the decoded token and a callback. This | ||
| way, you are allowed to use a different secret based on the request and / or | ||
| the provided token. | ||
| __Server side__: | ||
| ```javascript | ||
| var SECRETS = { | ||
| 'user1': 'secret 1', | ||
| 'user2': 'secret 2' | ||
| } | ||
| io.use(socketioJwt.authorize({ | ||
| secret: function(request, decodedToken, callback) { | ||
| // SECRETS[decodedToken.userId] will be used a a secret or | ||
| // public key for connection user. | ||
| callback(null, SECRETS[decodedToken.userId]); | ||
| }, | ||
| handshake: false | ||
| })); | ||
| ``` | ||
| ## Contribute | ||
@@ -116,5 +141,12 @@ | ||
| ## Issue Reporting | ||
| If you have found a bug or if you have a feature request, please report them at this repository issues section. Please do not report security vulnerabilities on the public GitHub issue tracker. The [Responsible Disclosure Program](https://auth0.com/whitehat) details the procedure for disclosing security issues. | ||
| ## Author | ||
| [Auth0](auth0.com) | ||
| ## License | ||
| Licensed under the MIT-License. | ||
| 2013 AUTH10 LLC. | ||
| This project is licensed under the MIT license. See the [LICENSE](LICENSE) file for more info. |
New alerts
License Policy Violation
LicenseThis package is not allowed per your license policy. Review the package's license to ensure compliance.
Found 1 instance in 1 package
Environment variable access
Supply chain riskPackage accesses environment variables, which may be a sign of credential stuffing or data theft.
Found 3 instances in 1 package
Fixed alerts
License Policy Violation
LicenseThis package is not allowed per your license policy. Review the package's license to ensure compliance.
Found 1 instance in 1 package
Improved metrics
- Total package byte prevSize
- increased by37.33%
35054
- Number of package files
- increased by33.33%
24
- Lines of code
- increased by57.18%
690
- Number of lines in readme file
- increased by26.89%
151
Worsened metrics
- Number of low supply chain risk alerts
- increased byInfinity%
3
- Number of medium supply chain risk alerts
- increased by33.33%
4
No dependency changes