
HMAC token generation and verification with time-based limitation on validity
Basic ideas:
Token is just a small wrapper around sha512 HMAC hashes.
token has two configuration options: secret and timeStep.
The server that generates the token, and the server that verifies the token have to agree on these two values. For example:
var token = require('token');
token.defaults.secret = 'AAB';
token.defaults.timeStep = 24 * 60 * 60; // 24h in seconds
Note that tokens from the previous and next time step are also accepted, i.e. a token can be valid for up to three time steps from when it was issued. This allows 1) the token to expire lazily and 2) the servers to disagree on time (e.g. even if the generating server is slightly ahead, the token will still be accepted).
Caching: only the verification code uses a simple cache. Hashes are looked up from memory, and only computed if they were not previously computed. Up to 500 hashes are stored and when the cache is full, it is emptied completely.
The idea is that you can take any arbitrary data, and make it part of the token hash.
This allows you to make sure that the token is valid and that the data associated with the token is trustworthy.
For example, you might generate a token like this:
JSON.stringify( { id: 1, role: 'admin', auth: token.generate('1|admin') });
Then, to verify that token, you need the id and role attributes as well as the actual token hash.
The token will only validate if the id and role match (and the token timestamp is up to date, which is implicitly included):
function isValid(json) {
  return token.verify(json.id + '|' + json.role, json.auth);
}
Note that if you put data in the token, you will need to recreate the data argument when you verify the token.
Expiry is lax: tokens from the previous time step are accepted.
The reason for having lax expiry is that it makes clients simpler: assuming that the token expiry is sufficiently long, clients do not need to handle edge cases around when the token expires.
Instead, when the clients send tokens that are old (e.g. expired one time step ago), the tokens are still accepted but the client is warned that it should get a new token soon.
FAQs
The npm package token receives a total of 358 weekly downloads, so its popularity is classified as not popular.
Its version release cadence and project activity were assessed as not healthy because the last version was released a year ago. It has 1 open source maintainer collaborating on the project.