Security News
Research
Data Theft Repackaged: A Case Study in Malicious Wrapper Packages on npm
The Socket Research Team breaks down a malicious wrapper package that uses obfuscation to harvest credentials and exfiltrate sensitive data.
validate-github-token
Advanced tools
validate-github-token is a npm package to validate GitHub API OAuth token.
This package can validate the given token
and returns the following information as the result of validation:
See GitHub official authentication document for more details.
This package aims to make a human-friendly error before actually calling GitHub APIs. It is useful for validating inputs of GitHub Action if you're making a JavaScript Action.
npm install --save validate-github-token
const { validateGitHubToken, ValidationError } = require('validate-github-token');
(async () => {
try {
const validated = await validateGitHubToken(
'your-secret-api-token',
{
scope: {
// Checks 'public_repo' scope is added to the token
included: ['public_repo']
}
}
);
console.log('Token scopes:', validated.scopes);
console.log('API rate limit remaining:', validated.rateLimit.remaining);
} catch(err) {
if (err instanceof ValidationError) {
console.error(`Validation failed!: ${err.message}`);
} else {
throw err;
}
}
})();
import { validateGitHubToken, ValidationError } from 'validate-github-token';
// Types for TypeScript
import { ValidateOptions, RateLimit, Validated } from 'validate-github-token';
interface ValidateOptions
A TypeScript interface for configuring the validation behavior. It's keys are as follows:
userName: string
: GitHub user name like "rhysd"
for @rhysd. If this value is set, the endpoint will
check the token against the user Optionalscope: Object
: Scope validation behavior Optional
included: Array<string>
: Scope names which should be added to the token Optionalexcluded: Array<string>
: Scope names which should NOT be added to the token Optionalexact: Array<string>
: Scope names should exactly match to scopes of the token Optionalagent: https.Agent
: Node.js HTTPS agent. For example please pass https-proxy-agent for proxy support OptionalendpointUrl: string
: Custom API endpoint URL. Default value is "https://api.github.com"
Optionale.g.
import {ValidateOptions} from 'validate-github-token';
const opts: ValidateOptions = {
scope: {
included: ['public_repo'],
excluded: ['user'],
},
endpointUrl: 'https://github.your.company.com/api/v3',
};
async function validateGitHubToken(token, options?)
A function which validates the given token for the given user. Validation behavior can be configured
with the 3rd parameter. It returns the information given from API endpoint.
Validation failure is thrown as ValidationError
.
token: string
: API token to be validated Requiredoptions: Object
: Objects to configure validation behavior OptionalPromise<Validated>
Returns a promise which is resolved to Validated
interface object. Please read following 'interface Validated'
section for more details.
ValidationError
: Thrown when the given token is actually not authorized or its scopes don't meet options.scope
option valueError
: Thrown when unexpected errors such as network error happeninterface Validated
A TypeScript interface contains the all information returned from API endpoint.
scopes: Array<string>
: An array of scope names added to the API tokenrateLimit: RateLimit
: Rate limit informationinterface RateLimit
A TypeScript interface contains the rate limit information returned from an API endpoint. Please read GitHub's official rate limit documentation for more details.
limit: number
: Max rate limit countremaining: number
: Remaining rate limit countreset: Date
: The date when the rate limit count is resetDistributed under the MIT license.
FAQs
Validation for GitHub API token
The npm package validate-github-token receives a total of 36 weekly downloads. As such, validate-github-token popularity was classified as not popular.
We found that validate-github-token demonstrated a not healthy version release cadence and project activity because the last version was released a year ago. It has 1 open source maintainer collaborating on the project.
Did you know?
Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.
Security News
Research
The Socket Research Team breaks down a malicious wrapper package that uses obfuscation to harvest credentials and exfiltrate sensitive data.
Research
Security News
Attackers used a malicious npm package typosquatting a popular ESLint plugin to steal sensitive data, execute commands, and exploit developer systems.
Security News
The Ultralytics' PyPI Package was compromised four times in one weekend through GitHub Actions cache poisoning and failure to rotate previously compromised API tokens.