npm package discovery and stats viewer.

Discover Tips

  • General search

    [free text search, go nuts!]

  • Package details

    pkg:[package-name]

  • User packages

    @[username]

Sponsor

Optimize Toolset

I’ve always been into building performant and accessible sites, but lately I’ve been taking it extremely seriously. So much so that I’ve been building a tool to help me optimize and monitor the sites that I build to make sure that I’m making an attempt to offer the best experience to those who visit them. If you’re into performant, accessible and SEO friendly sites, you might like it too! You can check it out at Optimize Toolset.

About

Hi, 👋, I’m Ryan Hefner  and I built this site for me, and you! The goal of this site was to provide an easy way for me to check the stats on my npm packages, both for prioritizing issues and updates, and to give me a little kick in the pants to keep up on stuff.

As I was building it, I realized that I was actually using the tool to build the tool, and figured I might as well put this out there and hopefully others will find it to be a fast and useful way to search and browse npm packages as I have.

If you’re interested in other things I’m working on, follow me on Twitter or check out the open source projects I’ve been publishing on GitHub.

I am also working on a Twitter bot for this site to tweet the most popular, newest, random packages from npm. Please follow that account now and it will start sending out packages soon–ish.

Open Software & Tools

This site wouldn’t be possible without the immense generosity and tireless efforts from the people who make contributions to the world and share their work via open source initiatives. Thank you 🙏

© 2024 – Pkg Stats / Ryan Hefner

@weegl/signer

v1.0.0

Published

A secure and flexible HMAC signing module for Node.js, offering message signing, verification, and hashing with support for multiple algorithms and encodings.

Downloads

69

Vulnerabilities

Powered byPowered by Snyk
  • 0High
  • 0Medium
  • 0Low

Links

Maintainers

weeglweegl

Keywords

Readme

Node.js HMAC Signing Module

A secure and flexible HMAC signing module for Node.js, offering message signing, verification, and hashing with support for multiple algorithms and encodings.

Features

  • 🔐 Secure HMAC-based message signing and verification
  • 🎯 Support for multiple hash algorithms (sha256, sha512, sha1, md5)
  • 📝 Multiple output encodings (hex, base64, base64url, binary, utf8)
  • ⚡ Timing-safe signature comparison
  • ⚙️ Configurable default settings

Installation

npm install @weegl/signer

Usage

Basic Example

const signer = require('@weegl/signer');

// Sign a message
const message = "Hello, World!";
const secret = "your-secret-key";

async function example() {
    // Sign message
    const signed = await signer.sign(message, secret);
    // "Hello, World!.HMAC_SIGNATURE_HERE"
    
    // Verify signature
    const isValid = await signer.verify(signed, secret);
    // true
}

Direct Hashing

const signer = require('@weegl/signer');

// Generate HMAC hash
const hash = signer.hash("Hello, World!", "secret");

Configuration

Default Settings

The module comes with the following default settings:

  • Algorithm: sha256
  • Charset (encoding): base64
  • Separator: "." (dot)

Customizing Defaults

You can modify the default settings globally:

const signer = require('@weegl/signer');

// Change default algorithm
signer.setDefaultAlgorithm(signer.Algorithms.sha512);

// Change default charset
signer.setDefaultCharset(signer.Charsets.hex);

// Change default separator
signer.setDefaultSeparator('::');

Available Options

Algorithms

const { Algorithms } = require('@weegl/signer');

// Available algorithms
Algorithms.sha256  // ✅ Secure
Algorithms.sha512  // ✅ Secure
Algorithms.sha1    // ⚠️ Deprecated - Vulnerable to collisions
Algorithms.md5     // ⚠️ Deprecated - Vulnerable to collisions

Charsets (Encodings)

const { Charsets } = require('@weegl/signer');

// Available charsets
Charsets.hex       // ⚠️ Less efficient; use base64 instead
Charsets.base64    // ✅ Recommended
Charsets.base64url // ✅ Recommended for URLs
Charsets.binary    // ⚠️ May cause interoperability issues
Charsets.utf8      // ✅ Commonly used, but ensure proper handling

Custom Options Per Operation

You can override default settings for individual operations:

const signed = await signer.sign(message, secret, {
    algorithm: 'sha512',
    charset: 'hex',
    separator: '::'
});

const isValid = await signer.verify(signed, secret, {
    algorithm: 'sha512',
    charset: 'hex',
    separator: '::'
});

Security Considerations

Key Management

  • Keep your secret key secure and never expose it in your source code
  • Use environment variables or secure key management solutions
  • Use a strong, random secret key with sufficient entropy

Algorithm Choice

  • SHA256 (default) is recommended for most use cases
  • SHA512 provides additional security but with slightly higher computational cost
  • Avoid MD5 and SHA1 for new implementations as they are considered cryptographically weak

Timing Attacks Protection

This module uses Node.js's crypto.timingSafeEqual() for signature comparison to prevent timing attacks. Always use the provided verify() function instead of implementing your own comparison.

API Reference

sign(message, secret[, options])

Signs a message using HMAC.

  • message {string} - Message to sign
  • secret {string} - Secret key
  • options {Object} - Optional configuration
    • algorithm {string} - Hash algorithm to use
    • charset {string} - Output encoding
    • separator {string} - Separator between message and signature
  • Returns: {Promise} - Signed message

verify(signed, secret[, options])

Verify a signed message.

  • signed {string} - Signed message to verify
  • secret {string} - Secret key
  • options {Object} - Optional configuration (same as sign)
  • Returns: {Promise} - True if signature is valid

hash(message, secret[, options])

Generates an HMAC hash.

  • message {string} - Message to hash
  • secret {string} - Secret key
  • options {Object} - Optional configuration
    • algorithm {string} - Hash algorithm
    • charset {string} - Output encoding
  • Returns: {string} - Generated hash

📄 Licence

License MIT

Copyright (c) 2024 Weegl