npm package discovery and stats viewer.

Discover Tips

  • General search

    [free text search, go nuts!]

  • Package details

    pkg:[package-name]

  • User packages

    @[username]

Sponsor

Optimize Toolset

I’ve always been into building performant and accessible sites, but lately I’ve been taking it extremely seriously. So much so that I’ve been building a tool to help me optimize and monitor the sites that I build to make sure that I’m making an attempt to offer the best experience to those who visit them. If you’re into performant, accessible and SEO friendly sites, you might like it too! You can check it out at Optimize Toolset.

About

Hi, 👋, I’m Ryan Hefner  and I built this site for me, and you! The goal of this site was to provide an easy way for me to check the stats on my npm packages, both for prioritizing issues and updates, and to give me a little kick in the pants to keep up on stuff.

As I was building it, I realized that I was actually using the tool to build the tool, and figured I might as well put this out there and hopefully others will find it to be a fast and useful way to search and browse npm packages as I have.

If you’re interested in other things I’m working on, follow me on Twitter or check out the open source projects I’ve been publishing on GitHub.

I am also working on a Twitter bot for this site to tweet the most popular, newest, random packages from npm. Please follow that account now and it will start sending out packages soon–ish.

Open Software & Tools

This site wouldn’t be possible without the immense generosity and tireless efforts from the people who make contributions to the world and share their work via open source initiatives. Thank you 🙏

© 2024 – Pkg Stats / Ryan Hefner

cf-jwt

v1.0.4

Published

A simple JWT library for Cloudflare Workers that complies with RFC 7519.

Downloads

634

Readme

huntr Known Vulnerabilities

CF-JWT

CF-JWT

A JWT library for Cloudflare Workers. Compliant with RFC 7519.

What are JWTs?

JWTs (or "JSON Web Tokens") are an easy way to issue and verify information tokens on-the-fly. JWTs can be signed by one party (an "issuer"), then verified by another (the "audience").

What are JWTs good for?

  • Most short-lived one-use authentication tokens.
  • Long-lives tokens that can be revoked or blacklisted.
  • General data storage where data should not be editable by the user.

What should JWTs NOT be used for?

  • Long-lived authentication tokens, or authentication tokens that can be reused.
  • Any type of authentication token that cannot be revoked or blacklisted.
  • To store any sensitive data - unless you are encrypting the JWT. If you are, you should be OK.

How do I use this library?

Importing the library

import JWT from 'cf-jwt';
// or, if you're still old-school:
const JWT = require('cf-jwt');

Creating a JWT

const jwt = await JWT.sign({
    hello: 'world!',
    some: 'lovely data',
    that: 'i can sign!',
}, 'what-a-lovely-secret', {
    algorithm: 'HS256',
    expiresAt: new Date(Date.now() + 60000), // 60 seconds
});
// eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJoZWxsbyI6IndvcmxkISIsInNvbWUiOiJsb3ZlbHkgZGF0YSIsInRoYXQiOiJpIGNhbiBzaWduISIsImlhdCI6MTY1ODQzMzEyNywiZXhwIjoxNjU4NDMzMTg4fQ.u5ejuvjb_t0F2uQUcOGfwtcxUpgIdpQEBQEdwDF7gQE

Verifying a JWT

const jwt = await JWT.verify(jwtString, 'what-a-lovely-secret', {
    algorithms: ['HS256'],
});
/**
 * {
 *     hello: 'world!',
 *     some: 'lovely data',
 *     that: 'i can sign!',
 *     iat: 2022-07-21T19:54:55.000Z,
 *     exp: 2022-07-21T19:55:56.000Z
 * }
 */

API Reference

JWT.sign(payload: any, secret: string, options: JWTSignOptions): Promise<string>

JWT.signSync(payload: any, secret: string, options: JWTSignOptions): string

Signs an object and returns a JWT string.

const uuid = crypto.randomUUID();
const signedJWT = await JWT.sign({
    grant: 'access to my cookie jar',
}, 'chocolate chip cookies!!!!!', {
    algorithm: 'HS256', // in most cases, this should be sufficient
    expiresAt: new Date(Date.now() + (60000 * 60)), // expires in 60 minutes
    notBefore: new Date(Date.now() + 30000), // becomes valid in 30 seconds
    audience: 'the entire world of course!',
    issuer: 'me :D',
    jwtid: uuid, // make sure this is random!
    subject: 'my best friend',
});
// eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJncmFudCI6ImFjY2VzcyB0byBteSBjb29raWUgamFyIiwiaWF0IjoxNjU4NDM0MDk1LCJleHAiOjE2NTg0Mzc2OTYsIm5iZiI6MTY1ODQzNDEyNSwiYXVkIjoidGhlIGVudGlyZSB3b3JsZCBvZiBjb3Vyc2UhIiwiaXNzIjoibWUgOkQiLCJqdGkiOiI0OGY3ODg4Yy1mMmVkLTRhODAtOWNjMS1hZmQzYzI0ZGY0ZTMiLCJzdWIiOiJteSBiZXN0IGZyaWVuZCJ9.-IaNMkkf2lYyMGQC737Ig1yxr0K6bh3POraBAToDSAc

Parameters

  • payload (Object): The object to sign.
  • secret (string): The secret to use to sign the object.
  • options (Object): An object containing options for the JWT.
  • options.algorithm (string): The algorithm to use to sign the object. Available options are HS256 (SHA-256), HS384 (SHA-384) and HS512 (SHA-512).
  • options.expiresAt? (Date): The time at which the JWT should expire. Compliant libraries and clients should reject the JWT if it is used AFTER this date. Defaults to null.
  • options.notBefore? (Date): The time before which the JWT should not be accepted. Compliant libraries and clients should reject the JWT if it is used BEFORE this date. Defaults to null.
  • options.audience? (string): The audience of the JWT. This is used to tell compliant libraries and clients who the JWT is meant to be accepted by. Defaults to null.
  • options.issuer? (string): The issuer of the JWT. This is used to tell compliant libraries and clients who created the JWT. Defaults to null.
  • options.jwtid? (string): The JWT's unique identifier. If set, you should ensure this value is unique. Defaults to null.
  • options.subject? (string): The subject of the JWT. Defaults to null.

Returns: The new JWT string. Throws: An error if one or more incorrect parameters are provided.

JWT.verify(jwt: string, secret: string, options: JWTSignOptions): Promise<any>

JWT.verifySync(jwt: string, secret: string, options: JWTSignOptions): any

Verifies a JWT string and returns the payload as an object.

const jwt = await JWT.verify(signedJWT, 'chocolate chip cookies!!!!!', {
    algorithms: ['HS256'], // list all the algorithms you want to allow
    audience: ['the entire world of course!'], // list all the audiences you want to allow
    issuer: ['me :D'], // list all the issuers you want to allow
    jwtid: [uuid], // list all the jwtids you want to allow
    subject: ['my best friend'], // list all the subjects you want to allow
});

Parameters

  • jwt (string): The JWT to verify.
  • secret (string): The secret to use to verify the JWT.
  • options (Object): An object containing options for the verification process.
  • options.algorithms (string[]): A list of all algorithms to allow. Available options are HS256 (SHA-256), HS384 (SHA-384) and HS512 (SHA-512).
  • options.audience? (string | string[]): The audiences to allow for this JWT.
  • options.issuer? (string | string[]): The issuers to allow for this JWT.
  • options.jwtid? (string | string[]): The allowed set of JWT IDs.
  • options.subject? (string | string[]): The subjects allowed for this JWT.

Returns: The payload of the JWT. Throws: An error if one or more issues are found with the JWT.

BSD-3 License

Copyright (c) 2022, knokbak
All rights reserved.

Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met:

  1. Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer.

  2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution.

  3. Neither the name of the copyright holder nor the names of its contributors may be used to endorse or promote products derived from this software without specific prior written permission.

THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.