npm package discovery and stats viewer.

© 2024 – Pkg Stats / Ryan Hefner

crypto-auth

v1.0.0

Published

API Authentication Middleware based on signed certificates (SHA-256) and token-based sessions with a limited TTL.

Downloads

5

Readme

node-crypto-auth

API Authentication Middleware based on signed certificates (SHA-256) and token-based sessions.

The basic idea is to distribute signed certificate files to protect your API instead of using a classic API key. You'll have as many API clients as certificates you generate, and each of them may have a different expiration date.

Why? Certificates give you flexibility in setting expiration dates, and you can generate new certificates offline. Companies that communicate with each other demand extremely secure APIs; sharing an API key that never expires is just not good.

HOW IT WORKS

  1. You generate a custom self-signed certificate.
  2. You sign one or more certificates and distribute them to the users you want to have access to this service.
  3. They execute a REST call, sending this certificate, in order to get a temporary access token.
  4. They can safely use this token to execute requests.

THIS IS INTENDED TO BE USED IN ADDITION TO HTTPS FOR IMPROVED SECURITY

HOW TO GENERATE THE CERTIFICATES

Generate Private key and Self-Signed Certificate

    openssl req -nodes -sha256 -newkey rsa:2048 -keyout auth.key -out auth.csr

The command above creates a new private key (auth.key) together with the signing request. If you already have auth.key, create the request from it instead:

    openssl req -new -key auth.key -out auth.csr

Generate New Signed Certificates

    openssl x509 -req -days 365 -in auth.csr -signkey auth.key -out auth.crt

(You can also include -startdate YYMMDDHHMMSSZ; the format of the date is YYMMDDHHMMSSZ, the same as an ASN1 UTCTime structure.)

USAGE (Using Express)

    var express = require('express');
    var app = express();

    var authProvider = require('./crypto-auth')({
      debug: true,
      jsonTokenStore: false,
      privateKey: require('path').resolve(__dirname, 'certificates', 'auth.key')
    });

    // Clients POST their signed certificate here and receive a temporary token
    app.post('/api/requestToken', authProvider.requestToken);

    // authProvider.auth rejects the request unless a valid, unexpired token is supplied
    app.post('/api/check', authProvider.auth, function (req, res) {
      return res.json({ success: true });
    });

    app.listen(3000);
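The four steps above and the requestToken/auth handlers, as an added example that is not part of crypto-auth. It is written in Go rather than the package's JavaScript because Go's standard library can both mint and verify certificates offline, so the whole flow (self-signed signer, signed client certificate, certificate check at token request time, TTL-limited token) runs without OpenSSL. All names (newCert, TokenStore, RequestToken, Check) are my own, not the package's API, and the certificate helper skips error handling.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/hex"
	"math/big"
	"time"
)
// newCert: a nil parent yields the self-signed signer (README step 1, auth.key/auth.crt); otherwise parent/parentKey sign a client cert (step 2).
func newCert(cn string, notBefore time.Time, validFor time.Duration, parent *x509.Certificate, parentKey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	pub, key, _ := ed25519.GenerateKey(rand.Reader) // demo helper: key-generation errors are not handled
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn},
		NotBefore: notBefore, NotAfter: notBefore.Add(validFor), IsCA: parent == nil, BasicConstraintsValid: true}
	if parent == nil { // self-signed: the template is its own issuer
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, parentKey)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}
// TokenStore is the README's in-memory session store: every token expires TTL after it is issued.
type TokenStore struct{ TTL time.Duration; Tokens map[string]time.Time }
// RequestToken models POST /api/requestToken (step 3): the presented cert must chain to our signer and be valid at now.
func (s *TokenStore) RequestToken(ca, presented *x509.Certificate, now time.Time) (string, error) {
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	opts := x509.VerifyOptions{Roots: roots, CurrentTime: now, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}}
	if _, err := presented.Verify(opts); err != nil {
		return "", err // expired, not yet valid, or signed by someone else's key: no token
	}
	buf := make([]byte, 32) // 256 random bits: the token must be unguessable
	rand.Read(buf)
	tok := hex.EncodeToString(buf)
	s.Tokens[tok] = now.Add(s.TTL)
	return tok, nil
}
// Check models the auth middleware (step 4): unknown or expired tokens are refused, expired ones evicted.
func (s *TokenStore) Check(tok string, now time.Time) bool {
	exp, ok := s.Tokens[tok]
	if ok && !now.Before(exp) {
		delete(s.Tokens, tok)
	}
	return ok && now.Before(exp)
}
```

Check evicts expired entries so the in-memory store the NOTES section mentions does not grow without bound; the clock is passed explicitly so expiry can be exercised deterministically.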

TESTING (WITH CURL)

(Go to crypto-auth and run node express-example.js to launch the example.)

    curl -F certificate=@certificates/auth.crt -X POST http://localhost:3000/api/requestToken
    curl -H "token: 123456789" -X POST http://localhost:3000/api/check

The second call uses the token returned by the first one in place of 123456789.

SCRIPTS TESTING

Run npm test (it verifies that the scripts work and that OpenSSL is correctly installed).

NOTES

I know storing request tokens in memory can be a problem; for now you can use jsonTokenStore: true to store them in a temporary file. A future release will allow the use of custom stores.

FOR EXTREME SECURITY

Give your clients a bash script that lets them generate new certificates to send as a password and validate their identity. Avoiding the reuse of certificates would make every connection unique, since every new request would require a new certificate to validate. This would be good for NON-HTTPS connections. The problem: added complexity.