npm package discovery and stats viewer.

Discover Tips

  • General search

    [free text search, go nuts!]

  • Package details

    pkg:[package-name]

  • User packages

    @[username]

Sponsor

Optimize Toolset

I’ve always been into building performant and accessible sites, but lately I’ve been taking it extremely seriously. So much so that I’ve been building a tool to help me optimize and monitor the sites that I build to make sure that I’m making an attempt to offer the best experience to those who visit them. If you’re into performant, accessible and SEO friendly sites, you might like it too! You can check it out at Optimize Toolset.

About

Hi, 👋, I’m Ryan Hefner  and I built this site for me, and you! The goal of this site was to provide an easy way for me to check the stats on my npm packages, both for prioritizing issues and updates, and to give me a little kick in the pants to keep up on stuff.

As I was building it, I realized that I was actually using the tool to build the tool, and figured I might as well put this out there and hopefully others will find it to be a fast and useful way to search and browse npm packages as I have.

If you’re interested in other things I’m working on, follow me on Twitter or check out the open source projects I’ve been publishing on GitHub.

I am also working on a Twitter bot for this site to tweet the most popular, newest, random packages from npm. Please follow that account now and it will start sending out packages soon–ish.

Open Software & Tools

This site wouldn’t be possible without the immense generosity and tireless efforts from the people who make contributions to the world and share their work via open source initiatives. Thank you 🙏

© 2024 – Pkg Stats / Ryan Hefner

jw3t

v1.0.10

Published

A library to create and validate json web3 tokens.

Downloads

105

Vulnerabilities

Powered byPowered by Snyk
  • 0High
  • 0Medium
  • 0Low

Links

Git

Maintainers

hamidrahamidra

Keywords

Readme

:warning: This library is not audited and the spec is still a work in process and likely to change .

What is Json Web3 Token

Json Web3 Token (JW3T) is a self-contained json token, inspired by Json Web Token standard RFC 7519 with some adaptations to make it work for the web3 authentications and authorization usecases.

JW3T vs JWT?

The main difference between a "Json Web3 Token" and "Json Web Token" is in the issuance and verification procedures. In web3 world, the identities are self-sovereign and each user owns the signing keys of their accounts, hence the Json Web3 Tokens are issued by the users themselves and are signed by the user account's private key. This means that the issuer and the subject of a JW3T are the same which makes the fields redundant. Also another characteristic of web3 accounts is that the address of an account can be derived from the signature (using the public key). Considering these chracteristics we can replace the issuer and subject fields with an account address field. So for jw3t:

  • The token includes an address claim in the payload.
  • The token is signed by the private key of the claimed address.
  • The token is considered to be valid if it has a valid signature, and the signature address matches the claimed address in the payload.

Why JW3T?

Why do we need a token for web3 where all messages can be signed by the owner accounts. If we are developing decentralized apps then who are these tokens issued for?

The advantage the Json Web3 Tokens provide is the better user experience for scenarios that there is a trusted middle layer between the user and decentralized network. This can happen when there are some hybrid scenarios that might require to access some off-chain services and data as well as onchain transactions.

E.g in the case of NFTs there are minting platforms that provide an e2e UX for minting and managing NFTs which let the user upload the resources to IPFS and set the metadata fields on the chain. In these scenarios the platform needs to authneticate the users accounts to be able to let them manage their off-chain resources. JW3T can provide a self-contained and self-sovereign solution for the user to authenticate and authorize their off-chain resources.

How JW3T is issued?

Similar to Json Web Tokens, Json Web3 Tokens consist of the same three parts (Header, Payload, Signature) encoded in Base64URI and separated by dots (.)

The final token format would look like below:
xxxxx.yyyyy.zzzzz

Header:

The header includes the signing scheme specified by "algorithm" field and the address type specified by "address_type" field and the token type specified by "token_type" which is always set to "JW3T" for web3 tokens.

e.g.

{
  "algorithm": "sr25519",
  "address_type": "ss58",
  "token_type": "JW3T"
}

specifies that the token is a Json Web3 Token that is using sr25519 signing schema and the address type is a substrate address.

Payload:

The payload of the token is a json object which includes a required address claim that species the address of the account that has issued the token as well as some suggested claim fields:

  • "address" (Address) Claim: specifies the address of the account that has signed the token. This field is used during the token verification and if it is not a valid address of the type that is specified in the header {"address_type":} the token verification should fail.
  • "audience" (Audience) Claim :
    The "audience" claim identifies the recipients that the JW3T is intended for. The audience is usually a uri that specifies the web resource or website that the token is issued for.
  • "expires_at" (Expiration Time) Claim:
    The "expires_at" (expiration time) claim identifies the expiration time on or after which the JW3T MUST NOT be accepted for processing. The processing of the "expires_at" claim requires that the current date/time MUST be before the expiration date/time listed in the "expires_at" claim.
  • "not_before" (Not Before) Claim:
    The "not_before" claim identifies the time before which the JWT MUST NOT be accepted for processing. The processing of the "not_before" claim requires that the current date/time MUST be after or equal to the not-before date/time listed in the "not_before" claim.

Signature:

The signature is generated by signing the header (as a JSON string) concatenated by a "." concatenated by the payload (as a JSON string) using the signing algorithm that is specified in the token header {"algorithm":}.

signature = sign(header + '.' + payload)

Note: Unlike JWT, that the signer signes the header and payload as a Base64URI encoded message, the header and payload in JW3T are signed as a JSON string to let the signer apps and wallets present them as json string so the user can see what message they are signing.

The token is then generated by Base64URI encoding each part and then concatenating them together separated by a ".". So the final token will be as:

jw3t =
  Base64URI.encode(header) +
  '.' +
  Base64URI.encode(payload) +
  '.' +
  Base64URI.encode(signature);

How JW3T is verified?

To verify if a JW3T is valid, two verifications must be performed:

  • the signatur should be verified to make sure it is a valid signature of the header + "." + payload.

  • the address claim in the payload payload.address should be a valid address of the address type that is specified in the header header.address_type and match the address of the account that has signed the message signature.address

How to use this package?

How to install:

yarn:
yarn add jw3t

npm:
npm i jw3t

How to use:

The package already includes a polkadotJS signer/verifier that can be used for token signing and verification.

ESM import

import * as jw3t from 'jw3t'

CJS require

const jw3t = require('jw3t')

e.g. to create a token signed by a substarte account:

// create a signing account
let keyring = new Keyring({ type: 'sr25519' });
let mnemonic = mnemonicGenerate();
let account = keyring.createFromUri(mnemonic);
let signingAccount = { account };
let address = account.address;

let header = {
  algorithm: 'sr25519',
  token_type: 'JW3T',
  address_type: 'ss58',
};

let payload = {
  address: address,
};

// set expire to 24 hours
let expires_at = Math.floor(Date.now() / 1000) + 24 * 3600;

let content = new jw3t.JW3TContent(header, payload)
  .setAudience('uri:test')
  .setExpiration(expires_at);

let polkaJsSigner = new jw3t.PolkaJsSigner(signingAccount);
let signer = new jw3t.JW3TSigner(polkaJsSigner, content);
let { base64Content, base64Sig } = await signer.getSignature();
let token = `${base64Content}.${base64Sig}`;

to verify a token is valid.

let token =
  'ewogImFsZ29yaXRobSI6ICJzcjI1NTE5IiwKICJ0b2tlbl90eXBlIjogIkpXM1QiLAogImFkZHJlc3NfdHlwZSI6ICJzczU4Igp9.ewogImFkZHJlc3MiOiAiNUdyd3ZhRUY1elhiMjZGejlyY1FwRFdTNTdDdEVSSHBOZWhYQ1BjTm9IR0t1dFFZIiwKICJub25jZSI6ICJmNzdiNzAiLAogIm9uX2JlaGFsZl9vZiI6ICI1RkhuZVc0NnhHWGdzNW1VaXZlVTRzYlR5R0J6bXN0VXNwWkM5MlVoakpNNjk0dHkiLAogInByb3h5X3R5cGUiOiAiZ292ZXJuYW5jZSIsCiAiYXVkaWVuY2UiOiAidXJpOnRlc3QiLAogImV4cGlyZXNfYXQiOiAxNjYwMDY3NDQ1Cn0.-GH6igp_L_egG0tJj18-hlZbllG0WliFa6JTEvLxa3RRvmVSD2gBHbFpNd0jaOTXLTpZ1asKCObtLYFw7jObhA';

let polkaJsVerifier = new jw3t.PolkaJsVerifier();
let verifier = new jw3t.JW3TVerifier(polkaJsVerifier);
let isValid = verifier.verify(token);