npm package discovery and stats viewer.

Discover Tips

  • General search

    [free text search, go nuts!]

  • Package details

    pkg:[package-name]

  • User packages

    @[username]

Sponsor

Optimize Toolset

I’ve always been into building performant and accessible sites, but lately I’ve been taking it extremely seriously. So much so that I’ve been building a tool to help me optimize and monitor the sites that I build to make sure that I’m making an attempt to offer the best experience to those who visit them. If you’re into performant, accessible and SEO friendly sites, you might like it too! You can check it out at Optimize Toolset.

About

Hi, 👋, I’m Ryan Hefner  and I built this site for me, and you! The goal of this site was to provide an easy way for me to check the stats on my npm packages, both for prioritizing issues and updates, and to give me a little kick in the pants to keep up on stuff.

As I was building it, I realized that I was actually using the tool to build the tool, and figured I might as well put this out there and hopefully others will find it to be a fast and useful way to search and browse npm packages as I have.

If you’re interested in other things I’m working on, follow me on Twitter or check out the open source projects I’ve been publishing on GitHub.

I am also working on a Twitter bot for this site to tweet the most popular, newest, random packages from npm. Please follow that account now and it will start sending out packages soon–ish.

Open Software & Tools

This site wouldn’t be possible without the immense generosity and tireless efforts from the people who make contributions to the world and share their work via open source initiatives. Thank you 🙏

© 2024 – Pkg Stats / Ryan Hefner

rewt

v3.0.0

Published

JWT with Redis as the source of a shared secret for easy/fast rotation

Downloads

2,319

Readme

rewt

This module provides a simplified wrapper for signing and verify JWT tokens while sourcing a shared secret from Redis. This has the advantage of also being able to set a TTL on the key to allow for automated secret rotation.

See this blog post introducing Rewt.

Install

$ npm install rewt

or

$ npm install rewt --save

Usage

Initialization

To use rewt, we first need to tell it where our Redis connection is:

const redis = require('redis');
const Rewt = require('rewt');

let rewt = new Rewt({
  redisConn: redis.createClient('redis://localhost:6379'),
});

Constructor options

We can also provide a custom namespace and key TTL. If we don't provide these, rewt defaults to using rewt as the default namespace and one day as the default TTL.

let rewt = new Rewt({
  redisConn: redis.createClient('redis://localhost:6379'),
  redisNamespace: 'foobar',
  ttl: 60 * 60, // One hour in seconds
});

Signing payloads

To sign a payload, we simply give it the object to sign and a callback. Note that we can also pass either a buffer or string to sign instead of an object.

rewt.sign({ username: '[email protected]' }, (err, signed) => {
  console.log(`signed payload: ${signed}`);
});

Verifying a payload

Verifying a payload is equally as simple, just provide the token to verify and a callback.

rewt.verify(token, (err, payload) => {
  console.log(`verifyed payload: ${JSON.stringify(payload, null, '  ')}`;
});

Running Tests

Unit Tests

To run the unit tests:

$ npm test

Integration Tests

To run the integration tests:

$ npm run test:all

Use docker-compose to start redis.

$ docker-compose up -d

Use-case

Why use this module? When signing a JWT you need some sort of secret that can be used by both send and receiver to verify that a token was signed by someone that we trust. Our use case was to use JWTs to verify internal server-to-server communication.

By using Redis as the source of storage for the shared secret, we can have it automatically rotated by setting a TTL on the key (rewt handles recreating a new psuedo-random one if the old key has expired). It also allows us to quickly invalidate a currently shared secret if it becomes compromised by simply updating the key in Redis as all new signing and verification requests will use the new secret. This does mean that requests in flight will fail verification, but this is an acceptable trade-off as the window for signing a payload before a secret invalidation is incredibly small.