npm package discovery and stats viewer.

Discover Tips

  • General search

    [free text search, go nuts!]

  • Package details

    pkg:[package-name]

  • User packages

    @[username]

Sponsor

Optimize Toolset

I’ve always been into building performant and accessible sites, but lately I’ve been taking it extremely seriously. So much so that I’ve been building a tool to help me optimize and monitor the sites that I build to make sure that I’m making an attempt to offer the best experience to those who visit them. If you’re into performant, accessible and SEO friendly sites, you might like it too! You can check it out at Optimize Toolset.

About

Hi, 👋, I’m Ryan Hefner  and I built this site for me, and you! The goal of this site was to provide an easy way for me to check the stats on my npm packages, both for prioritizing issues and updates, and to give me a little kick in the pants to keep up on stuff.

As I was building it, I realized that I was actually using the tool to build the tool, and figured I might as well put this out there and hopefully others will find it to be a fast and useful way to search and browse npm packages as I have.

If you’re interested in other things I’m working on, follow me on Twitter or check out the open source projects I’ve been publishing on GitHub.

I am also working on a Twitter bot for this site to tweet the most popular, newest, random packages from npm. Please follow that account now and it will start sending out packages soon–ish.

Open Software & Tools

This site wouldn’t be possible without the immense generosity and tireless efforts from the people who make contributions to the world and share their work via open source initiatives. Thank you 🙏

© 2024 – Pkg Stats / Ryan Hefner

skajs

v0.1.3

Published

Sign- and validate- data (dictionaries, strings) using symmetric-key algorithm.

Downloads

89

Readme

ska

Lets you easily sign data, using symmetric-key algorithm encryption. Allows you to validate signed data and identify possible validation errors. Uses sha/hmac for signature encryption. Comes with shortcut functions for signing (and validating) dictionaries.

NPM Version Supported NodeJS versions Build Status Coverage Status License

Key concepts

Hosts, that communicate with each other, share the Secret Key, which is used to sign data (requests). Secret key is never sent around.

One of the cases is signing of HTTP requests. Each (HTTP) request is signed on the sender side using the shared Secret Key and as an outcome produces the triple (signature, auth_user, valid_until) which are used to sign the requests.

  • signature (string): Signature generated.
  • auth_user (string): User making the request. Can be anything.
  • valid_until (float or string): Signature expiration time (Unix timestamp).

On the recipient side, (HTTP request) data is validated using the shared Secret Key. It's being checked whether signature is valid and not expired.

    ┌─────────────┐           Data              ┌─────────────┐
    │   Host 1    ├────────────────────────────>│   Host 2    │
    │ ─────────── │                             │ ─────────── │
    │ secret key  │                             │ secret key  │
    │ 'my-secret' │<────────────────────────────┤ 'my-secret' │
    └─────────────┘           Data              └─────────────┘

Features

  • Sign URLs.
  • Sign dictionaries.
  • Validate signed dictionaries.

Eco-system

Need ska for other languages? Check the following affiliated projects:

  • ska: ska implementation for Python. This was the first implementation from which current project originated.
  • skaphp: ska implementation for PHP (>= 7.2).

Generated signatures are intercompatible between Python, NodeJS and PHP implementations.

Installation

Latest stable version from NPM registry:

npm install skajs

Usage examples

Usage example are present for both CommonJS and ESM.

CommonJS

node examples.js

ESM

node examples.mjs

Basic usage

Sender side

Signing dictionaries and URLs is as simple as follows.

Required imports.

CommonJS

const { signatureToDict, signURL } = require("skajs");

ESM

import { signatureToDict, signURL } from "skajs";
Sign data

Sample usage, sign a dictionary:

const signatureDict = signatureToDict("user", "your-secret_key");

Sample output:

{
  signature: 'sf40lBWO5CquFfHr6jSXxhl2oW0=',
  auth_user: 'user',
  valid_until: '1631827551.6',
  extra: ''
}

Adding of additional data to the signature works in the same way:

const signatureDict = signatureToDict(
    "user",
    "your-secret_key",
    {
        "email": "[email protected]",
        "first_name": "John",
        "last_name": "Doe",
    }
);

Sample output:

{
  signature: 'B0sscS+xXWU+NR+9dBCoGFnDtlw=',
  auth_user: 'user',
  valid_until: '1631827551.6',
  extra: 'email,first_name,last_name',
  email: '[email protected]',
  first_name: 'John',
  last_name: 'Doe',
}

Sample usage, sign a URL:

const signedURL = signURL("user", "your-secret_key", "http://e.com/api/");

Sample output:

'http://e.com/api/?valid_until=1378045287.0&auth_user=user&signature=YlZpLFsjUKBalL4x5trhkeEgqE8%3D'

Options and defaults:

The signatureToDict function accepts an optional options argument.

Default value for the validUntil in the options is 10 minutes from now. If you want it to be different, set validUntil in the options of the signatureToDict function.

Default lifetime of a signature is 10 minutes (600 seconds). If you want it to be different, set lifetime in the options of the signatureToDict function.

Default name of the (GET) param holding the generated signature value is signature. If you want it to be different,set the signatureParam in the options of the signatureToDict function.

Default name of the (GET) param holding the authUser value is auth_user. If you want it to be different, set authUserParam in the options of the signatureToDict function.

Default name of the (GET) param holding the validUntil value is valid_until. If you want it to be different, set the validUntilParam in the options of the signatureToDict function.

Default name of the (GET) param holding the extra value is extra. If you want it to be different, set the extraParam in the options of the signatureToDict function.

Default hashing algorithm is SHA1. If you want it to be different, set the signatureCls in the options of the signatureToDict function. Supported classes are HMACSHA1Signature (alias of Signature), HMACSHA256Signature and HMACSHA512Signature.

signedData = signatureToDict(
    "user",
    "your-secret_key",
    {
        email: "[email protected]",
        first_name: "John",
        last_name: "Doe",
    },
    {
        authUserParam: "webshop_id",
    }
);

Sample output:

{
    webshop_id: "user",
    email: "[email protected]",
    extra: "email,first_name,last_name",
    first_name: "John",
    last_name: "Doe",
    signature: "nu0Un+05z/cNOFnLwQnigoW/KmA=",
    valid_until: 1631799172.0
}

Recipient side

Validating the signed request data is as simple as follows.

Required imports

CommonJS

const { validateSignedRequestData } = require("skajs");

ESM

import { validateSignedRequestData } from "skajs";
Validate signed requests

Validating the signed request data. Note, that data value is expected to be a dictionary; request.POST is given as an example.

validationResult = validateSignedRequestData(
    request.POST, // Note, that ``request.POST`` is given as example.
    "your-secret_key"
);

In case of signed URLs, it could look as follows:

validationResult = validateSignedRequestData(
    request.GET, // Note, that ``request.GET`` is given as example.
    "your-secret_key"
);

Options and defaults:

Similarly to signatureToDict function, the validateSignedRequestData also accepts a number of optional arguments (which have been described above):

  • signatureParam
  • authUserParam
  • validUntilParam
  • extraParam
  • signatureCls

With some customizations, it would look as follows:

validationResult = validateSignedRequestData(
    request.GET,
    "your-secret_key",
    {
        authUserParam: "webshop_id",
    }
);

Testing

Simply type:

npm test

Code style

The Prettier is used.

npx prettier --write .

License

MIT

Support

For any issues contact me at the e-mail given in the Author section.

Author

Artur Barseghyan [email protected]