Skip to content

borderless/web-jwt

BranchesTags

Repository files navigation

Web JWT

NPM version NPM downloads Build status Test coverage

Small JWT library using the Web Crypto API.

Installation

npm install @borderless/web-jwt --save

Usage

import {
  encodeJwt,
  decodeJwt,
  verifyJwt,
  NOOP_JWT,
  NONE_KEY,
} from "@borderless/web-jwt";

// Create a web crypto key.
const key = crypto.subtle.importKey(
  "jwk",
  {
    kty: "oct",
    k: "4Vulge0qgl6janNxYmrYk-sao2wR5tpyKkh_sTLY2CQ",
    alg: "HS256",
  },
  { name: "HMAC", hash: "SHA-256" },
  false,
  ["sign", "verify"]
);

// Create a JWT and sign using the key.
await encodeJwt(
  {
    alg: "HS256",
  },
  {
    test: true,
  },
  key
); //=> "eyJhbGciOiJIUzI1NiJ9.eyJ0ZXN0Ijp0cnVlfQ.pQM0RvgTKjtAC1XmMnCK4vhgGycbg0vVLn0rsiE8BGc"

// Decode the JWT.
const jwt = await decodeJwt(
  "eyJhbGciOiJIUzI1NiJ9.eyJ0ZXN0Ijp0cnVlfQ.pQM0RvgTKjtAC1XmMnCK4vhgGycbg0vVLn0rsiE8BGc"
); //=> { header, payload, ... }

// Verify the decoded JWT _before_ trusting!
const valid = await verifyJwt(jwt); //=> true

Notes:

  • decodeJwt will return a NOOP_JWT when decoding an invalid JWT. No errors are thrown on invalid data.
  • alg: none is only supported by using the NONE_KEY symbol exported by the package.
  • The JWT alg header is ignored and the crypto key algorithm is used instead. This avoids attacks using the alg header.

TypeScript

This project is written using TypeScript and publishes the definitions directly to NPM.

License

MIT

About

Small JWT library using the Web Crypto API

Resources

Readme

License

MIT license

Security policy

Security policy
Activity
Custom properties

Stars

9 stars

Watchers

4 watching

Forks

0 forks
Report repository

Releases 5

Remove spec files from package Latest
Aug 7, 2023
+ 4 releases

Packages

No packages published

Languages