From 8d9f70ca3642d1988e794f8129068605425a9687 Mon Sep 17 00:00:00 2001 From: Tobias Schneider Date: Sun, 23 May 2021 22:41:35 +0200 Subject: [PATCH] Added `nbf` and `exp` support --- README.md | 65 +++++++++++++++++++++++++++++++++++++--------------- index.js | 58 ++++++++++++++++++++++++++-------------------- package.json | 2 +- 3 files changed, 80 insertions(+), 45 deletions(-) diff --git a/README.md b/README.md index 5a153ed..c10cd99 100644 --- a/README.md +++ b/README.md @@ -6,6 +6,7 @@ A lightweight JWT implementation with ZERO dependencies for Cloudflare Workers. - [Install](#install) - [Usage](#usage) +- [Examples](#examples) ## Install @@ -15,21 +16,6 @@ npm i @tsndr/cloudflare-worker-jwt ## Usage -### Simple Example - -```javascript -const jwt = require('@tsndr/cloudflare-worker-jwt') - -// Creating a token -const token = jwt.sign({ name: 'John Doe', email: 'john.doe@gmail.com' }, 'secret') - -// Verifing token -const isValid = jwt.verify(token, 'secret') - -// Decoding token -const payload = jwt.decode(token) -``` -
### `jwt.sign(payload, secret, [algorithm])` @@ -40,7 +26,7 @@ Signs a payload and returns the token. Argument | Type | Satus | Default | Description ----------- | -------- | -------- | ------- | ----------- -`payload` | `object` | required | - | The payload object +`payload` | `object` | required | - | The payload object. To use `nbf` (Not Before) and/or `exp` (Expiration Time) add `nbf` and/or `exp` to the payload. `secret` | `string` | required | - | A string which is used to sign the payload. `algorithm` | `string` | optional | `HS256` | The algorithm used to sign the payload, possible values: `HS256` or `HS512` @@ -60,17 +46,58 @@ Argument | Type | Satus | Default | Description `algorithm` | `string` | optional | `HS256` | The algorithm used to sign the payload, possible values: `HS256` or `HS512` #### `return` -returns `boolean` +Returns `true` if signature, `nbf` (if set) and `exp` (if set) are valid, otherwise returns `false`.
### `jwt.decode(token)` -Returns the payload without verifying the integrity of the token. +Returns the payload **without** verifying the integrity of the token. Please use `jwt.verify()` first to keep your application secure! Argument | Type | Satus | Default | Description ----------- | -------- | -------- | ------- | ----------- `token` | `string` | required | - | The token string generated by `jwt.sign()`. #### `return` -returns payload `object` \ No newline at end of file +Returns payload `object`. + +## Examples + +### Basic Example + +```javascript +async () => { + const jwt = require('@tsndr/cloudflare-worker-jwt') + + // Creating a token + const token = await jwt.sign({ name: 'John Doe', email: 'john.doe@gmail.com' }, 'secret') + + // Verifing token + const isValid = await jwt.verify(token, 'secret') + + // Decoding token + const payload = jwt.decode(token) +} +``` + +### Restrict Timeframe + +```javascript +async () => { + const jwt = require('@tsndr/cloudflare-worker-jwt') + + // Creating a token + const token = await jwt.sign({ + name: 'John Doe', + email: 'john.doe@gmail.com', + nbf: Math.floor(Date.now() / 1000) + (60 * 60), // Not before: Now + 1h + exp: Math.floor(Date.now() / 1000) + (2 * (60 * 60)) // Expires: Now + 2h + }, 'secret') + + // Verifing token + const isValid = await jwt.verify(token, 'secret') // false + + // Decoding token + const payload = jwt.decode(token) // { name: 'John Doe', email: 'john.doe@gmail.com', ... } +} +``` \ No newline at end of file diff --git a/index.js b/index.js index 46f3236..3e6827b 100644 --- a/index.js +++ b/index.js @@ -26,9 +26,28 @@ class JWT { } } } - utf8ToUint8Array(str) { + _utf8ToUint8Array(str) { return Base64URL.parse(btoa(unescape(encodeURIComponent(str)))) } + _decodePayload(raw) { + switch (raw.length % 4) { + case 0: + break + case 2: + raw += '==' + break + case 3: + raw += '=' + break + default: + throw new Error('Illegal base64url string!') + } + try { + return JSON.parse(decodeURIComponent(escape(atob(raw)))) + } catch { + return null + } + } async sign(payload, secret, algorithm = 'HS256') { if (payload === null || typeof payload !== 'object') throw new Error('payload must be an object') @@ -39,11 +58,12 @@ class JWT { const importAlgorithm = this.algorithms[algorithm] if (!importAlgorithm) throw new Error('algorithm not found') + payload.iat = Math.floor(Date.now() / 1000) const payloadAsJSON = JSON.stringify(payload) - const partialToken = `${Base64URL.stringify(this.utf8ToUint8Array(JSON.stringify({ alg: algorithm, typ: 'JWT' })))}.${Base64URL.stringify(this.utf8ToUint8Array(payloadAsJSON))}` - const key = await crypto.subtle.importKey('raw', this.utf8ToUint8Array(secret), importAlgorithm, false, ['sign']) + const partialToken = `${Base64URL.stringify(this._utf8ToUint8Array(JSON.stringify({ alg: algorithm, typ: 'JWT' })))}.${Base64URL.stringify(this._utf8ToUint8Array(payloadAsJSON))}` + const key = await crypto.subtle.importKey('raw', this._utf8ToUint8Array(secret), importAlgorithm, false, ['sign']) const characters = payloadAsJSON.split('') - const it = this.utf8ToUint8Array(payloadAsJSON).entries() + const it = this._utf8ToUint8Array(payloadAsJSON).entries() let i = 0 const result = [] let current @@ -51,7 +71,7 @@ class JWT { result.push([current.value[1], characters[i]]) i++ } - const signature = await crypto.subtle.sign(importAlgorithm.name, key, this.utf8ToUint8Array(partialToken)) + const signature = await crypto.subtle.sign(importAlgorithm.name, key, this._utf8ToUint8Array(partialToken)) return `${partialToken}.${Base64URL.stringify(new Uint8Array(signature))}` } async verify(token, secret, algorithm = 'HS256') { @@ -67,33 +87,21 @@ class JWT { const importAlgorithm = this.algorithms[algorithm] if (!importAlgorithm) throw new Error('algorithm not found') - const keyData = this.utf8ToUint8Array(secret) + const keyData = this._utf8ToUint8Array(secret) const key = await crypto.subtle.importKey('raw', keyData, importAlgorithm, false, ['sign']) const partialToken = tokenParts.slice(0, 2).join('.') + const payload = this._decodePayload(tokenParts[1].replace(/-/g, '+').replace(/_/g, '/')) + if (payload.nbf && payload.nbf >= Math.floor(Date.now() / 1000)) + return false + if (payload.exp && payload.exp < Math.floor(Date.now() / 1000)) + return false const signaturePart = tokenParts[2] - const messageAsUint8Array = this.utf8ToUint8Array(partialToken) + const messageAsUint8Array = this._utf8ToUint8Array(partialToken) const res = await crypto.subtle.sign(importAlgorithm.name, key, messageAsUint8Array) return Base64URL.stringify(new Uint8Array(res)) === signaturePart } decode(token) { - let output = token.split('.')[1].replace(/-/g, '+').replace(/_/g, '/') - switch (output.length % 4) { - case 0: - break - case 2: - output += '==' - break - case 3: - output += '=' - break - default: - throw new Error('Illegal base64url string!') - } - try { - return JSON.parse(decodeURIComponent(escape(atob(output)))) - } catch { - return null - } + return this._decodePayload(token.split('.')[1].replace(/-/g, '+').replace(/_/g, '/')) } } diff --git a/package.json b/package.json index f1ae254..bd7a487 100644 --- a/package.json +++ b/package.json @@ -1,6 +1,6 @@ { "name": "@tsndr/cloudflare-worker-jwt", - "version": "1.0.8", + "version": "1.1.0", "description": "A lightweight JWT implementation with ZERO dependencies for Cloudflare Worker", "main": "index.js", "scripts": {