Added nbf and exp support

Cleaned up
2021-05-23 22:41:35 +02:00 · 2021-05-23 18:33:04 +02:00
3 changed files with 80 additions and 46 deletions
--- a/README.md
+++ b/README.md
@@ -6,6 +6,7 @@ A lightweight JWT implementation with ZERO dependencies for Cloudflare Workers.

 - [Install](#install)
 - [Usage](#usage)
+- [Examples](#examples)

 ## Install

@@ -15,22 +16,6 @@ npm i @tsndr/cloudflare-worker-jwt

 ## Usage

-### Simple Example
-
-```javascript
-const jwt = require('@tsndr/cloudflare-worker-jwt')
-
-// Creating a token
-const token = jwt.sign({ name: 'John Doe', email: 'john.doe@gmail.com' }, 'secret')
-
-// Verifing token
-const isValid = jwt.verify(token, 'secret')
-
-// Decoding token
-const payload = jwt.decode(token)
-
-```
-
 <hr>

 ### `jwt.sign(payload, secret, [algorithm])`
@@ -41,7 +26,7 @@ Signs a payload and returns the token.

 Argument    | Type     | Satus    | Default | Description
 ----------- | -------- | -------- | ------- | -----------
-`payload`   | `object` | required | -       | The payload object
+`payload`   | `object` | required | -       | The payload object. To use `nbf` (Not Before) and/or `exp` (Expiration Time) add `nbf` and/or `exp` to the payload.
 `secret`    | `string` | required | -       | A string which is used to sign the payload.
 `algorithm` | `string` | optional | `HS256` | The algorithm used to sign the payload, possible values: `HS256` or `HS512`

@@ -61,17 +46,58 @@ Argument    | Type     | Satus    | Default | Description
 `algorithm` | `string` | optional | `HS256` | The algorithm used to sign the payload, possible values: `HS256` or `HS512`

 #### `return`
-returns `boolean`
+Returns `true` if signature, `nbf` (if set) and `exp` (if set) are valid, otherwise returns `false`. 

 <hr>

 ### `jwt.decode(token)`

-Returns the payload without verifying the integrity of the token.
+Returns the payload **without** verifying the integrity of the token. Please use `jwt.verify()` first to keep your application secure!

 Argument    | Type     | Satus    | Default | Description
 ----------- | -------- | -------- | ------- | -----------
 `token`     | `string` | required | -       | The token string generated by `jwt.sign()`.

 #### `return`
-returns payload `object`
+Returns payload `object`.
+
+## Examples
+
+### Basic Example
+
+```javascript
+async () => {
+    const jwt = require('@tsndr/cloudflare-worker-jwt')
+
+    // Creating a token
+    const token = await jwt.sign({ name: 'John Doe', email: 'john.doe@gmail.com' }, 'secret')
+
+    // Verifing token
+    const isValid = await jwt.verify(token, 'secret')
+
+    // Decoding token
+    const payload = jwt.decode(token)
+}
+```
+
+### Restrict Timeframe
+
+```javascript
+async () => {
+    const jwt = require('@tsndr/cloudflare-worker-jwt')
+
+    // Creating a token
+    const token = await jwt.sign({
+        name: 'John Doe',
+        email: 'john.doe@gmail.com',
+        nbf: Math.floor(Date.now() / 1000) + (60 * 60),      // Not before: Now + 1h
+        exp: Math.floor(Date.now() / 1000) + (2 * (60 * 60)) // Expires: Now + 2h
+    }, 'secret')
+
+    // Verifing token
+    const isValid = await jwt.verify(token, 'secret') // false
+
+    // Decoding token
+    const payload = jwt.decode(token) // { name: 'John Doe', email: 'john.doe@gmail.com', ... }
+}
+```
--- a/index.js
+++ b/index.js
@@ -26,9 +26,28 @@ class JWT {
            }
        }
    }
-    utf8ToUint8Array(str) {
+    _utf8ToUint8Array(str) {
        return Base64URL.parse(btoa(unescape(encodeURIComponent(str))))
    }
+    _decodePayload(raw) {
+        switch (raw.length % 4) {
+            case 0:
+                break
+            case 2:
+                raw += '=='
+                break
+            case 3:
+                raw += '='
+                break
+            default:
+                throw new Error('Illegal base64url string!')
+        }
+        try {
+            return JSON.parse(decodeURIComponent(escape(atob(raw))))
+        } catch {
+            return null
+        }
+    }
    async sign(payload, secret, algorithm = 'HS256') {
        if (payload === null || typeof payload !== 'object')
            throw new Error('payload must be an object')
@@ -39,11 +58,12 @@ class JWT {
        const importAlgorithm = this.algorithms[algorithm]
        if (!importAlgorithm)
            throw new Error('algorithm not found')
+        payload.iat = Math.floor(Date.now() / 1000)
        const payloadAsJSON = JSON.stringify(payload)
-        const partialToken = `${Base64URL.stringify(this.utf8ToUint8Array(JSON.stringify({ alg: algorithm, typ: 'JWT' })))}.${Base64URL.stringify(this.utf8ToUint8Array(payloadAsJSON))}`
-        const key = await crypto.subtle.importKey('raw', this.utf8ToUint8Array(secret), importAlgorithm, false, ['sign'])
+        const partialToken = `${Base64URL.stringify(this._utf8ToUint8Array(JSON.stringify({ alg: algorithm, typ: 'JWT' })))}.${Base64URL.stringify(this._utf8ToUint8Array(payloadAsJSON))}`
+        const key = await crypto.subtle.importKey('raw', this._utf8ToUint8Array(secret), importAlgorithm, false, ['sign'])
        const characters = payloadAsJSON.split('')
-        const it = this.utf8ToUint8Array(payloadAsJSON).entries()
+        const it = this._utf8ToUint8Array(payloadAsJSON).entries()
        let i = 0
        const result = []
        let current
@@ -51,7 +71,7 @@ class JWT {
            result.push([current.value[1], characters[i]])
            i++
        }
-        const signature = await crypto.subtle.sign(importAlgorithm.name, key, this.utf8ToUint8Array(partialToken))
+        const signature = await crypto.subtle.sign(importAlgorithm.name, key, this._utf8ToUint8Array(partialToken))
        return `${partialToken}.${Base64URL.stringify(new Uint8Array(signature))}`
    }
    async verify(token, secret, algorithm = 'HS256') {
@@ -67,33 +87,21 @@ class JWT {
        const importAlgorithm = this.algorithms[algorithm]
        if (!importAlgorithm)
            throw new Error('algorithm not found')
-        const keyData = this.utf8ToUint8Array(secret)
+        const keyData = this._utf8ToUint8Array(secret)
        const key = await crypto.subtle.importKey('raw', keyData, importAlgorithm, false, ['sign'])
        const partialToken = tokenParts.slice(0, 2).join('.')
+        const payload = this._decodePayload(tokenParts[1].replace(/-/g, '+').replace(/_/g, '/'))
+        if (payload.nbf && payload.nbf >= Math.floor(Date.now() / 1000))
+            return false
+        if (payload.exp && payload.exp < Math.floor(Date.now() / 1000))
+            return false
        const signaturePart = tokenParts[2]
-        const messageAsUint8Array = this.utf8ToUint8Array(partialToken)
+        const messageAsUint8Array = this._utf8ToUint8Array(partialToken)
        const res = await crypto.subtle.sign(importAlgorithm.name, key, messageAsUint8Array)
        return Base64URL.stringify(new Uint8Array(res)) === signaturePart
    }
    decode(token) {
-        let output = token.split('.')[1].replace(/-/g, '+').replace(/_/g, '/')
-        switch (output.length % 4) {
-            case 0:
-                break
-            case 2:
-                output += '=='
-                break
-            case 3:
-                output += '='
-                break
-            default:
-                throw new Error('Illegal base64url string!')
-        }
-        try {
-            return JSON.parse(decodeURIComponent(escape(atob(output))))
-        } catch {
-            return null
-        }
+        return this._decodePayload(token.split('.')[1].replace(/-/g, '+').replace(/_/g, '/'))
    }
 }

--- a/package.json
+++ b/package.json
@@ -1,6 +1,6 @@
 {
  "name": "@tsndr/cloudflare-worker-jwt",
-  "version": "1.0.8",
+  "version": "1.1.0",
  "description": "A lightweight JWT implementation with ZERO dependencies for Cloudflare Worker",
  "main": "index.js",
  "scripts": {
Author	SHA1	Message	Date
Tobias Schneider	8d9f70ca36	Added `nbf` and `exp` support	2021-05-23 22:41:35 +02:00
Tobias Schneider	e34e1aedab	Cleaned up	2021-05-23 18:33:04 +02:00