arnaucube
/
thoughts
mirror of https://github.com/arnaucube/thoughts.git
1
0
Fork 0
Code Issues Projects Releases Wiki Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
3 Commits
1 Branch
0 Tags
5.0 MiB
Tree: 64882fc513
Branches Tags
${ item.name }
Create branch ${ searchTerm }
from '64882fc513'
${ noResults }
thoughts/node_modules/jsonwebtoken/README.md

260 lines
8.6 KiB
Raw Normal View History

get token for user, post users, get all users, post thought, get all thoughts. runs ok
8 years ago
  1. # jsonwebtoken [![Build Status](https://secure.travis-ci.org/auth0/node-jsonwebtoken.svg?branch=master)](http://travis-ci.org/auth0/node-jsonwebtoken)[![Dependency Status](https://david-dm.org/auth0/node-jsonwebtoken.svg)](https://david-dm.org/auth0/node-jsonwebtoken)
  4. An implementation of [JSON Web Tokens](https://tools.ietf.org/html/rfc7519).
  6. This was developed against `draft-ietf-oauth-json-web-token-08`. It makes use of [node-jws](https://github.com/brianloveswords/node-jws)
  8. # Install
  10. ```bash
  11. $ npm install jsonwebtoken
  12. ```
  14. # Usage
  16. ### jwt.sign(payload, secretOrPrivateKey, options, [callback])
  18. (Asynchronous) If a callback is supplied, callback is called with the `err` or the JWT.
  20. (Synchronous) Returns the JsonWebToken as string
  22. `payload` could be an object literal, buffer or string. *Please note that* `exp` is only set if the payload is an object literal.
  24. `secretOrPrivateKey` is a string or buffer containing either the secret for HMAC algorithms, or the PEM
  25. encoded private key for RSA and ECDSA.
  27. `options`:
  29. * `algorithm` (default: `HS256`)
  30. * `expiresIn`: expressed in seconds or a string describing a time span [rauchg/ms](https://github.com/rauchg/ms.js). Eg: `60`, `"2 days"`, `"10h"`, `"7d"`
  31. * `notBefore`: expressed in seconds or a string describing a time span [rauchg/ms](https://github.com/rauchg/ms.js). Eg: `60`, `"2 days"`, `"10h"`, `"7d"`
  32. * `audience`
  33. * `issuer`
  34. * `jwtid`
  35. * `subject`
  36. * `noTimestamp`
  37. * `header`
  39. If `payload` is not a buffer or a string, it will be coerced into a string using `JSON.stringify`.
  41. There are no default values for `expiresIn`, `notBefore`, `audience`, `subject`, `issuer`. These claims can also be provided in the payload directly with `exp`, `nbf`, `aud` and `sub` respectively, but you can't include in both places.
  44. The header can be customized via the `option.header` object.
  46. Generated jwts will include an `iat` (issued at) claim by default unless `noTimestamp` is specified. If `iat` is inserted in the payload, it will be used instead of the real timestamp for calculating other things like `exp` given a timespan in `options.expiresIn`.
  48. Example
  50. ```js
  51. // sign with default (HMAC SHA256)
  52. var jwt = require('jsonwebtoken');
  53. var token = jwt.sign({ foo: 'bar' }, 'shhhhh');
  54. //backdate a jwt 30 seconds
  55. var older_token = jwt.sign({ foo: 'bar', iat: Math.floor(Date.now() / 1000) - 30 }, 'shhhhh');
  57. // sign with RSA SHA256
  58. var cert = fs.readFileSync('private.key'); // get private key
  59. var token = jwt.sign({ foo: 'bar' }, cert, { algorithm: 'RS256'});
  61. // sign asynchronously
  62. jwt.sign({ foo: 'bar' }, cert, { algorithm: 'RS256' }, function(err, token) {
  63. console.log(token);
  64. });
  65. ```
  67. ### jwt.verify(token, secretOrPublicKey, [options, callback])
  69. (Asynchronous) If a callback is supplied, function acts asynchronously. Callback passed the payload decoded if the signature (and optionally expiration, audience, issuer) are valid. If not, it will be passed the error.
  71. (Synchronous) If a callback is not supplied, function acts synchronously. Returns the payload decoded if the signature (and optionally expiration, audience, issuer) are valid. If not, it will throw the error.
  73. `token` is the JsonWebToken string
  75. `secretOrPublicKey` is a string or buffer containing either the secret for HMAC algorithms, or the PEM
  76. encoded public key for RSA and ECDSA.
  78. `options`
  80. * `algorithms`: List of strings with the names of the allowed algorithms. For instance, `["HS256", "HS384"]`.
  81. * `audience`: if you want to check audience (`aud`), provide a value here
  82. * `issuer` (optional): string or array of strings of valid values for the `iss` field.
  83. * `ignoreExpiration`: if `true` do not validate the expiration of the token.
  84. * `ignoreNotBefore`...
  85. * `subject`: if you want to check subject (`sub`), provide a value here
  86. * `clockTolerance`: number of second to tolerate when checking the `nbf` and `exp` claims, to deal with small clock differences among different servers
  89. ```js
  90. // verify a token symmetric - synchronous
  91. var decoded = jwt.verify(token, 'shhhhh');
  92. console.log(decoded.foo) // bar
  94. // verify a token symmetric
  95. jwt.verify(token, 'shhhhh', function(err, decoded) {
  96. console.log(decoded.foo) // bar
  97. });
  99. // invalid token - synchronous
  100. try {
  101. var decoded = jwt.verify(token, 'wrong-secret');
  102. } catch(err) {
  103. // err
  104. }
  106. // invalid token
  107. jwt.verify(token, 'wrong-secret', function(err, decoded) {
  108. // err
  109. // decoded undefined
  110. });
  112. // verify a token asymmetric
  113. var cert = fs.readFileSync('public.pem'); // get public key
  114. jwt.verify(token, cert, function(err, decoded) {
  115. console.log(decoded.foo) // bar
  116. });
  118. // verify audience
  119. var cert = fs.readFileSync('public.pem'); // get public key
  120. jwt.verify(token, cert, { audience: 'urn:foo' }, function(err, decoded) {
  121. // if audience mismatch, err == invalid audience
  122. });
  124. // verify issuer
  125. var cert = fs.readFileSync('public.pem'); // get public key
  126. jwt.verify(token, cert, { audience: 'urn:foo', issuer: 'urn:issuer' }, function(err, decoded) {
  127. // if issuer mismatch, err == invalid issuer
  128. });
  130. // verify jwt id
  131. var cert = fs.readFileSync('public.pem'); // get public key
  132. jwt.verify(token, cert, { audience: 'urn:foo', issuer: 'urn:issuer', jwtid: 'jwtid' }, function(err, decoded) {
  133. // if jwt id mismatch, err == invalid jwt id
  134. });
  136. // verify subject
  137. var cert = fs.readFileSync('public.pem'); // get public key
  138. jwt.verify(token, cert, { audience: 'urn:foo', issuer: 'urn:issuer', jwtid: 'jwtid', subject: 'subject' }, function(err, decoded) {
  139. // if subject mismatch, err == invalid subject
  140. });
  142. // alg mismatch
  143. var cert = fs.readFileSync('public.pem'); // get public key
  144. jwt.verify(token, cert, { algorithms: ['RS256'] }, function (err, payload) {
  145. // if token alg != RS256, err == invalid signature
  146. });
  148. ```
  150. ### jwt.decode(token [, options])
  152. (Synchronous) Returns the decoded payload without verifying if the signature is valid.
  154. __Warning:__ This will __not__ verify whether the signature is valid. You should __not__ use this for untrusted messages. You most likely want to use `jwt.verify` instead.
  156. `token` is the JsonWebToken string
  158. `options`:
  160. * `json`: force JSON.parse on the payload even if the header doesn't contain `"typ":"JWT"`.
  161. * `complete`: return an object with the decoded payload and header.
  163. Example
  165. ```js
  166. // get the decoded payload ignoring signature, no secretOrPrivateKey needed
  167. var decoded = jwt.decode(token);
  169. // get the decoded payload and header
  170. var decoded = jwt.decode(token, {complete: true});
  171. console.log(decoded.header);
  172. console.log(decoded.payload)
  173. ```
  175. ## Errors & Codes
  176. Possible thrown errors during verification.
  177. Error is the first argument of the verification callback.
  179. ### TokenExpiredError
  181. Thrown error if the token is expired.
  183. Error object:
  185. * name: 'TokenExpiredError'
  186. * message: 'jwt expired'
  187. * expiredAt: [ExpDate]
  189. ```js
  190. jwt.verify(token, 'shhhhh', function(err, decoded) {
  191. if (err) {
  192. /*
  193. err = {
  194. name: 'TokenExpiredError',
  195. message: 'jwt expired',
  196. expiredAt: 1408621000
  197. }
  198. */
  199. }
  200. });
  201. ```
  203. ### JsonWebTokenError
  204. Error object:
  206. * name: 'JsonWebTokenError'
  207. * message:
  208. * 'jwt malformed'
  209. * 'jwt signature is required'
  210. * 'invalid signature'
  211. * 'jwt audience invalid. expected: [OPTIONS AUDIENCE]'
  212. * 'jwt issuer invalid. expected: [OPTIONS ISSUER]'
  213. * 'jwt id invalid. expected: [OPTIONS JWT ID]'
  214. * 'jwt subject invalid. expected: [OPTIONS SUBJECT]'
  216. ```js
  217. jwt.verify(token, 'shhhhh', function(err, decoded) {
  218. if (err) {
  219. /*
  220. err = {
  221. name: 'JsonWebTokenError',
  222. message: 'jwt malformed'
  223. }
  224. */
  225. }
  226. });
  227. ```
  229. ## Algorithms supported
  231. Array of supported algorithms. The following algorithms are currently supported.
  233. alg Parameter Value | Digital Signature or MAC Algorithm
  234. ----------------|----------------------------
  235. HS256 | HMAC using SHA-256 hash algorithm
  236. HS384 | HMAC using SHA-384 hash algorithm
  237. HS512 | HMAC using SHA-512 hash algorithm
  238. RS256 | RSASSA using SHA-256 hash algorithm
  239. RS384 | RSASSA using SHA-384 hash algorithm
  240. RS512 | RSASSA using SHA-512 hash algorithm
  241. ES256 | ECDSA using P-256 curve and SHA-256 hash algorithm
  242. ES384 | ECDSA using P-384 curve and SHA-384 hash algorithm
  243. ES512 | ECDSA using P-521 curve and SHA-512 hash algorithm
  244. none | No digital signature or MAC value included
  246. # TODO
  248. * X.509 certificate chain is not checked
  250. ## Issue Reporting
  252. If you have found a bug or if you have a feature request, please report them at this repository issues section. Please do not report security vulnerabilities on the public GitHub issue tracker. The [Responsible Disclosure Program](https://auth0.com/whitehat) details the procedure for disclosing security issues.
  254. ## Author
  256. [Auth0](https://auth0.com)
  258. ## License
  260. This project is licensed under the MIT license. See the [LICENSE](LICENSE) file for more info.