-
Notifications
You must be signed in to change notification settings - Fork 0
/
package.json
81 lines (81 loc) · 11.4 KB
/
package.json
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
{
"_args": [
[
{
"raw": "jsonwebtoken@https://registry.npmjs.org/jsonwebtoken/-/jsonwebtoken-7.1.9.tgz",
"scope": null,
"escapedName": "jsonwebtoken",
"name": "jsonwebtoken",
"rawSpec": "https://registry.npmjs.org/jsonwebtoken/-/jsonwebtoken-7.1.9.tgz",
"spec": "https://registry.npmjs.org/jsonwebtoken/-/jsonwebtoken-7.1.9.tgz",
"type": "remote"
},
"C:\\Users\\gilfo\\OneDrive\\Documentos\\GitHub\\Firebase-Authentication-on-Websites\\functions\\node_modules\\firebase-admin"
]
],
"_from": "jsonwebtoken@7.1.9",
"_id": "jsonwebtoken@7.1.9",
"_inCache": true,
"_location": "/firebase-admin/jsonwebtoken",
"_phantomChildren": {},
"_requested": {
"raw": "jsonwebtoken@https://registry.npmjs.org/jsonwebtoken/-/jsonwebtoken-7.1.9.tgz",
"scope": null,
"escapedName": "jsonwebtoken",
"name": "jsonwebtoken",
"rawSpec": "https://registry.npmjs.org/jsonwebtoken/-/jsonwebtoken-7.1.9.tgz",
"spec": "https://registry.npmjs.org/jsonwebtoken/-/jsonwebtoken-7.1.9.tgz",
"type": "remote"
},
"_requiredBy": [
"/firebase-admin"
],
"_resolved": "https://registry.npmjs.org/jsonwebtoken/-/jsonwebtoken-7.1.9.tgz",
"_shasum": "847804e5258bec5a9499a8dc4a5e7a3bae08d58a",
"_shrinkwrap": null,
"_spec": "jsonwebtoken@https://registry.npmjs.org/jsonwebtoken/-/jsonwebtoken-7.1.9.tgz",
"_where": "C:\\Users\\gilfo\\OneDrive\\Documentos\\GitHub\\Firebase-Authentication-on-Websites\\functions\\node_modules\\firebase-admin",
"author": {
"name": "auth0"
},
"bugs": {
"url": "https://github.com/auth0/node-jsonwebtoken/issues"
},
"dependencies": {
"joi": "^6.10.1",
"jws": "^3.1.3",
"lodash.once": "^4.0.0",
"ms": "^0.7.1",
"xtend": "^4.0.1"
},
"description": "JSON Web Token implementation (symmetric and asymmetric)",
"devDependencies": {
"atob": "^1.1.2",
"chai": "^1.10.0",
"conventional-changelog": "~1.1.0",
"mocha": "^2.1.0",
"sinon": "^1.15.4"
},
"engines": {
"node": ">=0.12",
"npm": ">=1.4.28"
},
"homepage": "https://github.com/auth0/node-jsonwebtoken#readme",
"keywords": [
"jwt"
],
"license": "MIT",
"main": "index.js",
"name": "jsonwebtoken",
"optionalDependencies": {},
"readme": "# jsonwebtoken [![Build Status](https://secure.travis-ci.org/auth0/node-jsonwebtoken.svg?branch=master)](http://travis-ci.org/auth0/node-jsonwebtoken)[![Dependency Status](https://david-dm.org/auth0/node-jsonwebtoken.svg)](https://david-dm.org/auth0/node-jsonwebtoken)\n\n\nAn implementation of [JSON Web Tokens](https://tools.ietf.org/html/rfc7519).\n\nThis was developed against `draft-ietf-oauth-json-web-token-08`. It makes use of [node-jws](https://github.com/brianloveswords/node-jws)\n\n# Install\n\n```bash\n$ npm install jsonwebtoken\n```\n\n# Usage\n\n### jwt.sign(payload, secretOrPrivateKey, options, [callback])\n\n(Asynchronous) If a callback is supplied, callback is called with the `err` or the JWT.\n\n(Synchronous) Returns the JsonWebToken as string\n\n`payload` could be an object literal, buffer or string. *Please note that* `exp` is only set if the payload is an object literal.\n\n`secretOrPrivateKey` is a string or buffer containing either the secret for HMAC algorithms, or the PEM\nencoded private key for RSA and ECDSA.\n\n`options`:\n\n* `algorithm` (default: `HS256`)\n* `expiresIn`: expressed in seconds or a string describing a time span [rauchg/ms](https://github.com/rauchg/ms.js). Eg: `60`, `\"2 days\"`, `\"10h\"`, `\"7d\"`\n* `notBefore`: expressed in seconds or a string describing a time span [rauchg/ms](https://github.com/rauchg/ms.js). Eg: `60`, `\"2 days\"`, `\"10h\"`, `\"7d\"`\n* `audience`\n* `issuer`\n* `jwtid`\n* `subject`\n* `noTimestamp`\n* `header`\n\nIf `payload` is not a buffer or a string, it will be coerced into a string using `JSON.stringify`.\n\nThere are no default values for `expiresIn`, `notBefore`, `audience`, `subject`, `issuer`. These claims can also be provided in the payload directly with `exp`, `nbf`, `aud` and `sub` respectively, but you can't include in both places.\n\n\nThe header can be customized via the `option.header` object.\n\nGenerated jwts will include an `iat` (issued at) claim by default unless `noTimestamp` is specified. If `iat` is inserted in the payload, it will be used instead of the real timestamp for calculating other things like `exp` given a timespan in `options.expiresIn`.\n\nExample\n\n```js\n// sign with default (HMAC SHA256)\nvar jwt = require('jsonwebtoken');\nvar token = jwt.sign({ foo: 'bar' }, 'shhhhh');\n//backdate a jwt 30 seconds\nvar older_token = jwt.sign({ foo: 'bar', iat: Math.floor(Date.now() / 1000) - 30 }, 'shhhhh');\n\n// sign with RSA SHA256\nvar cert = fs.readFileSync('private.key'); // get private key\nvar token = jwt.sign({ foo: 'bar' }, cert, { algorithm: 'RS256'});\n\n// sign asynchronously\njwt.sign({ foo: 'bar' }, cert, { algorithm: 'RS256' }, function(err, token) {\n console.log(token);\n});\n```\n\n### jwt.verify(token, secretOrPublicKey, [options, callback])\n\n(Asynchronous) If a callback is supplied, function acts asynchronously. Callback passed the payload decoded if the signature (and optionally expiration, audience, issuer) are valid. If not, it will be passed the error.\n\n(Synchronous) If a callback is not supplied, function acts synchronously. Returns the payload decoded if the signature (and optionally expiration, audience, issuer) are valid. If not, it will throw the error.\n\n`token` is the JsonWebToken string\n\n`secretOrPublicKey` is a string or buffer containing either the secret for HMAC algorithms, or the PEM\nencoded public key for RSA and ECDSA.\n\n`options`\n\n* `algorithms`: List of strings with the names of the allowed algorithms. For instance, `[\"HS256\", \"HS384\"]`.\n* `audience`: if you want to check audience (`aud`), provide a value here\n* `issuer` (optional): string or array of strings of valid values for the `iss` field.\n* `ignoreExpiration`: if `true` do not validate the expiration of the token.\n* `ignoreNotBefore`...\n* `subject`: if you want to check subject (`sub`), provide a value here\n* `clockTolerance`: number of second to tolerate when checking the `nbf` and `exp` claims, to deal with small clock differences among different servers\n\n\n```js\n// verify a token symmetric - synchronous\nvar decoded = jwt.verify(token, 'shhhhh');\nconsole.log(decoded.foo) // bar\n\n// verify a token symmetric\njwt.verify(token, 'shhhhh', function(err, decoded) {\n console.log(decoded.foo) // bar\n});\n\n// invalid token - synchronous\ntry {\n var decoded = jwt.verify(token, 'wrong-secret');\n} catch(err) {\n // err\n}\n\n// invalid token\njwt.verify(token, 'wrong-secret', function(err, decoded) {\n // err\n // decoded undefined\n});\n\n// verify a token asymmetric\nvar cert = fs.readFileSync('public.pem'); // get public key\njwt.verify(token, cert, function(err, decoded) {\n console.log(decoded.foo) // bar\n});\n\n// verify audience\nvar cert = fs.readFileSync('public.pem'); // get public key\njwt.verify(token, cert, { audience: 'urn:foo' }, function(err, decoded) {\n // if audience mismatch, err == invalid audience\n});\n\n// verify issuer\nvar cert = fs.readFileSync('public.pem'); // get public key\njwt.verify(token, cert, { audience: 'urn:foo', issuer: 'urn:issuer' }, function(err, decoded) {\n // if issuer mismatch, err == invalid issuer\n});\n\n// verify jwt id\nvar cert = fs.readFileSync('public.pem'); // get public key\njwt.verify(token, cert, { audience: 'urn:foo', issuer: 'urn:issuer', jwtid: 'jwtid' }, function(err, decoded) {\n // if jwt id mismatch, err == invalid jwt id\n});\n\n// verify subject\nvar cert = fs.readFileSync('public.pem'); // get public key\njwt.verify(token, cert, { audience: 'urn:foo', issuer: 'urn:issuer', jwtid: 'jwtid', subject: 'subject' }, function(err, decoded) {\n // if subject mismatch, err == invalid subject\n});\n\n// alg mismatch\nvar cert = fs.readFileSync('public.pem'); // get public key\njwt.verify(token, cert, { algorithms: ['RS256'] }, function (err, payload) {\n // if token alg != RS256, err == invalid signature\n});\n\n```\n\n### jwt.decode(token [, options])\n\n(Synchronous) Returns the decoded payload without verifying if the signature is valid.\n\n__Warning:__ This will __not__ verify whether the signature is valid. You should __not__ use this for untrusted messages. You most likely want to use `jwt.verify` instead.\n\n`token` is the JsonWebToken string\n\n`options`:\n\n* `json`: force JSON.parse on the payload even if the header doesn't contain `\"typ\":\"JWT\"`.\n* `complete`: return an object with the decoded payload and header.\n\nExample\n\n```js\n// get the decoded payload ignoring signature, no secretOrPrivateKey needed\nvar decoded = jwt.decode(token);\n\n// get the decoded payload and header\nvar decoded = jwt.decode(token, {complete: true});\nconsole.log(decoded.header);\nconsole.log(decoded.payload)\n```\n\n## Errors & Codes\nPossible thrown errors during verification.\nError is the first argument of the verification callback.\n\n### TokenExpiredError\n\nThrown error if the token is expired.\n\nError object:\n\n* name: 'TokenExpiredError'\n* message: 'jwt expired'\n* expiredAt: [ExpDate]\n\n```js\njwt.verify(token, 'shhhhh', function(err, decoded) {\n if (err) {\n /*\n err = {\n name: 'TokenExpiredError',\n message: 'jwt expired',\n expiredAt: 1408621000\n }\n */\n }\n});\n```\n\n### JsonWebTokenError\nError object:\n\n* name: 'JsonWebTokenError'\n* message:\n * 'jwt malformed'\n * 'jwt signature is required'\n * 'invalid signature'\n * 'jwt audience invalid. expected: [OPTIONS AUDIENCE]'\n * 'jwt issuer invalid. expected: [OPTIONS ISSUER]'\n * 'jwt id invalid. expected: [OPTIONS JWT ID]'\n * 'jwt subject invalid. expected: [OPTIONS SUBJECT]'\n\n```js\njwt.verify(token, 'shhhhh', function(err, decoded) {\n if (err) {\n /*\n err = {\n name: 'JsonWebTokenError',\n message: 'jwt malformed'\n }\n */\n }\n});\n```\n\n## Algorithms supported\n\nArray of supported algorithms. The following algorithms are currently supported.\n\nalg Parameter Value | Digital Signature or MAC Algorithm\n----------------|----------------------------\nHS256 | HMAC using SHA-256 hash algorithm\nHS384 | HMAC using SHA-384 hash algorithm\nHS512 | HMAC using SHA-512 hash algorithm\nRS256 | RSASSA using SHA-256 hash algorithm\nRS384 | RSASSA using SHA-384 hash algorithm\nRS512 | RSASSA using SHA-512 hash algorithm\nES256 | ECDSA using P-256 curve and SHA-256 hash algorithm\nES384 | ECDSA using P-384 curve and SHA-384 hash algorithm\nES512 | ECDSA using P-521 curve and SHA-512 hash algorithm\nnone | No digital signature or MAC value included\n\n# TODO\n\n* X.509 certificate chain is not checked\n\n## Issue Reporting\n\nIf you have found a bug or if you have a feature request, please report them at this repository issues section. Please do not report security vulnerabilities on the public GitHub issue tracker. The [Responsible Disclosure Program](https://auth0.com/whitehat) details the procedure for disclosing security issues.\n\n## Author\n\n[Auth0](https://auth0.com)\n\n## License\n\nThis project is licensed under the MIT license. See the [LICENSE](LICENSE) file for more info.\n",
"readmeFilename": "README.md",
"repository": {
"type": "git",
"url": "git+https://github.com/auth0/node-jsonwebtoken.git"
},
"scripts": {
"test": "mocha --require test/util/fakeDate"
},
"version": "7.1.9"
}