Authentication Provider for JWT
Basic Usage
Note: It is always recommended to somehow configure the provider, either by supplying configuration arguments or using environment variables (see below)
import { JwtProvider } from "@cran/lib.auth.jwt";
const provider = new JwtProvider();
const token = provider.sign({ claim: 1, });
const { payload } = provider.verify(token);
const newToken = provider.exchange(token);
Inline Configuration
import { JwtProvider } from "@cran/lib.auth.jwt";
const configureAsymmetric = {
algorithm: `${"RS" | "ES" | "PS"}${256 | 384 | 512}`,
privateKey: fs.readFileSync("private.pem"),
publicKey: fs.readFileSync("public.pem"),
};
const provideAsymmetric = new JwtProvider(configureAsymmetric);
const configureSymmetric = {
algorithm: `${"HS"}${256 | 384 | 512}`,
secret: "development",
};
const provideSymmetric = new JwtProvider(configureSymmetric)
Environment Configuration
Note: If
JWT_ALGORITHM
is not supplied it is assumed to be symmetric HS256 by default as perjsonwebtoken
and JWT_SECRET will be read accordingly
Note: If
JWT_SECRET
is required and not supplied it will default to a random UUID which is not secure and should never be used in a production deployment
Note: If
JWT_PRIVATE_KEY
orJWT_PUBLIC_KEY
are required and not supplied a development key will be generated in memory which is not secure and should never be used in a production deployment
# Asymmetric configuration
export JWT_ALGORITHM=RS256 # May be any asymmetric algorithm
export JWT_PRIVATE_KEY=`cat private.pem`
export JWT_PUBLIC_KEY=`cat public.pem`
# Symmetric configuration
export JWT_ALGORITHM=HS256 # May be any symmetric algorithm
export JWT_SECRET="my_secret"
import { JwtProvider } from "@cran/lib.auth.jwt";
// Note: This is the default, it is more likely
// you will want to override these values locally
// via `{ ...JwtProvider.env(), /* overrides */ }`
const provider = new JwtProvider(JwtProvider.env());
Security Considerations
Important: While this library attempts to prevent security compromises and enforce best practices it is alwyas strongly recommended to read appropriate literature to ensure your usage is accurate
In keeping with the above literature, the following have been implemented
- The
none
option is not accepted as a valid algorithm - Generated keypairs use 2048 bits by default