forked from auth0/node-jsonwebtoken
-
Notifications
You must be signed in to change notification settings - Fork 0
/
index.js
132 lines (99 loc) · 3.24 KB
/
index.js
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
var jws = require('jws');
var JsonWebTokenError = module.exports.JsonWebTokenError = require('./lib/JsonWebTokenError');
var TokenExpiredError = module.exports.TokenExpiredError = require('./lib/TokenExpiredError');
module.exports.decode = function (jwt, options) {
var decoded = jws.decode(jwt, options);
return decoded && decoded.payload;
};
module.exports.sign = function(payload, secretOrPrivateKey, options) {
options = options || {};
var header = ((typeof options.headers === 'object') && options.headers) || {};
if (typeof payload === 'object') {
header.typ = 'JWT';
}
header.alg = options.algorithm || 'HS256';
if (options.header) {
Object.keys(options.header).forEach(function (k) {
header[k] = options.header[k];
});
}
if (!options.noTimestamp) {
payload.iat = Math.floor(Date.now() / 1000);
}
if (options.expiresInMinutes) {
var ms = options.expiresInMinutes * 60;
payload.exp = payload.iat + ms;
}
if (options.audience)
payload.aud = options.audience;
if (options.issuer)
payload.iss = options.issuer;
if (options.subject)
payload.sub = options.subject;
var signed = jws.sign({header: header, payload: payload, secret: secretOrPrivateKey});
return signed;
};
module.exports.verify = function(jwtString, secretOrPublicKey, options, callback) {
if ((typeof options === 'function') && !callback) {
callback = options;
options = {};
}
if (!options) options = {};
var done;
if (callback) {
done = function() {
var args = Array.prototype.slice.call(arguments, 0);
return process.nextTick(function() {
callback.apply(null, args);
});
};
} else {
done = function(err, data) {
if (err) throw err;
return data;
};
}
if (!jwtString){
return done(new JsonWebTokenError('jwt must be provided'));
}
var parts = jwtString.split('.');
if (parts.length !== 3){
return done(new JsonWebTokenError('jwt malformed'));
}
if (parts[2].trim() === '' && secretOrPublicKey){
return done(new JsonWebTokenError('jwt signature is required'));
}
var valid;
try {
valid = jws.verify(jwtString, secretOrPublicKey);
} catch (e) {
return done(e);
}
if (!valid)
return done(new JsonWebTokenError('invalid signature'));
var payload;
try {
payload = this.decode(jwtString);
} catch(err) {
return done(err);
}
if (typeof payload.exp !== 'undefined') {
if (typeof payload.exp !== 'number') {
return done(new JsonWebTokenError('invalid exp value'));
}
if (Math.floor(Date.now() / 1000) >= payload.exp)
return done(new TokenExpiredError('jwt expired', new Date(payload.exp * 1000)));
}
if (options.audience) {
var audiences = Array.isArray(options.audience)? options.audience : [options.audience];
var target = Array.isArray(payload.aud) ? payload.aud : [payload.aud];
var match = target.some(function(aud) { return audiences.indexOf(aud) != -1; });
if (!match)
return done(new JsonWebTokenError('jwt audience invalid. expected: ' + payload.aud));
}
if (options.issuer) {
if (payload.iss !== options.issuer)
return done(new JsonWebTokenError('jwt issuer invalid. expected: ' + payload.iss));
}
return done(null, payload);
};