Gathering detailed insights and metrics for gtoken
Gathering detailed insights and metrics for gtoken
Installations
npm install gtokenDeveloper
Developer Guide
BETA
Module System
CommonJS
Min. Node Version
>=14.0.0
Typescript Support
Yes
Node Version
14.21.3
NPM Version
6.14.18
Statistics
111 Stars
384 Commits
42 Forks
46 Watching
86 Branches
126 Contributors
Updated on 27 Nov 2024
Languages
TypeScript (89.36%)
JavaScript (8.44%)
Python (2.2%)
Total Downloads
Cumulative downloads
Total Downloads
1,580,252,459
Last day
0.5%
2,238,390
Compared to previous day
Last week
3.2%
11,962,903
Compared to previous week
Last month
11.1%
49,911,050
Compared to previous month
Last year
58.6%
540,446,859
Compared to previous year
Daily Downloads
Weekly Downloads
Monthly Downloads
Yearly Downloads
Versions
node-gtoken
Node.js Google Authentication Service Account Tokens
This is a low level utility library used to interact with Google Authentication services. In most cases, you probably want to use the google-auth-library instead.
Installation
1npm install gtoken
Usage
Use with a .pem or .json key file:
1const { GoogleToken } = require('gtoken');
2const gtoken = new GoogleToken({
3 keyFile: 'path/to/key.pem', // or path to .json key file
4 email: 'my_service_account_email@developer.gserviceaccount.com',
5 scope: ['https://scope1', 'https://scope2'], // or space-delimited string of scopes
6 eagerRefreshThresholdMillis: 5 * 60 * 1000
7});
8
9gtoken.getToken((err, tokens) => {
10 if (err) {
11 console.log(err);
12 return;
13 }
14 console.log(tokens);
15 // {
16 // access_token: 'very-secret-token',
17 // expires_in: 3600,
18 // token_type: 'Bearer'
19 // }
20});You can also use the async/await style API:
1const tokens = await gtoken.getToken() 2console.log(tokens);
Or use promises:
1gtoken.getToken() 2 .then(tokens => { 3 console.log(tokens) 4 }) 5 .catch(console.error);
Use with a service account .json key file:
1const { GoogleToken } = require('gtoken');
2const gtoken = new GoogleToken({
3 keyFile: 'path/to/key.json',
4 scope: ['https://scope1', 'https://scope2'], // or space-delimited string of scopes
5 eagerRefreshThresholdMillis: 5 * 60 * 1000
6});
7
8gtoken.getToken((err, tokens) => {
9 if (err) {
10 console.log(err);
11 return;
12 }
13 console.log(tokens);
14});Pass the private key as a string directly:
1const key = '-----BEGIN RSA PRIVATE KEY-----\nXXXXXXXXXXX...';
2const { GoogleToken } = require('gtoken');
3const gtoken = new GoogleToken({
4 email: 'my_service_account_email@developer.gserviceaccount.com',
5 scope: ['https://scope1', 'https://scope2'], // or space-delimited string of scopes
6 key: key,
7 eagerRefreshThresholdMillis: 5 * 60 * 1000
8});Options
Various options that can be set when creating initializing the
gtokenobject.
options.email or options.iss: The service account email address.options.scope: An array of scope strings or space-delimited string of scopes.options.sub: The email address of the user requesting delegated access.options.keyFile: The filename of.jsonkey or.pemkey.options.key: The raw RSA private key value, in place of usingoptions.keyFile.options.additionalClaims: Additional claims to include in the JWT when requesting a token.options.eagerRefreshThresholdMillis: How long must a token be valid for in order to return it from the cache. Defaults to 0.
.getToken(callback)
Returns the cached tokens or requests a new one and returns it.
1gtoken.getToken((err, token) => { 2 console.log(err || token); 3 // gtoken.rawToken value is also set 4});
.getCredentials('path/to/key.json')
Given a keyfile, returns the key and (if available) the client email.
1const creds = await gtoken.getCredentials('path/to/key.json');Properties
Various properties set on the gtoken object after call to
.getToken().
gtoken.idToken: The OIDC token returned (if any).gtoken.accessToken: The access token.gtoken.expiresAt: The expiry date as milliseconds since 1970/01/01gtoken.key: The raw key value.gtoken.rawToken: Most recent raw token data received from Google.
.hasExpired()
Returns true if the token has expired, or token does not exist.
1const tokens = await gtoken.getToken(); 2gtoken.hasExpired(); // false
.revokeToken()
Revoke the token if set.
1await gtoken.revokeToken(); 2console.log('Token revoked!');
Downloading your private .json key from Google
- Open the Google Developer Console.
- Open your project and under "APIs & auth", click Credentials.
- Generate a new
.jsonkey and download it into your project.
Converting your .p12 key to a .pem key
If you'd like to convert to a .pem for use later, use OpenSSL if you have it installed.
1$ openssl pkcs12 -in key.p12 -nodes -nocerts > key.pem
Don't forget, the passphrase when converting these files is the string 'notasecret'
License
No vulnerabilities found.
Reason
no binaries found in the repo
Reason
security policy file detected
Details
- Info: security policy file detected: SECURITY.md:1
- Info: Found linked content: SECURITY.md:1
- Info: Found disclosure, vulnerability, and/or timelines in security policy: SECURITY.md:1
- Info: Found text in security policy: SECURITY.md:1
Reason
no dangerous workflow patterns detected
Reason
0 existing vulnerabilities detected
Reason
license file detected
Details
- Info: project has a license file: LICENSE:0
- Info: FSF or OSI recognized license: MIT License: LICENSE:0
Reason
Found 12/13 approved changesets -- score normalized to 9
Reason
SAST tool is not run on all commits -- score normalized to 3
Details
- Warn: 10 commits out of 30 are checked with a SAST tool
Reason
2 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 1
Reason
detected GitHub workflow tokens with excessive permissions
Details
- Warn: no topLevel permission defined: .github/workflows/ci.yaml:1
- Warn: no topLevel permission defined: .github/workflows/response.yaml:1
- Info: no jobLevel write permissions found
Reason
no effort to earn an OpenSSF best practices badge detected
Reason
dependency not pinned by hash detected -- score normalized to 0
Details
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ci.yaml:14: update your workflow using https://app.stepsecurity.io/secureworkflow/googleapis/node-gtoken/ci.yaml/main?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ci.yaml:15: update your workflow using https://app.stepsecurity.io/secureworkflow/googleapis/node-gtoken/ci.yaml/main?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ci.yaml:32: update your workflow using https://app.stepsecurity.io/secureworkflow/googleapis/node-gtoken/ci.yaml/main?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ci.yaml:33: update your workflow using https://app.stepsecurity.io/secureworkflow/googleapis/node-gtoken/ci.yaml/main?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ci.yaml:43: update your workflow using https://app.stepsecurity.io/secureworkflow/googleapis/node-gtoken/ci.yaml/main?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ci.yaml:44: update your workflow using https://app.stepsecurity.io/secureworkflow/googleapis/node-gtoken/ci.yaml/main?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ci.yaml:52: update your workflow using https://app.stepsecurity.io/secureworkflow/googleapis/node-gtoken/ci.yaml/main?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ci.yaml:53: update your workflow using https://app.stepsecurity.io/secureworkflow/googleapis/node-gtoken/ci.yaml/main?enable=pin
- Warn: third-party GitHubAction not pinned by hash: .github/workflows/ci.yaml:58: update your workflow using https://app.stepsecurity.io/secureworkflow/googleapis/node-gtoken/ci.yaml/main?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/response.yaml:16: update your workflow using https://app.stepsecurity.io/secureworkflow/googleapis/node-gtoken/response.yaml/main?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/response.yaml:17: update your workflow using https://app.stepsecurity.io/secureworkflow/googleapis/node-gtoken/response.yaml/main?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/response.yaml:30: update your workflow using https://app.stepsecurity.io/secureworkflow/googleapis/node-gtoken/response.yaml/main?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/response.yaml:31: update your workflow using https://app.stepsecurity.io/secureworkflow/googleapis/node-gtoken/response.yaml/main?enable=pin
- Warn: npmCommand not pinned by hash: .kokoro/docs.sh:23
- Warn: npmCommand not pinned by hash: .kokoro/lint.sh:23
- Warn: npmCommand not pinned by hash: .kokoro/lint.sh:29
- Warn: npmCommand not pinned by hash: .kokoro/publish.sh:29
- Warn: npmCommand not pinned by hash: .kokoro/release/docs-devsite.sh:27
- Warn: npmCommand not pinned by hash: .kokoro/release/docs-devsite.sh:28
- Warn: npmCommand not pinned by hash: .kokoro/release/docs.sh:27
- Warn: npmCommand not pinned by hash: .kokoro/release/docs.sh:31
- Warn: npmCommand not pinned by hash: .kokoro/samples-test.sh:35
- Warn: npmCommand not pinned by hash: .kokoro/samples-test.sh:40
- Warn: npmCommand not pinned by hash: .kokoro/system-test.sh:34
- Warn: npmCommand not pinned by hash: .kokoro/test.sh:23
- Warn: npmCommand not pinned by hash: .github/workflows/ci.yaml:48
- Warn: npmCommand not pinned by hash: .github/workflows/ci.yaml:57
- Warn: npmCommand not pinned by hash: .github/workflows/ci.yaml:23
- Warn: npmCommand not pinned by hash: .github/workflows/ci.yaml:26
- Info: 0 out of 12 GitHub-owned GitHubAction dependencies pinned
- Info: 0 out of 1 third-party GitHubAction dependencies pinned
- Info: 0 out of 16 npmCommand dependencies pinned
Reason
project is not fuzzed
Details
- Warn: no fuzzer integrations found
Score
5.7
/10
Last Scanned on 2024-11-18
The Open Source Security Foundation is a cross-industry collaboration to improve the security of open source software (OSS). The Scorecard provides security health metrics for open source projects.
Learn More