Installation: npm install ms-token
Developer: makeomatic
Module System: CommonJS
Min. Node Version: (not listed)
Typescript Support: Yes
Node Version: 22.9.0
NPM Version: 10.8.3
Statistics: 2 Stars, 43 Commits, 1 Fork, 8 Watching, 2 Branches, 10 Contributors; updated on 23 Oct 2024
Languages: TypeScript (89.7%), Lua (7.82%), JavaScript (2.48%)
Total Downloads (cumulative): 19,636
- Last day: 2 (0% compared to previous day)
- Last week: 19 (-13.6% compared to previous week)
- Last month: 136 (-48.3% compared to previous month)
- Last year: 2,148 (-43.2% compared to previous year)
Peer Dependencies: 1
Dev Dependencies: 23
Token Orchestrator
There is a common task that requires one to request challenges to be performed for a specific action. Imagine a user who wants to register for your service and you need to validate an email, or you want to issue an invitation and remove the burden of activation from the user, as well as supply extra meta information with that token. Furthermore, you often need to throttle specific requests and make sure they are not performed more than once in a certain time span. All of these tasks are easily handled by this module.
Install me
npm i ms-token -S
API
The module API is pretty simple and contains only 4 functions alongside initialization.
When reading the docs, keep in mind that anything in [] is an optional prop.
new TokenManager(args)
- `args.backend`:
  - `name`: supported backends include: `redis`
  - `connection`: appropriate connector, an `ioredis` instance for `redis`
  - `prefix`: optional, used in the `redis` backend as key prefix
- `args.encrypt`, used in `crypto.createCipher(algorithm, password)` when encoding long tokens:
  - `algorithm`: one of `openssl list-cipher-algorithms`, example: `aes192`
  - `sharedSecret`: the password is used to derive the cipher key and initialization vector (IV). The value must be either a 'binary' encoded string or a Buffer.

```js
const TokenManager = require('ms-token');
const Redis = require('ioredis');

const tokenManager = new TokenManager({
  // redis backend: all challenge keys are stored under the given prefix
  backend: {
    name: 'redis',
    connection: new Redis(),
    prefix: 'ms-token:',
  },
  // cipher settings used when encoding long (encrypted) tokens
  encrypt: {
    algorithm: 'aes256',
    sharedSecret: Buffer.from('incredibly-long-secret-ooooohooo'),
  },
});
```
tokenManager.create(args)
Use this to create a challenge token, which should be sent to the user for verification purposes.
Accepts:
- `args.action`: unique action name, non-empty string
- `args.id`: unique request identification. For instance, if you are going to send this to an email, use the email as `id`. If this is going to be a token sent to a phone, use the normalized phone number. The combination of `action` & `id` grants access to `secret`, while `secret` grants access to all associated metadata
- `[args.ttl]`: token expiration, in `seconds`
- `[args.throttle]`:
  - `true`: would be equal to `args.ttl`; in that case `ttl` must be defined
  - `Number`: do not allow creating a token for the `args.{action,id}` combo for `Number` seconds. Sometimes you want the throttle to be small (60 seconds) and the ttl to be 15 mins (text messages), or 2 hours and 24 hours (emails)
- `[args.metadata]`: mixed content, must be able to `JSON.stringify` it
- `[args.secret]`:
  - `true`, default. In that case the secret is automatically generated and includes encrypted public data + the generated secret
  - `false`: do not generate a secret. In that case it would simply use `action + id` for verification/unlocking
  - `Object`:
    - `type`: enumerable, acceptable values are: `alphabet`, `number`, `uuid` (default `uuid`)
    - `[alphabet]`: string containing characters that are allowed to be used in the secret. Only used in `alphabet` mode
    - `[length]`: length of the generated secret, only used in `alphabet` and `number` mode
    - `[encrypt]`: defaults to `true` for `uuid`. If `true`, the returned token includes `action`, `id` & the generated `secret` encrypted in it. That token alone is enough for the verification function. If `false`, it returns the plain text generated secret, and you must pass `action`, `id` and `secret` to the verification function in order for it to succeed
- `[args.regenerate]`: defaults to `false`. If set to `true`, allows usage of the `.regenerate()` API by returning the `uid` of this challenge

Returns `Object`:
- `id`: id from `args`
- `action`: action from `args`
- `[uid]`: token unique identifier, present when `regenerate` is true
- `[secret]`: send the secret to the user for completing the challenge (for instance via SMS). The secret is not present if it was set to false
tokenManager.info(args)
Returns associated data for an already created token. It doesn't perform any verifications. This action should be considered a system action, which could be used for debugging purposes.
Input:
- `args`, must have one of: `uid`, the `args.action` and `args.id` combo, or the `args.secret` + `args.encrypt` combo
  - `args.uid`: `String`
  - `args.action`: `String`
  - `args.id`: `String`
  - `args.secret`: `String`
  - `args.encrypt`: `Boolean` - `true` if the secret is encrypted, `false` otherwise. If `false`, then `id` and `action` must be supplied alongside the secret
Response:
- `Object`: associated metadata for the given input
tokenManager.regenerate(uid)
Works with both `uid` OR the `action` & `id` combo. Sometimes a challenge token might not reach the user and the user would want to ask for another challenge token. The idea is to accept the public challenge `uid`, which would use the previous data passed in `.create(args)` and generate a new secret based on it. Can only be used when `regenerate` was set to `true` on the `.create(args)` action.
Input:
- `uid` - uid from `.create(args)`, when `regenerate` was set to `true`
Response:
- `String`: newly generated secret, either plain-text or encrypted based on what was passed earlier in `.create(args)`
tokenManager.verify(args, [opts])
Used for completing a challenge by verifying user input.
Accepts:
- `args` as `String`: we would attempt to decode & verify it in accordance with the encryption settings
- `args` as `Object`:
  - `args.action` - action from `.create()`
  - `args.id` - id from `.create()`
  - `args.token` - secret from the `.create()` return value
- `[opts]` as `Object`:
  - `opts.erase`: defaults to `true`. If `true`, when verification succeeds the associated `throttle` is removed, as well as any notion of this token
  - `opts.log`: if `true`, logs the attempt time
  - `opts.control`: verifies that the decrypted args contain the same values
    - `opts.id` -> checks id
    - `opts.action` -> checks action

Response, always an `Object` in case of successful verification:
- `id`
- `action`
- `uid`
- `secret`
- `created`
- `settings`
- `metadata`
- `isFirstVerification` - whether this was the first successful verification
- `verified` - timestamp when it was verified

Otherwise rejects the promise with an error.
tokenManager.remove(args)
- `args` as `String`: we would attempt to decode & verify it in accordance with the encryption settings
- `args` as `Object`: either `uid` OR the `action` & `id` combination
  - `args.uid`
  - `args.action` - action from `.create()`
  - `args.id` - id from `.create()`
No vulnerabilities found.

- Reason: no binaries found in the repo
- Reason: 2 existing vulnerabilities detected
  Details:
  - Warn: Project is vulnerable to: GHSA-3xgq-45jj-v275
  - Warn: Project is vulnerable to: GHSA-p6mc-m468-83gw
- Reason: 3 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 2
- Reason: Found 3/29 approved changesets -- score normalized to 1
- Reason: no effort to earn an OpenSSF best practices badge detected
- Reason: security policy file not detected
  Details:
  - Warn: no security policy file detected
  - Warn: no security file to analyze
  - Warn: no security file to analyze
  - Warn: no security file to analyze
- Reason: project is not fuzzed
  Details:
  - Warn: no fuzzer integrations found
- Reason: license file not detected
  Details:
  - Warn: project does not have a license file
- Reason: branch protection not enabled on development/release branches
  Details:
  - Warn: branch protection not enabled for branch 'master'
- Reason: SAST tool is not run on all commits -- score normalized to 0
  Details:
  - Warn: 0 commits out of 5 are checked with a SAST tool

Score: 2.7/10
Last Scanned on 2024-11-18
The Open Source Security Foundation is a cross-industry collaboration to improve the security of open source software (OSS). The Scorecard provides security health metrics for open source projects.