sign

A universal javascript library for signing strings to avoid tampering:

1import { sign, check } from 'sign';
2
3// Keep the secret long and safe! e.g., use `process.env.SECRET` or similar
4const signed = await sign('Francisco', '123456');
5
6console.log(signed);
7// Francisco.pACXHmIctuGrwvidl7vVNyh5uvZMEHmp+D3NQB3uXJ4
8
9// Only matches if the secret is the same used to sign
10console.log(await check(signed, '123456'));    // true
11console.log(await check(signed, 'badsecret')); // false
12
13// Prevent tampering on the client side since they don't know the secret
14const fakeCookie = await sign('Francisco', 'badsecret');
15console.log(await check(fakeCookie, '123456')); // false
16

It works on Node.js, the browser and Cloudflare Workers.

It is used to make sure that only those with the secret have modified the message. This is ideal to sign session cookies, since those are created and modified only by the server, but can be used for many more things.

Note that this does no encrypt the messages, just checks whether the message has been modified by someone who knows the secret. The message remains in plain text.

API

sign(message, secret)

Both the message and secret must be plain strings. Make sure that the secret has high entropy and remains in a safe location, e.g.:

1const signed = sign('Francisco', process.env.SECRET);

The result looks like {MESSAGE}.{SIGNATURE}.

check(signed, secret)

Check whether the message has been signed with this secret. The signed message looks like {MESSAGE}#{SIGNATURE}:

1// Signed with '123456'
2const signed = "Francisco.pACXHmIctuGrwvidl7vVNyh5uvZMEHmp+D3NQB3uXJ4";
3
4expect(await check(signed, '123456')).toBe(true);
5expect(await check(signed, 'fake')).toBe(false);