Gathering detailed insights and metrics for ts-jose
Gathering detailed insights and metrics for ts-jose
Installations
npm install ts-joseDeveloper
evan361425
Developer Guide
BETA
Module System
ESM
Min. Node Version
>=14
Typescript Support
Yes
Node Version
18.20.4
NPM Version
10.7.0
Statistics
3 Stars
266 Commits
1 Watching
2 Branches
1 Contributors
Updated on 21 Oct 2024
Languages
TypeScript (99.44%)
Shell (0.56%)
Total Downloads
Cumulative downloads
Total Downloads
169,755
Last day
-42.5%
1,665
Compared to previous day
Last week
0.9%
11,975
Compared to previous week
Last month
12.6%
50,787
Compared to previous month
Last year
628%
139,102
Compared to previous year
Daily Downloads
Weekly Downloads
Monthly Downloads
Yearly Downloads
Versions
TS JOSE
Wrap functions of JOSE in steady interface.
[!Note]
This package's version will FOLLOW the version of JOSE
JWT
verify
Additional options
| name | Description |
|---|---|
| kid | Using specific key in JWKS |
| jti | Verify payload jti |
1// `key` must be JWK or JWKS. 2await JWT.verify(token, key, options); 3// Use embedded key instead given one. 4await JWT.verify(token, undefined, options);
sign
Using JOSE options
| name | Referrer |
|---|---|
| issuer | setIssuer |
| audience | setAudience |
| subject | setSubject |
| exp | setExpirationTime |
| jti | setJti |
| notBefore | setNotBefore |
| iat | setIssuedAt |
| typ | Header |
| kid | Header |
| alg | Header |
Additional options
| name | type | default | description |
|---|---|---|---|
| jwk | boolean | false | Whether embedded key to header |
1await JWT.sign(payload, key, options); // key must be JWK or JWKS
decrypt
Additional options
| name | Description |
|---|---|
| kid | Using specific key in JWKS |
| enc | Encrypt algorithm |
| alg | Key management algorithm |
1await JWT.decrypt(cypher, key, options);encrypt
Using JOSE options
| name | Referrer |
|---|---|
| issuer | setIssuer |
| audience | setAudience |
| subject | setSubject |
| exp | setExpirationTime |
| jti | setJti |
| notBefore | setNotBefore |
| iat | setIssuedAt |
| typ | Header |
| kid | Header |
| enc | Header |
| alg | Header |
1await JWT.encrypt(payload, key, options);JWS
You can sign pure string.
verify
1await JWS.verify(data, key, options);
sign
Only using below JWT.sign's options:
typkidalgjwk
1await JWS.sign('some-data', key, options);
JWE
You can encrypt pure string.
decrypt
Additional options
Same as JWT.decrypt
1await JWE.decrypt(cypher, key, options);encrypt
Only using below JWT.encrypt's options:
kidalgenc
1await JWE.encrypt('some-data', key, options);
JWK
1// generate key 2const key: JWK = await JWK.generate('ES256', { 3 kid: 'some-id', 4 use: 'sig', 5 // crv: string, some algorithms need to add curve - EdDSA 6 // modulusLength: number, some algorithms need to add length - RSA 7}); 8 9// object to JWK 10const key: JWK = await JWK.fromObject({ 11 kid: 'some-id', 12 alg: 'ES256', 13 kty: 'EC', 14 crv: 'P-256', 15 x: '123', 16 y: '456', 17 d: '789', 18}); 19 20// JWK to object 21const keyObject: JWKObject = key.toObject(false); // true to output private object, default: false 22 23// private JWK to public JWK 24const newKey: JWK = await key.toPublic(); 25 26// get key's status 27key.isPrivate; 28 29// check key "id", "use", "alg" 30try { 31 // return `this` if all pass 32 key.getKey({ kid: 'some-id', use: 'sig', alg: 'ES256' }); 33} catch (err) { 34 // throw error if this key has different metadata from options 35}
JWKS
1// object to JWKS 2const keys = await JWKS.fromObject({ 3 keys: [ 4 { 5 alg: 'ES256', 6 kty: 'EC', 7 x: '123', 8 y: '456', 9 }, 10 ], 11}); 12 13// get key from store in specific options 14try { 15 const key: JWK = keys.getKey({ kid: 'some-id', use: 'sig', alg: 'ES256' }); 16} catch (err) { 17 // throw error if not found 18} 19const key: JWK = keys.getKeyByKid('some-id'); 20const key: JWK = keys.getKeyByUse('sig'); 21const key: JWK = keys.getKeyByAlg('ES256'); 22const publicKeys = await keys.toPublic();
No vulnerabilities found.
Reason
12 commit(s) and 1 issue activity found in the last 90 days -- score normalized to 10
Reason
no binaries found in the repo
Reason
no dangerous workflow patterns detected
Reason
0 existing vulnerabilities detected
Reason
license file detected
Details
- Info: project has a license file: LICENSE:0
- Info: FSF or OSI recognized license: MIT License: LICENSE:0
Reason
packaging workflow detected
Details
- Info: Project packages its releases by way of GitHub Actions.: .github/workflows/publish-to-npm.yml:16
Reason
Found 0/23 approved changesets -- score normalized to 0
Reason
detected GitHub workflow tokens with excessive permissions
Details
- Warn: no topLevel permission defined: .github/workflows/publish-to-npm.yml:1
- Warn: no topLevel permission defined: .github/workflows/sync-jose.yaml:1
- Warn: no topLevel permission defined: .github/workflows/test.yml:1
- Info: no jobLevel write permissions found
Reason
dependency not pinned by hash detected -- score normalized to 0
Details
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/publish-to-npm.yml:21: update your workflow using https://app.stepsecurity.io/secureworkflow/evan361425/ts-jose/publish-to-npm.yml/master?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/publish-to-npm.yml:25: update your workflow using https://app.stepsecurity.io/secureworkflow/evan361425/ts-jose/publish-to-npm.yml/master?enable=pin
- Warn: third-party GitHubAction not pinned by hash: .github/workflows/sync-jose.yaml:29: update your workflow using https://app.stepsecurity.io/secureworkflow/evan361425/ts-jose/sync-jose.yaml/master?enable=pin
- Warn: third-party GitHubAction not pinned by hash: .github/workflows/sync-jose.yaml:40: update your workflow using https://app.stepsecurity.io/secureworkflow/evan361425/ts-jose/sync-jose.yaml/master?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/sync-jose.yaml:55: update your workflow using https://app.stepsecurity.io/secureworkflow/evan361425/ts-jose/sync-jose.yaml/master?enable=pin
- Warn: third-party GitHubAction not pinned by hash: .github/workflows/sync-jose.yaml:59: update your workflow using https://app.stepsecurity.io/secureworkflow/evan361425/ts-jose/sync-jose.yaml/master?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/sync-jose.yaml:62: update your workflow using https://app.stepsecurity.io/secureworkflow/evan361425/ts-jose/sync-jose.yaml/master?enable=pin
- Warn: third-party GitHubAction not pinned by hash: .github/workflows/sync-jose.yaml:79: update your workflow using https://app.stepsecurity.io/secureworkflow/evan361425/ts-jose/sync-jose.yaml/master?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/sync-jose.yaml:91: update your workflow using https://app.stepsecurity.io/secureworkflow/evan361425/ts-jose/sync-jose.yaml/master?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/sync-jose.yaml:94: update your workflow using https://app.stepsecurity.io/secureworkflow/evan361425/ts-jose/sync-jose.yaml/master?enable=pin
- Warn: third-party GitHubAction not pinned by hash: .github/workflows/sync-jose.yaml:121: update your workflow using https://app.stepsecurity.io/secureworkflow/evan361425/ts-jose/sync-jose.yaml/master?enable=pin
- Warn: third-party GitHubAction not pinned by hash: .github/workflows/sync-jose.yaml:128: update your workflow using https://app.stepsecurity.io/secureworkflow/evan361425/ts-jose/sync-jose.yaml/master?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/sync-jose.yaml:146: update your workflow using https://app.stepsecurity.io/secureworkflow/evan361425/ts-jose/sync-jose.yaml/master?enable=pin
- Warn: third-party GitHubAction not pinned by hash: .github/workflows/sync-jose.yaml:156: update your workflow using https://app.stepsecurity.io/secureworkflow/evan361425/ts-jose/sync-jose.yaml/master?enable=pin
- Warn: third-party GitHubAction not pinned by hash: .github/workflows/sync-jose.yaml:163: update your workflow using https://app.stepsecurity.io/secureworkflow/evan361425/ts-jose/sync-jose.yaml/master?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/test.yml:25: update your workflow using https://app.stepsecurity.io/secureworkflow/evan361425/ts-jose/test.yml/master?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/test.yml:28: update your workflow using https://app.stepsecurity.io/secureworkflow/evan361425/ts-jose/test.yml/master?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/test.yml:47: update your workflow using https://app.stepsecurity.io/secureworkflow/evan361425/ts-jose/test.yml/master?enable=pin
- Warn: third-party GitHubAction not pinned by hash: .github/workflows/test.yml:56: update your workflow using https://app.stepsecurity.io/secureworkflow/evan361425/ts-jose/test.yml/master?enable=pin
- Warn: npmCommand not pinned by hash: .github/workflows/publish-to-npm.yml:41
- Warn: npmCommand not pinned by hash: .github/workflows/sync-jose.yaml:108
- Warn: npmCommand not pinned by hash: .github/workflows/sync-jose.yaml:109
- Warn: npmCommand not pinned by hash: .github/workflows/test.yml:34
- Warn: npmCommand not pinned by hash: .github/workflows/test.yml:51
- Info: 0 out of 10 GitHub-owned GitHubAction dependencies pinned
- Info: 0 out of 9 third-party GitHubAction dependencies pinned
- Info: 0 out of 5 npmCommand dependencies pinned
Reason
no effort to earn an OpenSSF best practices badge detected
Reason
security policy file not detected
Details
- Warn: no security policy file detected
- Warn: no security file to analyze
- Warn: no security file to analyze
- Warn: no security file to analyze
Reason
project is not fuzzed
Details
- Warn: no fuzzer integrations found
Reason
SAST tool is not run on all commits -- score normalized to 0
Details
- Warn: 0 commits out of 7 are checked with a SAST tool
Score
5.2
/10
Last Scanned on 2024-11-25
The Open Source Security Foundation is a cross-industry collaboration to improve the security of open source software (OSS). The Scorecard provides security health metrics for open source projects.
Learn More