|
1 | | -var jws = require('jws'); |
2 | | -var ms = require('ms'); |
3 | | -var JWT = module.exports; |
4 | | - |
5 | | -var JsonWebTokenError = JWT.JsonWebTokenError = require('./lib/JsonWebTokenError'); |
6 | | -var NotBeforeError = module.exports.NotBeforeError = require('./lib/NotBeforeError'); |
7 | | -var TokenExpiredError = JWT.TokenExpiredError = require('./lib/TokenExpiredError'); |
8 | | - |
9 | | -JWT.decode = function (jwt, options) { |
10 | | - options = options || {}; |
11 | | - var decoded = jws.decode(jwt, options); |
12 | | - if (!decoded) { return null; } |
13 | | - var payload = decoded.payload; |
14 | | - |
15 | | - //try parse the payload |
16 | | - if(typeof payload === 'string') { |
17 | | - try { |
18 | | - var obj = JSON.parse(payload); |
19 | | - if(typeof obj === 'object') { |
20 | | - payload = obj; |
21 | | - } |
22 | | - } catch (e) { } |
23 | | - } |
24 | | - |
25 | | - //return header if `complete` option is enabled. header includes claims |
26 | | - //such as `kid` and `alg` used to select the key within a JWKS needed to |
27 | | - //verify the signature |
28 | | - if (options.complete === true) { |
29 | | - return { |
30 | | - header: decoded.header, |
31 | | - payload: payload, |
32 | | - signature: decoded.signature |
33 | | - }; |
34 | | - } |
35 | | - return payload; |
36 | | -}; |
37 | | - |
38 | | -JWT.sign = require('./sign'); |
39 | | - |
40 | | -JWT.verify = function(jwtString, secretOrPublicKey, options, callback) { |
41 | | - if ((typeof options === 'function') && !callback) { |
42 | | - callback = options; |
43 | | - options = {}; |
44 | | - } |
45 | | - |
46 | | - if (!options) options = {}; |
47 | | - |
48 | | - var done; |
49 | | - |
50 | | - if (callback) { |
51 | | - done = function() { |
52 | | - var args = Array.prototype.slice.call(arguments, 0); |
53 | | - return process.nextTick(function() { |
54 | | - callback.apply(null, args); |
55 | | - }); |
56 | | - }; |
57 | | - } else { |
58 | | - done = function(err, data) { |
59 | | - if (err) throw err; |
60 | | - return data; |
61 | | - }; |
62 | | - } |
63 | | - |
64 | | - if (!jwtString){ |
65 | | - return done(new JsonWebTokenError('jwt must be provided')); |
66 | | - } |
67 | | - |
68 | | - var parts = jwtString.split('.'); |
69 | | - |
70 | | - if (parts.length !== 3){ |
71 | | - return done(new JsonWebTokenError('jwt malformed')); |
72 | | - } |
73 | | - |
74 | | - var hasSignature = parts[2].trim() !== ''; |
75 | | - |
76 | | - if (!hasSignature && secretOrPublicKey){ |
77 | | - return done(new JsonWebTokenError('jwt signature is required')); |
78 | | - } |
79 | | - |
80 | | - if (hasSignature && !secretOrPublicKey) { |
81 | | - return done(new JsonWebTokenError('secret or public key must be provided')); |
82 | | - } |
83 | | - |
84 | | - if (!hasSignature && !options.algorithms) { |
85 | | - options.algorithms = ['none']; |
86 | | - } |
87 | | - |
88 | | - if (!options.algorithms) { |
89 | | - options.algorithms = ~secretOrPublicKey.toString().indexOf('BEGIN CERTIFICATE') || |
90 | | - ~secretOrPublicKey.toString().indexOf('BEGIN PUBLIC KEY') ? |
91 | | - [ 'RS256','RS384','RS512','ES256','ES384','ES512' ] : |
92 | | - ~secretOrPublicKey.toString().indexOf('BEGIN RSA PUBLIC KEY') ? |
93 | | - [ 'RS256','RS384','RS512' ] : |
94 | | - [ 'HS256','HS384','HS512' ]; |
95 | | - |
96 | | - } |
97 | | - |
98 | | - var decodedToken; |
99 | | - try { |
100 | | - decodedToken = jws.decode(jwtString); |
101 | | - } catch(err) { |
102 | | - return done(new JsonWebTokenError('invalid token')); |
103 | | - } |
104 | | - |
105 | | - if (!decodedToken) { |
106 | | - return done(new JsonWebTokenError('invalid token')); |
107 | | - } |
108 | | - |
109 | | - var header = decodedToken.header; |
110 | | - |
111 | | - if (!~options.algorithms.indexOf(header.alg)) { |
112 | | - return done(new JsonWebTokenError('invalid algorithm')); |
113 | | - } |
114 | | - |
115 | | - var valid; |
116 | | - |
117 | | - try { |
118 | | - valid = jws.verify(jwtString, header.alg, secretOrPublicKey); |
119 | | - } catch (e) { |
120 | | - return done(e); |
121 | | - } |
122 | | - |
123 | | - if (!valid) |
124 | | - return done(new JsonWebTokenError('invalid signature')); |
125 | | - |
126 | | - var payload; |
127 | | - |
128 | | - try { |
129 | | - payload = JWT.decode(jwtString); |
130 | | - } catch(err) { |
131 | | - return done(err); |
132 | | - } |
133 | | - |
134 | | - if (typeof payload.nbf !== 'undefined' && !options.ignoreNotBefore) { |
135 | | - if (typeof payload.nbf !== 'number') { |
136 | | - return done(new JsonWebTokenError('invalid nbf value')); |
137 | | - } |
138 | | - if (payload.nbf > Math.floor(Date.now() / 1000) + (options.clockTolerance || 0)) { |
139 | | - return done(new NotBeforeError('jwt not active', new Date(payload.nbf * 1000))); |
140 | | - } |
141 | | - } |
142 | | - |
143 | | - if (typeof payload.exp !== 'undefined' && !options.ignoreExpiration) { |
144 | | - if (typeof payload.exp !== 'number') { |
145 | | - return done(new JsonWebTokenError('invalid exp value')); |
146 | | - } |
147 | | - if (Math.floor(Date.now() / 1000) >= payload.exp + (options.clockTolerance || 0)) { |
148 | | - return done(new TokenExpiredError('jwt expired', new Date(payload.exp * 1000))); |
149 | | - } |
150 | | - } |
151 | | - |
152 | | - if (options.audience) { |
153 | | - var audiences = Array.isArray(options.audience)? options.audience : [options.audience]; |
154 | | - var target = Array.isArray(payload.aud) ? payload.aud : [payload.aud]; |
155 | | - |
156 | | - var match = target.some(function(aud) { return audiences.indexOf(aud) != -1; }); |
157 | | - |
158 | | - if (!match) |
159 | | - return done(new JsonWebTokenError('jwt audience invalid. expected: ' + audiences.join(' or '))); |
160 | | - } |
161 | | - |
162 | | - if (options.issuer) { |
163 | | - var invalid_issuer = |
164 | | - (typeof options.issuer === 'string' && payload.iss !== options.issuer) || |
165 | | - (Array.isArray(options.issuer) && options.issuer.indexOf(payload.iss) === -1); |
166 | | - |
167 | | - if (invalid_issuer) { |
168 | | - return done(new JsonWebTokenError('jwt issuer invalid. expected: ' + options.issuer)); |
169 | | - } |
170 | | - } |
171 | | - |
172 | | - if (options.subject) { |
173 | | - if (payload.sub !== options.subject) { |
174 | | - return done(new JsonWebTokenError('jwt subject invalid. expected: ' + options.subject)); |
175 | | - } |
176 | | - } |
177 | | - |
178 | | - if (options.jwtid) { |
179 | | - if (payload.jti !== options.jwtid) { |
180 | | - return done(new JsonWebTokenError('jwt jwtid invalid. expected: ' + options.jwtid)); |
181 | | - } |
182 | | - } |
183 | | - |
184 | | - if (options.maxAge) { |
185 | | - var maxAge = ms(options.maxAge); |
186 | | - if (typeof payload.iat !== 'number') { |
187 | | - return done(new JsonWebTokenError('iat required when maxAge is specified')); |
188 | | - } |
189 | | - if (Date.now() - (payload.iat * 1000) > maxAge + (options.clockTolerance || 0) * 1000) { |
190 | | - return done(new TokenExpiredError('maxAge exceeded', new Date(payload.iat * 1000 + maxAge))); |
191 | | - } |
192 | | - } |
193 | | - |
194 | | - return done(null, payload); |
| 1 | +module.exports = { |
| 2 | + decode: require('./decode'), |
| 3 | + verify: require('./verify'), |
| 4 | + sign: require('./sign'), |
| 5 | + JsonWebTokenError: require('./lib/JsonWebTokenError'), |
| 6 | + NotBeforeError: require('./lib/NotBeforeError'), |
| 7 | + TokenExpiredError: require('./lib/TokenExpiredError'), |
195 | 8 | }; |
0 commit comments