leojpod/elm-jwt

Release 1.0.0

Decode, encode, verify JSON web tokens

Repository Elm Elm Download

License
GPL-3.0
Install
elm-package install leojpod/elm-jwt 1.0.0

Documentation

JWT

Parse and verify JSON Web Tokens.

Scope

The general plan is to have a fully RFC compliant, robust and reliable library that can parse, build, and verify JWS and JWE, using all supported algorithms.

This library's current scope is to be used in Auth0 client. But the other use-cases are happily accepted.

Since Auth0 currently only uses JWS with two possible algorithms: HS256 and RS256, no more algorithms will be implemented in the nearest future. In fact, currently the only supported algorithm is HS256 since there is no PKCS1 elm library which is required to verify RSA-based signatures. Same for ECC (ellyptic curve cryptography) based algorithms. PRs are welcome!

Example

import JWT
import Time

token = case JWT.fromString "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpYXQiOjE1MTYyMzkwMjIsIm5hbWUiOiJKb2huIERvZSIsInN1YiI6IjEyMzQ1Njc4OTAifQ.fdOPQ05ZfRhkST2-rIWgUpbqUsVhkkNVNcuG7Ki0s-8" of
    Ok t ->
        t
    Err err ->
        Debug.todo "Handle error" err

verifyOptions =
    { issuer = Nothing
    , subject = Just "1234567890"
    , audience = Nothing
    , jwtID = Nothing
    , leeway = 0
    }
    
now =
    Time.millisToPosix 1558855500000
    
isValid =
    JWT.isValid verifyOptions "your-256-bit-secret" now token

-- Can also verify as a task:
verify =
    JWT.verify verifyOptions "your-256-bit-secret" token

Parsing and verification are intentionally two different steps so you can still parse tokens signed with unsupported algorithms. You just won't be able to verify them using this library, but you can implement your own verifiers.

Why not...

simonh1000/elm-jwt

  • Parses only the JWS claims (payload). There is a function to get the header, but it's not used by the library itself.
  • The token's signature is silently ignored.
  • Verification only considers the exp field, although there are other fields worth considering.
  • Requires the user to provide a payload type with encoders and decoders, even if some fields are well-known and can be parsed without user's action.

JonRowe/elm-jwt

  • This is a fork of the previous library, removing HTTP support. Same concerns are applied.

ktonon/elm-jsonwebsocket

  • Requires the user to provide a payload type with encoders and decoders, even if some fields are well-known and can be parsed without user's action.
  • Verifies the signature (which is good!), but using only HMAC-based algorithms.
  • Does not verify the exp and other useful fields.

License

This library is licensed under GNU Public License v3.

Please, consider purchasing a proprietary license if you want to use it in your closed-source project without disclosing the code.

Stats

Dependencies
9
Dependent packages
0
Dependent repositories
0
Total releases
1
Latest release
First release
Stars
0
Forks
0
Watchers
0
Contributors
0
Repository size
35.2 KB
SourceRank
7

Development practices

Source repo 2FA enabled
TEXT!
Package manager 2FA enabled
TEXT!
Is security responsive
TEXT!
Dependencies are managed
TEXT!
Issue-free release available
TEXT!
Succession plan available
TEXT!
Package manager 2FA enabled
TEXT!

The Tidelift Subscription provides access to a continuously curated stream of human-researched and maintainer-verified data on open source packages and their licenses, releases, vulnerabilities, and development practices.

Learn more

Releases

1.0.0

Something wrong with this page? Make a suggestion

Export .ABOUT file for this package

Last synced: 2021-03-10 00:10:02 UTC

Login to resync this project