Use @node-rs/jsonwebtoken to verify JWT faster

[pasha-vuiko]

Hey! First of all, thank you for creating this awesome library.

Recently I found the package: https://www.npmjs.com/package/@node-rs/jsonwebtoken I was thinking, maybe you would consider to use this to verify JWT instead of node:crypto, as the package uses Rust bindings to verify JWT, and it works 3x faster than node:crypto. What do you think?

[ilteoood]

We have that library in our benchmarks (see this PR).

At the moment, we are still investigating what benefits we could have by generally including Rust in our toolchain.

[pasha-vuiko]

I got it, thank you!

I think you would benefit from Rust bindings, because it much faster than node:crypto

[HsinHeng]

https://www.npmjs.com/package/@node-rs/jsonwebtoken

We may consider sodium-native to replace node:crypto which is used by fastify/secure-session.

and i found someone who implement sodium version: https://www.npmjs.com/package/@mgcrea/node-sodium-jwt.

[pasha-vuiko]

Wow, interesting, I'll check this out

[simoneb]

Based on the outcome of the benchmarks, and although I'm surprised that performance benefits change so much depending on the signing algorithm, at the moment we're not considering to integrate this library out of the box. My understanding is that it would be a replacement for this library anyway, so I'm not sure what we would do about it really. It's more an alternative to this library.

[pasha-vuiko]

Based on the outcome of the benchmarks, and although I'm surprised that performance benefits change so much depending on the signing algorithm, at the moment we're not considering to integrate this library out of the box. My understanding is that it would be a replacement for this library anyway, so I'm not sure what we would do about it really. It's more an alternative to this library.

For example the Rust based library lacks LRU cache that fast-jwt has, so in my opinion it still worth it 🙂