seveibar
commented
11 months ago A bit late on this, but nice fork! We should add a link in the README
Open grempe opened 1 year ago
seveibar
commented
11 months ago A bit late on this, but nice fork! We should add a link in the README
codetheweb
commented
9 months ago looks great! was going to try it out today but I think the package is either missing from NPM or private?
Hi, just wanted to say thanks for the initial version of this library you've provided. I took inspiration from it, but wanted a version that was more secure, both in its use of cryptography, and in runtime validation. I like the approach, and I also found inspiration in this blog post: https://fly.io/blog/api-tokens-a-tedious-survey/
I've taken the liberty to fork this repo and rewrite it. This would also address the #1, #2, and #4 issues.
Major changes:
prefix,id,secretandverifieridis now a Base32 encoded ULID (suitable for primary key, url safe, 128 bit UUID equiv, with timestamp)secretis now required to be a 32 Byte (256 bit) randomUint8Array. It is now Base58Check encoded which adds a 4 byte partial hash checksum to help detect and avoid typos or key corruption.idandsecretare now cryptographically bound. Both are concatenated as the payload of aHMAC-SHA256to create theverifierstored on the server.Uint8Arrayis required to be provided as the HMAC signing key.key) and what shall remain server side (id,verifier).idembeddedkeycreation time now allows for rejection of keys created before, after, or outside a specific time window.A sample of the new key:
This is of course, no longer compatible, hence the hard fork and not a pull-request.
Any feedback appreciated. I'll be publishing it shortly.
https://github.com/truestamp/prefixed-api-key
Cheers.