nojwt

package module

v0.0.0-...-5aace79 Latest Latest Go to latest Published: Mar 17, 2021 License: MIT Imports: 5 Imported by: 0

Details

Valid go.mod file

The Go module system was introduced in Go 1.11 and is the official dependency management solution for Go.
Redistributable license

Redistributable licenses place minimal restrictions on how software can be used, modified, and redistributed.
Tagged version

Modules with tagged versions give importers more predictable builds.
Stable version

When a project reaches major version v1 it is considered stable.
Learn more about best practices

Repository

github.com/antoniomo/nojwt

Links

Open Source Insights

README ¶

NoJWT

This is for now a simple proof of concept not a full-blown library, although if you are ok with using HS256 and parsing your own payloads, it's totally functional.

The idea is that in JWT we can't ever trust the alg header, and the typ and cty are very seldom needed when you control when and how you would be getting JWTs. This makes the JWT header totally unnecessary, so we could do without it making our tokens smaller.

Aside from being "headerless JWTs", the payload can be any []byte blob, not necessarily JSON content, and we only base64-encode it once (to produce the final token), not before at signature creation. This saves a bit of creation and verification time, although it's probably negligible.

Installation

go get -u github.com/antoniomo/nojwt

Sample usage

package main

import (
	"fmt"

	"github.com/antoniomo/nojwt"
)

func main() {
	payload := []byte(`{"hello": "world!"}`)
	secret := []byte("my secret")

	token := nojwt.SignHS256(payload, secret)
	fmt.Println(token)

	payload2, ok := nojwt.VerifyHS256(token, secret)
	fmt.Println(string(payload2), ok)

	// Lets tamper it!
	tamperedToken := []byte(token)
	tamperedToken[42] = 'x'
	fmt.Println(string(tamperedToken))

	payload3, ok := nojwt.VerifyHS256(string(tamperedToken), secret)
	fmt.Println(string(payload3), ok)

	// There's also unsafe nowjt.Parse for when we don't care about the
	// signature, but it test that it's valid nojwt format
	payload4, ok := nojwt.Parse(string(tamperedToken))
	fmt.Println(string(payload4), ok)
}

The output of that should be:

eyJoZWxsbyI6ICJ3b3JsZCEifQ.g8o_EQ3pOt9qBQ-Yz8vK_rSoqWO47ds5hUsbPf9eObU
{"hello": "world!"} <nil>
eyJoZWxsbyI6ICJ3b3JsZCEifQ.g8o_EQ3pOt9qBQ-xz8vK_rSoqWO47ds5hUsbPf9eObU
{"hello": "world!"} invalid nojwt signature
{"hello": "world!"} <nil>

CLI

There's a very minimal CLI included. It doesn't check all use cases, but it's good for experimentation purposes.

Check the help:

$ ./nojwt -h
nojwt command line tool.

Commands:
	sign	Signs a payload with a secret, prints token
	verify	Verifies a token with a secret, prints payload and possible error
	parse	Parses a token, prints payload

Usage:
	nojwt <command> [options]

Use "nojwt <command> --help" for more information about a given command.

$./nojwt sign -h
Usage of sign:
  -p string
    	Payload
  -s string
    	Signature

$./nojwt verify -h
Usage of verify:
  -s string
    	Signature
  -t string
    	Token

$./nojwt parse -h
Usage of parse:
  -t string
    	Token

Documentation ¶

Index ¶

Variables
func Parse(token string) ([]byte, error)
func SignHS256(payload, secret []byte) string
func VerifyHS256(token string, secret []byte) ([]byte, error)

Constants ¶

This section is empty.

Variables ¶

View Source

var (
	ErrInvalidFormat    = errors.New("invalid nojwt format")
	ErrInvalidSignature = errors.New("invalid nojwt signature")
)

Functions ¶

func Parse ¶

func Parse(token string) ([]byte, error)

Parse doesn't verify signature.

func SignHS256 ¶

func SignHS256(payload, secret []byte) string

SignHS256 ...

func VerifyHS256 ¶

func VerifyHS256(token string, secret []byte) ([]byte, error)

VerifyHS256 ...

Types ¶

This section is empty.

Source Files ¶

View all Source files

nojwt.go

Directories ¶

Path	Synopsis
cmd
nojwt

?	: This menu
/	: Search site
f or F	: Jump to
y or Y	: Canonical URL