Hi, just wanted to say thanks for the initial version of this library you've provided. I took inspiration from it, but wanted a version that was more secure, both in its use of cryptography, and in runtime validation. I like the approach, and I also found inspiration in this blog post: https://fly.io/blog/api-tokens-a-tedious-survey/
I've taken the liberty to fork this repo and rewrite it. This would also address the #1, #2, and #4 issues.
Major changes:
- New nomenclature: `prefix`, `id`, `secret` and `verifier`
- Now supports usage in Deno, serverless environments, and browser, in addition to Node.js. Examples provided.
- Prefix is strictly required and validated for shape.
- `id` is now a Base32 encoded ULID (suitable for primary key, URL safe, 128 bit UUID equiv, with timestamp).
- `secret` is now required to be a 32 Byte (256 bit) random `Uint8Array`. It is now Base58Check encoded, which adds a 4 byte partial hash checksum to help detect and avoid typos or key corruption.
- `id` and `secret` are now cryptographically bound. Both are concatenated as the payload of an HMAC-SHA256 to create the `verifier` stored on the server.
- A 32 Byte (256 bit) random `Uint8Array` is required to be provided as the HMAC signing key.
- The public API is reduced in surface area. It is more intentional about the naming and structure to make clear what is destined for the end user client (`key`) and what shall remain server side (`id`, `verifier`).
- The `id` embedded key creation time now allows for rejection of keys created before, after, or outside a specific time window.
- 100% test suite coverage. Deep runtime validation using Zod of all inputs and types to exported functions.

A sample of the new key:

mycompany_key_01GVDPRNNV4P4593VH1A0DR7RN_1372dpVKCbEvLfM6nMsDL75GrspAj2osNVyp5RLM2s5oTjiBm
This is, of course, no longer compatible, hence the hard fork and not a pull request.
Any feedback appreciated. I'll be publishing it shortly.
https://github.com/truestamp/prefixed-api-key
Cheers.