@sourceregistry/node-jwt 1.4.0 → 1.4.1
- package/README.md +36 -0
- package/package.json +5 -2
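--- a/package/README.md
+++ b/package/README.md
@@ -166,6 +166,42 @@ const keyObject = JWKS.toKeyObject(jwks, jwk.kid);
 
 ---
 
+## 🔏 ECDSA Signature Format: DER vs JOSE (New)
+
+For **ECDSA** algorithms (`ES256`, `ES384`, `ES512`, `ES256K`) there are two common signature encodings:
+
+- **DER** (ASN.1) — what Node.js produces by default
+- **JOSE** (`r || s` raw signature) — required by the JWT/JWS spec and used by systems like **VAPID/Web Push (WNS)**
+
+### Default behavior
+By default, this library outputs **DER** signatures for `ES*` algorithms to match Node.js/OpenSSL defaults.
+
+### Enable JOSE output
+To generate spec-compliant JOSE ECDSA signatures, set:
+
+- `signatureFormat: "jose"` in `sign()`
+
+```ts
+import { sign, verify } from "@sourceregistry/node-jwt";
+
+const token = sign(
+{ sub: "123", iat: Math.floor(Date.now() / 1000) },
+ecPrivateKey,
+{ alg: "ES256", signatureFormat: "jose" }
+);
+
+// Verify JOSE-signed token
+const result = verify(token, ecPublicKey, { signatureFormat: "jose" });
+````
+
+### Auto-detect verification (optional)
+
+If enabled in your version, `verify()` can also validate JOSE ECDSA signatures without specifying `signatureFormat` (it will try DER first, then JOSE).
+If you want strict behavior, pass `signatureFormat: "der"` or `signatureFormat: "jose"` explicitly.
+
+> 💡 For VAPID/Web Push (e.g. Windows WNS endpoints), you typically need `ES256` with `signatureFormat: "jose"`.
+
+
 ## 📚 API Reference
 
 ### `sign(payload, secret, options?)`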
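--- a/package/package.json
+++ b/package/package.json
@@ -1,6 +1,6 @@
 {
 "name": "@sourceregistry/node-jwt",
-"version": "1.4.
+"version": "1.4.1",
 "description": "A lightweight, zero-dependency TypeScript library for creating, verifying and decoding JSON Web Tokens (JWT).",
 "main": "./dist/index.cjs.js",
 "module": "./dist/index.es.js",
@@ -38,7 +38,10 @@
 "authentication",
 "security",
 "typescript",
-"zero-dependency"
+"zero-dependency",
+"vapid",
+"jose",
+"der"
 ],
 "author": "A.P.A. Slaa (a.p.a.slaa@projectsource.nl)",
 "license": "Apache-2.0",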