@techiev2/vajra 1.3.0 → 1.4.0

package/README

@@ -14,15 +14,35 @@ Vajra draws from the Rigvedic thunderbolt weapon of Indra — crafted from the b
 Like the Vajra, this server delivers maximum power in minimal form.
 
 
-[![npm version](https://img.shields.io/npm/v/vajra.svg?style=flat-square)](https://www.npmjs.com/package/vajra)
-[![npm downloads](https://img.shields.io/npm/dm/vajra.svg?style=flat-square)](https://www.npmjs.com/package/vajra)
-[![Node.js version](https://img.shields.io/node/v/vajra.svg?style=flat-square)](https://nodejs.org)
-[![License](https://img.shields.io/npm/l/vajra.svg?style=flat-square)](LICENSE)
+[![npm version](https://img.shields.io/npm/v/@techiev2/vajra.svg?style=flat-square)](https://www.npmjs.com/package/@techiev2/vajra)
+[![npm downloads](https://img.shields.io/npm/dm/vajra.svg?style=flat-square)](https://www.npmjs.com/package/@techiev2/vajra)
+[![Node.js version](https://img.shields.io/node/v/@techiev2/vajra.svg?style=flat-square)](https://nodejs.org)
+[![License](https://img.shields.io/npm/l/@techiev2/vajra.svg?style=flat-square)](LICENSE)
+
+
+## Changelog
+
+### 1.4.0 (Current)
+- Added full HS256 JWT support (`@techiev2/vajra/libs/auth/jwt.js`)
+  - Ultra-minimal, zero-dependency implementation
+  - Key and header caching for maximum performance
+  - Robust base64url handling
+  - Numeric exp validation and expiration checks
+
+### 1.3.0 (2025-12-30)
+- Performance improvements to routing in bare routes
+
+### 1.2.0 (2025-12-30)
+- Adds cookie support
+
+### 1.0.0 (2025-12-25)
+- Initial release
 
 ## Features
 
 - Zero external dependencies
 - Built-in routing with named parameters (`:id`)
+- Asynchronous batched logging for performance
 - Global middleware support with `next()` chaining
 - JSON, urlencoded, and **multipart/form-data** body parsing
 - Fast HTML templating with loops, nested objects, and simple array headers
@@ -59,14 +79,17 @@ async function getUsers(query = {}) {
   return (await fetch(`https://jsonplaceholder.typicode.com/users?${encode(query)}`)).json()
 }
 
-const { get, post, use, start, setProperty } = Vajra.create();
+const { get, post, use, start, setProperty, log } = Vajra.create();
 
 setProperty({ viewsRoot: `${import.meta.url}/views` })
 // Or as a key-value pair
 // setProperty('viewsRoot', `${import.meta.url}/views`)
 
 use((req, res, next) => {
-  console.log(`${req.method} ${req.url}`);
+  // Vajra provides an async batched logger to provide a balance between 100% log coverage and performance.
+  // If you prefer blocking immediate logs, you can switch to console.log
+  // or any other library of your choice.
+  log(`${req.method} ${req.url}`);
   next();
 });
 
@@ -156,6 +179,7 @@ app.setProperty('viewRoot', './views');
 - `use(middleware)`
 - `start({ port, host }, callback?)`
 - `setProperty(key, value)` or `setProperty({ key: value })`
+- `log(message)`
 
 
 #### Response helpers:

package/README.md

@@ -19,6 +19,25 @@ Like the Vajra, this server delivers maximum power in minimal form.
 [![Node.js version](https://img.shields.io/node/v/@techiev2/vajra.svg?style=flat-square)](https://nodejs.org)
 [![License](https://img.shields.io/npm/l/@techiev2/vajra.svg?style=flat-square)](LICENSE)
 
+
+## Changelog
+
+### 1.4.0 (Current)
+- Added full HS256 JWT support (`@techiev2/vajra/libs/auth/jwt.js`)
+  - Ultra-minimal, zero-dependency implementation
+  - Key and header caching for maximum performance
+  - Robust base64url handling
+  - Numeric exp validation and expiration checks
+
+### 1.3.0 (2025-12-30)
+- Performance improvements to routing in bare routes
+
+### 1.2.0 (2025-12-30)
+- Adds cookie support
+
+### 1.0.0 (2025-12-25)
+- Initial release
+
 ## Features
 
 - Zero external dependencies

package/index.js

@@ -31,6 +31,7 @@ export default class Vajra {
     process.on('exit', logOut); function log(message) { _queue.push(`${message}\n`); if (_queue.length >= LOG_QUEUE_SIZE) { logOut(); _queue.length = 0; } }
     Vajra.#MAX_FILE_SIZE = !+MAX_FILE_SIZE ? +maxFileSize * 1024 * 1024 : MAX_FILE_SIZE
     Vajra.#app.on('request', async (req, res) => {
+      if (+(req.headers['Content-Length'] || req.headers['content-length']) > Vajra.#MAX_FILE_SIZE) { return default_413(res) }
       res.sent = false;
       res.status = (/**@type{code} Number*/ code) => {
         if (!+code || +code < 100 || +code > 599) { throw new Error(`Invalid status code ${code}`) }

package/libs/auth/jwt.js

@@ -0,0 +1,23 @@
+import { subtle } from 'node:crypto';const hasBuffer = typeof Buffer !== 'undefined';
+const DATA = { encoder: new TextEncoder(), decoder: new TextDecoder(), keys: {}, headers: { sign: { alg: 'HS256', typ: 'JWT' }, verify: { name: 'HMAC', hash: 'SHA-256' } } };
+const ENCODED_HEADERS = {}
+function encode(buf) { if (hasBuffer) return Buffer.from(buf).toString('base64url'); let s = ''; for (let i = 0; i < buf.length; i++) s += String.fromCharCode(buf[i]); return btoa(s).replace(/\+/g,'-').replace(/\//g,'_').replace(/=+$/,''); }
+function decode(str) { if (hasBuffer) return Buffer.from(str, 'base64url'); str = str.replace(/-/g,'+').replace(/_/g,'/'); while (str.length % 4) str += '='; const bin = atob(str); const out = new Uint8Array(bin.length); for (let i = 0; i < bin.length; i++) out[i] = bin.charCodeAt(i); return out;}
+async function populateKeyCache(secret) {
+  let { sign: signKey, verify: verifyKey } = DATA.keys[`${secret}`] || {};
+  if (!signKey || !verifyKey) { [signKey, verifyKey] = await Promise.all([subtle.importKey('raw', DATA.encoder.encode(secret), DATA.headers.verify, false, ['sign']), subtle.importKey('raw', DATA.encoder.encode(secret), DATA.headers.verify, false, ['verify'])]); Object.assign(DATA.keys, { [secret]: { sign: signKey, verify: verifyKey } }) }
+  return { signKey, verifyKey }
+}
+export async function sign(payload, secret, options = {}) {
+  if (!payload || typeof payload !== 'object') throw new Error("Payload to sign must be an object"); if (typeof secret !== 'string') throw new Error("Secret must be a string")
+  const { signKey } = await populateKeyCache(secret); const { alg = 'HS256' } = options;
+  ENCODED_HEADERS[alg] = ENCODED_HEADERS[alg] || DATA.encoder.encode({ ...DATA.headers.sign, alg }); const encodedPayload = encode(DATA.encoder.encode(JSON.stringify(payload)))
+  const encodedSignature = encode(await subtle.sign('HMAC', signKey, DATA.encoder.encode(`${ENCODED_HEADERS[alg]}.${encodedPayload}`))); return `${ENCODED_HEADERS[alg]}.${encodedPayload}.${encodedSignature}`;
+}
+export async function verify(token, secret) {
+  if (!token || typeof token != 'string') throw new Error("Token must be a string"); if (!secret || typeof secret !== "string") throw new Error("Secret must be a string")
+  const [encodedHeader, encodedPayload, encodedSignature, ..._] = token.split('.'); if (!encodedPayload || !encodedSignature || _.length) throw new Error('Invalid token format');
+  const { verifyKey } = await populateKeyCache(secret); const valid = await subtle.verify('HMAC', verifyKey, decode(encodedSignature), DATA.encoder.encode(`${encodedHeader}.${encodedPayload}`));
+  if (!valid) throw new Error('Invalid signature'); const payload = JSON.parse(DATA.decoder.decode(decode(encodedPayload)));
+  if (payload.exp && isNaN(+payload.exp)) throw new Error("Expiry must be numeric."); if (payload.exp && Date.now() >= payload.exp * 1000) { throw new Error('Token expired'); } return payload;
+}

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@techiev2/vajra",
-  "version": "1.3.0",
+  "version": "1.4.0",
   "description": "Blazing-fast, zero-dependency Node.js server with routing, middleware, multipart uploads, and templating. 111 lines · ~95k req/s · ~52 MB idle.",
   "keywords": [
     "http-server",

package/tests/tests.js

@@ -1,7 +1,10 @@
 import assert from 'node:assert';
 import { encode } from 'node:querystring';
-import pkg from '../package.json' with {type: 'json'}
 import { suite, test } from 'node:test';
+import { randomBytes, randomUUID } from 'node:crypto';
+
+import pkg from '../package.json' with {type: 'json'}
+import { sign, verify } from '../libs/auth/jwt.js';
 
 async function getResponse(url, method = 'GET', body) {
   return (await fetch(url, !!body ?
@@ -59,3 +62,135 @@ suite('Test HTTP API at port 4002', () => {
     })
   })
 })
+
+suite('Tests for library functions', () => {
+  const encoder = new TextEncoder(); const signHeaders = { alg: 'HS256', typ: 'JWT' }
+  test('Verify that JWT helper returns the right token', async () => {
+    const secret = randomBytes(16).toString('hex')
+    const data = {
+      now: new Date().getTime(),
+      id: randomUUID()
+    }
+    const token = await sign(data, secret)
+    assert.strictEqual(!!token, true)
+    const verified = await verify(token, secret)
+    assert.strict.deepEqual(data, verified)
+  })
+
+  test('Verify that JWT helper throws an expired token error with exp set to gen time', async () => {
+    const secret = randomBytes(16).toString('hex')
+    let exp = Date.now() / 1000
+    const data = {
+      now: new Date().getTime(),
+      exp,
+      id: randomUUID()
+    }
+    const token = await sign(data, secret)
+    assert.strictEqual(!!token, true)
+    assert.rejects(verify.bind(null, token, secret), Error);
+  })
+
+  test('rejects malformed token formats', async () => {
+    const secret = 's';
+    await assert.rejects(verify('', secret),);
+    await assert.rejects(verify('a', secret),);
+    await assert.rejects(verify('a.b', secret),);
+    await assert.rejects(verify('a.b.c.d', secret),);
+    await assert.rejects(verify('a..c', secret),);
+    await assert.rejects(verify('a.b.', secret),);
+  });
+  
+  test('rejects tampered signature', async () => {
+    const token = await sign({a:1}, 'secret');
+    const tampered = token.slice(0, -1) + (token.at(-1) === 'A' ? 'B' : 'A');
+    await assert.rejects(verify(tampered, 'secret'), /Invalid signature/);
+  });
+
+  test('rejects tampered payload', async () => {
+    const token = await sign({a:1}, 'secret');
+    const parts = token.split('.');
+    parts[1] = parts[1].slice(0, -1) + 'X';
+    await assert.rejects(verify(parts.join('.'), 'secret'), /Invalid signature/);
+  });
+
+  test('allows token without exp claim', async () => {
+    const secret = 's';
+    const payload = { sub: '123', iat: Math.floor(Date.now() / 1000) };
+    const token = await sign(payload, secret);
+    const verified = await verify(token, secret);
+    assert.deepStrictEqual(verified, payload);
+  });
+  
+  test('rejects token with future exp after clock advances', async () => {
+    const secret = 's';
+    const past = Math.floor(Date.now() / 1000) - 3600;
+    const payload = { exp: past };
+    const token = await sign(payload, secret);
+    await assert.rejects(verify(token, secret), /Token expired/);
+  });
+  
+  test('handles large payload without truncation', async () => {
+    const secret = 's';
+    const large = { data: 'x'.repeat(5000), arr: Array(100).fill(42) };
+    const token = await sign(large, secret);
+    const verified = await verify(token, secret);
+    assert.deepStrictEqual(verified, large);
+  });
+
+  test('rejects invalid JSON in payload segment', async () => {
+    const header = encode(encoder.encode(JSON.stringify(signHeaders)));
+    const badPayload = encode(encoder.encode('{"broken'));
+    const fakeSig = 'AAAA';
+    const badToken = `${header}.${badPayload}.${fakeSig}`;
+    await assert.rejects(verify(badToken, 'secret'), /Invalid signature/);
+  });
+  
+  test('rejects non-object payload on sign', async () => {
+    await assert.rejects(sign('string', 'secret'));
+    await assert.rejects(sign(null, 'secret'));
+    await assert.rejects(sign(123, 'secret'));
+  });
+  
+  // Add to existing suite
+  test('rejects non-numeric exp claim', async () => {
+    const secret = 's';
+    const payload = { exp: 'invalid', sub: '123' };
+    const token = await sign(payload, secret);
+    await assert.rejects(verify(token, secret), /Expiry must be numeric/);
+  });
+  
+  test('handles clock skew edge case', async () => {
+    const secret = 's';
+    const now = Math.floor(Date.now() / 1000);
+    const payload = { exp: now + 1 }; // Expires in 1s
+    const token = await sign(payload, secret);
+    await new Promise(resolve => setTimeout(resolve, 2000)); // Wait 2s
+    await assert.rejects(verify(token, secret), /Token expired/);
+  });
+  
+  test('rejects malformed base64url segments', async () => {
+    const secret = 's';
+    const header = encode(encoder.encode(JSON.stringify(signHeaders)));
+    const validPayload = encode(encoder.encode('{"sub":"123"}'));
+    const badSegment = '!!invalid@@';
+    await assert.rejects(verify(`${header}.${badSegment}.AAAA`, secret), /Invalid signature/);
+    await assert.rejects(verify(`${header}.${validPayload}.!!invalid@@`, secret), /Invalid signature/);
+  });
+  
+  test('handles empty payload object', async () => {
+    const secret = 's';
+    const payload = {};
+    const token = await sign(payload, secret);
+    const verified = await verify(token, secret);
+    assert.deepStrictEqual(verified, payload);
+  });
+  
+  test('rejects very weak secret', async () => {
+    const secret = 'a'; // Short but still works (crypto allows it)
+    const payload = { sub: '123' };
+    const token = await sign(payload, secret);
+    const verified = await verify(token, secret);
+    assert.deepStrictEqual(verified, payload);
+  });
+  
+})