@techiev2/vajra 1.3.1 → 1.4.1

package/README

@@ -14,15 +14,38 @@ Vajra draws from the Rigvedic thunderbolt weapon of Indra — crafted from the b
 Like the Vajra, this server delivers maximum power in minimal form.
 
 
-[![npm version](https://img.shields.io/npm/v/vajra.svg?style=flat-square)](https://www.npmjs.com/package/vajra)
-[![npm downloads](https://img.shields.io/npm/dm/vajra.svg?style=flat-square)](https://www.npmjs.com/package/vajra)
-[![Node.js version](https://img.shields.io/node/v/vajra.svg?style=flat-square)](https://nodejs.org)
-[![License](https://img.shields.io/npm/l/vajra.svg?style=flat-square)](LICENSE)
+[![npm version](https://img.shields.io/npm/v/@techiev2/vajra.svg?style=flat-square)](https://www.npmjs.com/package/@techiev2/vajra)
+[![npm downloads](https://img.shields.io/npm/dm/vajra.svg?style=flat-square)](https://www.npmjs.com/package/@techiev2/vajra)
+[![Node.js version](https://img.shields.io/node/v/@techiev2/vajra.svg?style=flat-square)](https://nodejs.org)
+[![License](https://img.shields.io/npm/l/@techiev2/vajra.svg?style=flat-square)](LICENSE)
+
+
+## Changelog
+
+### 1.4.1 (Current)
+- Added support to handle drift in system time after signing
+
+### 1.4.0 (2025-12-31)
+- Added full HS256 JWT support (`@techiev2/vajra/libs/auth/jwt.js`)
+  - Ultra-minimal, zero-dependency implementation
+  - Key and header caching for maximum performance
+  - Robust base64url handling
+  - Numeric exp validation and expiration checks
+
+### 1.3.0 (2025-12-30)
+- Performance improvements to routing in bare routes
+
+### 1.2.0 (2025-12-30)
+- Adds cookie support
+
+### 1.0.0 (2025-12-25)
+- Initial release
 
 ## Features
 
 - Zero external dependencies
 - Built-in routing with named parameters (`:id`)
+- Asynchronous batched logging for performance
 - Global middleware support with `next()` chaining
 - JSON, urlencoded, and **multipart/form-data** body parsing
 - Fast HTML templating with loops, nested objects, and simple array headers
@@ -59,14 +82,17 @@ async function getUsers(query = {}) {
   return (await fetch(`https://jsonplaceholder.typicode.com/users?${encode(query)}`)).json()
 }
 
-const { get, post, use, start, setProperty } = Vajra.create();
+const { get, post, use, start, setProperty, log } = Vajra.create();
 
 setProperty({ viewsRoot: `${import.meta.url}/views` })
 // Or as a key-value pair
 // setProperty('viewsRoot', `${import.meta.url}/views`)
 
 use((req, res, next) => {
-  console.log(`${req.method} ${req.url}`);
+  // Vajra provides an async batched logger to provide a balance between 100% log coverage and performance.
+  // If you prefer blocking immediate logs, you can switch to console.log
+  // or any other library of your choice.
+  log(`${req.method} ${req.url}`);
   next();
 });
 
@@ -156,6 +182,7 @@ app.setProperty('viewRoot', './views');
 - `use(middleware)`
 - `start({ port, host }, callback?)`
 - `setProperty(key, value)` or `setProperty({ key: value })`
+- `log(message)`
 
 
 #### Response helpers:

package/README.md

@@ -19,6 +19,28 @@ Like the Vajra, this server delivers maximum power in minimal form.
 [![Node.js version](https://img.shields.io/node/v/@techiev2/vajra.svg?style=flat-square)](https://nodejs.org)
 [![License](https://img.shields.io/npm/l/@techiev2/vajra.svg?style=flat-square)](LICENSE)
 
+
+## Changelog
+
+### 1.4.1 (Current)
+- Added support to handle drift in system time after signing
+
+### 1.4.0 (2025-12-31)
+- Added full HS256 JWT support (`@techiev2/vajra/libs/auth/jwt.js`)
+  - Ultra-minimal, zero-dependency implementation
+  - Key and header caching for maximum performance
+  - Robust base64url handling
+  - Numeric exp validation and expiration checks
+
+### 1.3.0 (2025-12-30)
+- Performance improvements to routing in bare routes
+
+### 1.2.0 (2025-12-30)
+- Adds cookie support
+
+### 1.0.0 (2025-12-25)
+- Initial release
+
 ## Features
 
 - Zero external dependencies

package/libs/auth/jwt.js

@@ -0,0 +1,25 @@
+import { subtle } from 'node:crypto';const hasBuffer = typeof Buffer !== 'undefined';
+const DATA = { encoder: new TextEncoder(), decoder: new TextDecoder(), keys: {}, headers: { sign: { alg: 'HS256', typ: 'JWT' }, verify: { name: 'HMAC', hash: 'SHA-256' } } };
+const ENCODED_HEADERS = {}
+function encode(buf) { if (hasBuffer) return Buffer.from(buf).toString('base64url'); let s = ''; for (let i = 0; i < buf.length; i++) s += String.fromCharCode(buf[i]); return btoa(s).replace(/\+/g,'-').replace(/\//g,'_').replace(/=+$/,''); }
+function decode(str) { if (hasBuffer) return Buffer.from(str, 'base64url'); str = str.replace(/-/g,'+').replace(/_/g,'/'); while (str.length % 4) str += '='; const bin = atob(str); const out = new Uint8Array(bin.length); for (let i = 0; i < bin.length; i++) out[i] = bin.charCodeAt(i); return out;}
+async function populateKeyCache(secret) {
+  let { sign: signKey, verify: verifyKey } = DATA.keys[`${secret}`] || {};
+  if (!signKey || !verifyKey) { [signKey, verifyKey] = await Promise.all([subtle.importKey('raw', DATA.encoder.encode(secret), DATA.headers.verify, false, ['sign']), subtle.importKey('raw', DATA.encoder.encode(secret), DATA.headers.verify, false, ['verify'])]); Object.assign(DATA.keys, { [secret]: { sign: signKey, verify: verifyKey } }) }
+  return { signKey, verifyKey }
+}
+export async function sign(payload, secret, options = {}) {
+  if (!payload || typeof payload !== 'object') throw new Error("Payload to sign must be an object"); if (typeof secret !== 'string') throw new Error("Secret must be a string")
+  const { signKey } = await populateKeyCache(secret); const { alg = 'HS256' } = options;
+  ENCODED_HEADERS[alg] = ENCODED_HEADERS[alg] || DATA.encoder.encode({ ...DATA.headers.sign, alg }); const encodedPayload = encode(DATA.encoder.encode(JSON.stringify({ ...payload, _gen_ts: Math.floor(Date.now() / 1000) })))
+  const encodedSignature = encode(await subtle.sign('HMAC', signKey, DATA.encoder.encode(`${ENCODED_HEADERS[alg]}.${encodedPayload}`))); return `${ENCODED_HEADERS[alg]}.${encodedPayload}.${encodedSignature}`;
+}
+export async function verify(token, secret) {
+  if (!token || typeof token != 'string') throw new Error("Token must be a string"); if (!secret || typeof secret !== "string") throw new Error("Secret must be a string")
+  const [encodedHeader, encodedPayload, encodedSignature, ..._] = token.split('.'); if (!encodedPayload || !encodedSignature || _.length) throw new Error('Invalid token format');
+  const { verifyKey } = await populateKeyCache(secret); const valid = await subtle.verify('HMAC', verifyKey, decode(encodedSignature), DATA.encoder.encode(`${encodedHeader}.${encodedPayload}`));
+  if (!valid) throw new Error('Invalid signature'); const payload = JSON.parse(DATA.decoder.decode(decode(encodedPayload)));
+  const genTs = payload._gen_ts; const now = Math.floor(Date.now() / 1000); const maxBackwardDrift = 300;
+  if (typeof genTs === 'number' && (now + maxBackwardDrift < genTs)) { throw new Error('System clock appears to have moved backward — token rejected'); }
+  delete payload._gen_ts; if (payload.exp && isNaN(+payload.exp)) throw new Error("Expiry must be numeric."); if (payload.exp && Date.now() >= payload.exp * 1000) { throw new Error('Token expired'); } return payload;
+}

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@techiev2/vajra",
-  "version": "1.3.1",
+  "version": "1.4.1",
   "description": "Blazing-fast, zero-dependency Node.js server with routing, middleware, multipart uploads, and templating. 111 lines · ~95k req/s · ~52 MB idle.",
   "keywords": [
     "http-server",

package/tests/tests.js

@@ -1,7 +1,10 @@
 import assert from 'node:assert';
 import { encode } from 'node:querystring';
+import { afterEach, beforeEach, suite, test } from 'node:test';
+import { randomBytes, randomUUID } from 'node:crypto';
+
 import pkg from '../package.json' with {type: 'json'}
-import { suite, test } from 'node:test';
+import { sign, verify } from '../libs/auth/jwt.js';
 
 async function getResponse(url, method = 'GET', body) {
   return (await fetch(url, !!body ?
@@ -14,6 +17,7 @@ async function getJSON(url, method = 'GET', body) {
   return (await getResponse(url, method, body)).json()
 }
 
+
 suite('Test HTTP API at port 4002', () => {
   const BASE_URL = 'http://localhost:4002'
   suite('Test HTTP GET', () => {
@@ -59,3 +63,240 @@ suite('Test HTTP API at port 4002', () => {
     })
   })
 })
+
+suite('Tests for library functions', () => {
+  const encoder = new TextEncoder(); const signHeaders = { alg: 'HS256', typ: 'JWT' }; let timeOffsetMs = 0;
+  // const originalDateNow = Date.now;
+  // Date.now = function () { return originalDateNow() + timeOffsetMs; };
+  function setupMockTimer(timing) {
+    const originalNow = globalThis.Date.now
+    let timeDelta = timing
+    globalThis.Date.now = () => { return originalNow() + (timeDelta || 0) }
+  }
+  async function withMockTimer(timeDelta, fn) {
+    setupMockTimer(timeDelta)
+    await fn()
+  }
+  test('Verify that JWT helper returns the right token', async () => {
+    const secret = randomBytes(16).toString('hex')
+    const data = {
+      now: new Date().getTime(),
+      id: randomUUID()
+    }
+    const token = await sign(data, secret)
+    assert.strictEqual(!!token, true)
+    const verified = await verify(token, secret)
+    assert.strict.deepEqual(data, verified)
+  })
+
+  test('Verify that JWT helper throws an expired token error with exp set to gen time', async () => {
+    const secret = randomBytes(16).toString('hex')
+    let exp = Date.now() / 1000
+    const data = {
+      now: new Date().getTime(),
+      exp,
+      id: randomUUID()
+    }
+    const token = await sign(data, secret)
+    assert.strictEqual(!!token, true)
+    assert.rejects(verify.bind(null, token, secret), Error);
+  })
+
+  test('rejects malformed token formats', async () => {
+    const secret = 's';
+    await assert.rejects(verify('', secret),);
+    await assert.rejects(verify('a', secret),);
+    await assert.rejects(verify('a.b', secret),);
+    await assert.rejects(verify('a.b.c.d', secret),);
+    await assert.rejects(verify('a..c', secret),);
+    await assert.rejects(verify('a.b.', secret),);
+  });
+
+  test('rejects tampered signature', async () => {
+    const token = await sign({a:1}, 'secret');
+    const tampered = token.slice(0, -1) + (token.at(-1) === 'A' ? 'B' : 'A');
+    await assert.rejects(verify(tampered, 'secret'), /Invalid signature/);
+  });
+
+  test('rejects tampered payload', async () => {
+    const token = await sign({a:1}, 'secret');
+    const parts = token.split('.');
+    parts[1] = parts[1].slice(0, -1) + 'X';
+    await assert.rejects(verify(parts.join('.'), 'secret'), /Invalid signature/);
+  });
+
+  test('allows token without exp claim', async () => {
+    const secret = 's';
+    const payload = { sub: '123', iat: Math.floor(Date.now() / 1000) };
+    const token = await sign(payload, secret);
+    const verified = await verify(token, secret);
+    assert.deepStrictEqual(verified, payload);
+  });
+
+  test('rejects token with future exp after clock advances', async () => {
+    const secret = 's';
+    const past = Math.floor(Date.now() / 1000) - 3600;
+    const payload = { exp: past };
+    const token = await sign(payload, secret);
+    await assert.rejects(verify(token, secret), /Token expired/);
+  });
+
+  test('handles large payload without truncation', async () => {
+    const secret = 's';
+    const large = { data: 'x'.repeat(5000), arr: Array(100).fill(42) };
+    const token = await sign(large, secret);
+    const verified = await verify(token, secret);
+    assert.deepStrictEqual(verified, large);
+  });
+
+  test('rejects invalid JSON in payload segment', async () => {
+    const header = encode(encoder.encode(JSON.stringify(signHeaders)));
+    const badPayload = encode(encoder.encode('{"broken'));
+    const fakeSig = 'AAAA';
+    const badToken = `${header}.${badPayload}.${fakeSig}`;
+    await assert.rejects(verify(badToken, 'secret'), /Invalid signature/);
+  });
+
+  test('rejects non-object payload on sign', async () => {
+    await assert.rejects(sign('string', 'secret'));
+    await assert.rejects(sign(null, 'secret'));
+    await assert.rejects(sign(123, 'secret'));
+  });
+
+  // Add to existing suite
+  test('rejects non-numeric exp claim', async () => {
+    const secret = 's';
+    const payload = { exp: 'invalid', sub: '123' };
+    const token = await sign(payload, secret);
+    await assert.rejects(verify(token, secret), /Expiry must be numeric/);
+  });
+
+  test('handles clock skew edge case', async () => {
+    const secret = 's';
+    const now = Math.floor(Date.now() / 1000);
+    const payload = { exp: now + 1 }; // Expires in 1s
+    const token = await sign(payload, secret);
+    await new Promise(resolve => setTimeout(resolve, 2000)); // Wait 2s
+    await assert.rejects(verify(token, secret), /Token expired/);
+  });
+
+  test('rejects malformed base64url segments', async () => {
+    const secret = 's';
+    const header = encode(encoder.encode(JSON.stringify(signHeaders)));
+    const validPayload = encode(encoder.encode('{"sub":"123"}'));
+    const badSegment = '!!invalid@@';
+    await assert.rejects(verify(`${header}.${badSegment}.AAAA`, secret), /Invalid signature/);
+    await assert.rejects(verify(`${header}.${validPayload}.!!invalid@@`, secret), /Invalid signature/);
+  });
+
+  test('handles empty payload object', async () => {
+    const secret = 's';
+    const payload = {};
+    const token = await sign(payload, secret);
+    const verified = await verify(token, secret);
+    assert.deepStrictEqual(verified, payload);
+  });
+
+  test('rejects very weak secret', async () => {
+    const secret = 'a'; // Short but still works (crypto allows it)
+    const payload = { sub: '123' };
+    const token = await sign(payload, secret);
+    const verified = await verify(token, secret);
+    assert.deepStrictEqual(verified, payload);
+  });
+
+  test('clock drift: expired token should NOT become valid when clock moves backward', async () => {
+    const secret = randomBytes(16).toString('hex');
+    const issueTime = Date.now();
+    const payload = { sub: 'test-user', exp: Math.floor((issueTime + 5000) / 1000) }; // Set expiry of 5 seconds
+    const token = await sign(payload, secret);
+    setupMockTimer(10000)
+    await assert.rejects(verify(token, secret), /Token expired/);
+    setupMockTimer(-3000000)
+    await assert.rejects(verify(token, secret), /System clock appears to have moved backward/);
+  });
+
+  test('clock drift: small backward drift does not falsely reject', async () => {
+    const secret = randomBytes(16).toString('hex');
+    const issueTime = Date.now();
+    const payload = { sub: 'test', exp: Math.floor((issueTime + 3600000) / 1000) };
+    const token = await sign(payload, secret);
+    setupMockTimer(-120000)
+    const verified = await verify(token, secret);
+    assert.strictEqual(verified.sub, 'test');
+  });
+
+  test('clock drift: small backward drift within leeway should be tolerated', async () => {
+    const secret = randomBytes(16).toString('hex');
+    const issueTime = Date.now();
+    const payload = { exp: Math.floor((issueTime + 5000) / 1000) };
+    const token = await sign(payload, secret);
+    setupMockTimer(-30000)
+    assert.deepStrictEqual(await verify(token, secret), payload);
+  });
+
+  test('clock drift: large backward jump should reject even non-expired token', async () => {
+    const secret = randomBytes(16).toString('hex');
+    const issueTime = Date.now();
+    const payload = { sub: 'drift-test', exp: Math.floor((issueTime + 3600000) / 1000) };
+    const token = await sign(payload, secret);
+    setupMockTimer(1000)
+    const verified = await verify(token, secret);
+    assert.strictEqual(verified.sub, 'drift-test');
+    setupMockTimer(-8640000);
+    await assert.rejects(
+      verify(token, secret),
+      /System clock appears to have moved backward — token rejected/
+    );
+  });
+  
+  test('clock drift: forward jump should not falsely expire valid token', async () => {
+    const secret = randomBytes(16).toString('hex');
+    const issueTime = Date.now();
+    const payload = { exp: Math.floor((issueTime + 3600000) / 1000) }; // 1 hour valid
+    const token = await sign(payload, secret);
+    // Jump forward 30 minutes — should still be valid
+    setupMockTimer(1800000)
+    const verified = await verify(token, secret);
+    assert.ok(verified);
+  });
+
+  test('clock drift: large rollback rejects all tokens regardless of individual exp', async () => {
+    const secret = randomBytes(16).toString('hex');
+    const baseTime = Date.now();
+    const payloads = [
+      { id: 'expired', exp: Math.floor((baseTime + 5000) / 1000) },
+      { id: 'valid', exp: Math.floor((baseTime + 3600000) / 1000) }
+    ];
+    const [expiredToken, validToken] = await Promise.all([
+      sign(payloads[0], secret),
+      sign(payloads[1], secret)
+    ]);
+    await withMockTimer(-720000, async () => {
+      await Promise.all([
+        assert.rejects(verify(expiredToken, secret), /System clock appears to have moved backward/),
+        assert.rejects(verify(validToken, secret), /System clock appears to have moved backward/)
+      ])
+    })
+  })
+
+  test('clock drift: large rollback rejects all tokens regardless of individual exp', async () => {
+    const secret = randomBytes(16).toString('hex');
+    const baseTime = Date.now();
+    const payloads = [
+      { id: 'expired', exp: Math.floor((baseTime + 5000) / 1000) },
+      { id: 'valid', exp: Math.floor((baseTime + 3600000) / 1000) }
+    ];
+    const [expiredToken, validToken] = await Promise.all([
+      sign(payloads[0], secret),
+      sign(payloads[1], secret)
+    ]);
+    await withMockTimer(-1000000, async () => {
+      await Promise.all([
+        assert.rejects(verify(expiredToken, secret), /System clock appears to have moved backward/),
+        assert.rejects(verify(validToken, secret), /System clock appears to have moved backward/)
+      ])
+    })
+  });
+
+})