secure-web-token 1.0.2 → 1.0.3

package/README.md CHANGED
@@ -1,126 +1,148 @@
1
1
  # πŸ” Secure Web Token (SWT)
2
2
 
3
- **Secure Web Token (SWT)** is a lightweight Node.js authentication package designed to make token-based authentication **more secure than traditional JWTs** by binding tokens to **device fingerprints**.
3
+ ## 1. About the Package
4
4
 
5
- Unlike JWTs, SWT:
6
- - **Encrypts the payload** (can’t be decoded without the secret)
7
- - Allows **device-level access control**
8
- - Prevents token misuse across multiple devices
5
+ **Secure Web Token (SWT)** is a Node.js authentication package that provides a more secure alternative to JWT by **encrypting token payloads** and **binding tokens to specific devices** using fingerprints.
6
+
7
+ It is designed for applications where security and device-level access control matter.
9
8
 
10
9
  ---
11
10
 
12
- ## ✨ Features
11
+ ## 2. What Problem Does It Solve?
13
12
 
14
- - πŸ” Encrypted payload (AES-256-GCM)
15
- - πŸ“± Device fingerprint support (single or multiple)
16
- - ⏱ Token expiration
17
- - ⚑ Lightweight & fast
18
- - 🧠 TypeScript + IntelliSense support
19
- - βœ… CommonJS compatible
13
+ Traditional JWT has some well-known issues:
20
14
 
21
- ---
15
+ - JWT payloads are **Base64 encoded**, not encrypted
16
+ - Anyone can decode the payload using online tools without the secret
17
+ - If a token leaks, it can be reused on **any device**
18
+ - No built-in way to restrict tokens to a specific device
22
19
 
23
- ## πŸ“¦ Installation
20
+ **Secure Web Token (SWT)** solves these problems by:
24
21
 
25
- ```bash
26
- npm install secure-web-token
27
- ```
22
+ - Encrypting the payload using **AES-256-GCM**
23
+ - Making payload data **completely unreadable without the secret**
24
+ - Allowing tokens to be bound to **one or more device fingerprints**
25
+ - Preventing token reuse from unauthorized devices
26
+ - Supporting auto-generated device IDs for stronger protection
28
27
 
29
- ---
28
+ This makes SWT especially useful for:
29
+ - Course platforms (anti-piracy)
30
+ - SaaS dashboards
31
+ - Admin panels
32
+ - Device-restricted systems
30
33
 
31
- ## πŸ“₯ Import
34
+ ---
32
35
 
33
- ```js
34
- const { sign, verify } = require("secure-web-token");
35
- ```
36
+ ## 3. Available Functions
36
37
 
37
- ---
38
+ ### `sign()`
39
+ Creates an encrypted and signed token.
38
40
 
39
- ## 🧠 What is a Fingerprint?
41
+ **Features:**
42
+ - Encrypts payload
43
+ - Adds expiry (`iat`, `exp`)
44
+ - Supports device fingerprint binding
45
+ - Can auto-generate a device ID
40
46
 
41
- A fingerprint is any identifier that represents a device.
47
+ ---
42
48
 
43
- Examples:
44
- - Browser + OS (`Chrome-Linux`)
45
- - Device ID
46
- - IP address
47
- - Any custom unique string
49
+ ### `verify()`
50
+ Verifies and decrypts a token.
48
51
 
49
- You can allow **one or multiple fingerprints** per token.
52
+ **Checks performed:**
53
+ - Token format
54
+ - Signature integrity
55
+ - Token expiry
56
+ - Device fingerprint validation
50
57
 
51
58
  ---
52
59
 
53
- ## ✍️ sign()
60
+ ## 4. Sample Code
54
61
 
55
- Creates a secure encrypted token.
62
+ ### Installation
56
63
 
57
- ### Syntax
58
-
59
- ```js
60
- sign(data, secret, options)
64
+ ```bash
65
+ npm install secure-web-token
61
66
  ```
62
67
 
63
- ### Options
64
-
65
- | Option | Type | Description |
66
- |------|------|------------|
67
- | expiresIn | number | Token expiry (seconds) |
68
- | fingerprint | true \| string \| string[] | Device fingerprint(s) |
68
+ ---
69
69
 
70
- ### Payload Structure
70
+ ### Import
71
71
 
72
72
  ```js
73
- {
74
- data: { ... },
75
- iat: number,
76
- exp: number,
77
- fp: string[]
78
- }
73
+ const { sign, verify } = require("secure-web-token");
79
74
  ```
80
75
 
81
- ### Example (Auto Device ID)
76
+ ---
77
+
78
+ ### Signing a Token (Auto Device Registration)
82
79
 
83
80
  ```js
81
+ const secret = "my-super-secret";
82
+
84
83
  const { token, deviceId } = sign(
85
84
  { userId: 1, role: "admin" },
86
- "my-secret",
85
+ secret,
87
86
  { fingerprint: true }
88
87
  );
89
88
 
90
- console.log(token, deviceId);
89
+ console.log("TOKEN:", token);
90
+ console.log("DEVICE ID:", deviceId);
91
91
  ```
92
92
 
93
93
  ---
94
94
 
95
- ## βœ… verify()
96
-
97
- Verifies token integrity, expiry, and fingerprint.
95
+ ### Verifying the Token
98
96
 
99
97
  ```js
100
- verify(token, secret, { fingerprint })
98
+ try {
99
+ const payload = verify(token, secret, {
100
+ fingerprint: deviceId
101
+ });
102
+
103
+ console.log("USER DATA:", payload.data);
104
+ } catch (err) {
105
+ console.error("AUTH ERROR:", err.message);
106
+ }
101
107
  ```
102
108
 
103
- ### Example
109
+ ---
110
+
111
+ ### Using Custom Fingerprints
104
112
 
105
113
  ```js
106
- const payload = verify(token, "my-secret", {
107
- fingerprint: deviceId
108
- });
114
+ const { token } = sign(
115
+ { userId: 2 },
116
+ secret,
117
+ {
118
+ expiresIn: 60,
119
+ fingerprint: ["Chrome-Linux", "192.168.1.10"]
120
+ }
121
+ );
109
122
 
110
- console.log(payload.data);
123
+ verify(token, secret, {
124
+ fingerprint: "Chrome-Linux"
125
+ });
111
126
  ```
112
127
 
113
128
  ---
114
129
 
115
- ## πŸ” Use Cases
130
+ ## Payload Structure (Internal)
116
131
 
117
- - Prevent account sharing
118
- - Device-restricted access
119
- - Secure SaaS authentication
120
- - Course/content protection
132
+ ```js
133
+ {
134
+ data: {
135
+ userId: 1,
136
+ role: "admin"
137
+ },
138
+ iat: 1768368114,
139
+ exp: 1768369014,
140
+ fp: ["device-id"]
141
+ }
142
+ ```
121
143
 
122
144
  ---
123
145
 
124
- ## πŸ“œ License
146
+ ## License
125
147
 
126
148
  MIT License
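Review bot: the "Using Custom Fingerprints" example and the "Payload Structure (Internal)" block do not agree with the verifier shipped in this same release. The example signs with `fingerprint: ["Chrome-Linux", "192.168.1.10"]` and the payload block shows `fp: ["device-id"]`, while dist/verify.js now does `const matched = provided === stored;`, so the documented `verify(token, secret, { fingerprint: "Chrome-Linux" })` call would throw "Fingerprint mismatch" if `fp` is stored as shown. Either keep membership matching in verify or change the README to a single-string `fp`. The rewrite also removes the Options table that documented `expiresIn` (seconds) and the accepted `fingerprint` types without replacing it; please restore it under `sign()`.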
package/dist/verify.d.ts CHANGED
@@ -5,7 +5,7 @@ export interface VerifyOptions {
5
5
  /**
6
6
  * Device fingerprint(s) allowed to verify token
7
7
  */
8
- fingerprint?: string | string[];
8
+ fingerprint?: string;
9
9
  }
10
10
  /**
11
11
  * Verifies and decrypts a Secure Web Token.
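Review bot: the doc comment above the changed line still reads "Device fingerprint(s) allowed to verify token" although `fingerprint` is now `string` only, so the comment should be updated to the singular. Narrowing from `string | string[]` also removes a form that callers of 1.0.2 could pass: TypeScript callers passing an array stop compiling, and plain JavaScript callers passing one get no type error and only fail at runtime. If the narrowing is intended, say so in the comment and in the changelog.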
@@ -1 +1 @@
1
- {"version":3,"file":"verify.d.ts","sourceRoot":"","sources":["../src/verify.ts"],"names":[],"mappings":"AAIA;;GAEG;AACH,MAAM,WAAW,aAAa;IAC5B;;OAEG;IACH,WAAW,CAAC,EAAE,MAAM,GAAG,MAAM,EAAE,CAAC;CACjC;AAED;;GAEG;AACH,MAAM,CAAC,OAAO,UAAU,MAAM,CAC5B,KAAK,EAAE,MAAM,EACb,MAAM,EAAE,MAAM,EACd,OAAO,GAAE,aAAkB,GAC1B,MAAM,CAAC,MAAM,EAAE,GAAG,CAAC,CAuDrB"}
1
+ {"version":3,"file":"verify.d.ts","sourceRoot":"","sources":["../src/verify.ts"],"names":[],"mappings":"AAIA;;GAEG;AACH,MAAM,WAAW,aAAa;IAC5B;;OAEG;IACH,WAAW,CAAC,EAAE,MAAM,CAAC;CACtB;AAED;;GAEG;AACH,MAAM,CAAC,OAAO,UAAU,MAAM,CAC5B,KAAK,EAAE,MAAM,EACb,MAAM,EAAE,MAAM,EACd,OAAO,GAAE,aAAkB,GAC1B,MAAM,CAAC,MAAM,EAAE,GAAG,CAAC,CAmDrB"}
package/dist/verify.js CHANGED
@@ -69,13 +69,9 @@ function verify(token, secret, options = {}) {
69
69
  throw new Error("Invalid payload structure");
70
70
  }
71
71
  if (options.fingerprint) {
72
- const provided = Array.isArray(options.fingerprint)
73
- ? options.fingerprint
74
- : [options.fingerprint];
75
- const stored = Array.isArray(payload.fp)
76
- ? payload.fp
77
- : [];
78
- const matched = provided.some(fp => stored.includes(fp));
72
+ const provided = options.fingerprint;
73
+ const stored = payload.fp;
74
+ const matched = provided === stored;
79
75
  if (!matched) {
80
76
  throw new Error("Fingerprint mismatch");
81
77
  }
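Review bot: `const matched = provided === stored;` replaces a membership test with strict equality against `payload.fp`, and there is no longer any check of what type `payload.fp` is. The README in this release documents `fp` as an array (`fp: ["device-id"]`); a string compared to an array with `===` is never equal, so in that case every verification that passes a fingerprint throws "Fingerprint mismatch", and tokens bound to several fingerprints can no longer match at all. Suggest `Array.isArray(stored) && stored.includes(provided)`, rejecting a non-string `provided` explicitly. Separately, the unchanged guard `if (options.fingerprint) {` means the device binding is only enforced when the caller supplies a fingerprint; consider failing verification when `payload.fp` is set and no fingerprint is provided.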
package/package.json CHANGED
@@ -1,6 +1,6 @@
1
1
  {
2
2
  "name": "secure-web-token",
3
- "version": "1.0.2",
3
+ "version": "1.0.3",
4
4
  "description": "A secure web token utility",
5
5
  "main": "dist/index.js",
6
6
  "types": "dist/index.d.ts",
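Review bot: `"version": "1.0.3"` is a patch-level bump, but this release narrows the public `VerifyOptions.fingerprint` type and changes how `verify()` matches fingerprints, both of which can break existing callers. Under semver that warrants a major version, or the previous array behaviour should be kept so that a patch release stays compatible.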