secure-web-token 1.2.7 → 1.2.8
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/README.md +11 -11
- package/package.json +1 -1
package/README.md
CHANGED
|
@@ -1,4 +1,4 @@
|
|
|
1
|
-
#
|
|
1
|
+
# Secure Web Token (SWT)
|
|
2
2
|
|
|
3
3
|
A **secure, device-bound authentication token system** for Node.js applications.
|
|
4
4
|
|
|
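Review bot: the fix itself is right (the 1.2.7 README shipped a bare `#` with no title text, so the registry page rendered an empty H1), but the fact that a published release carried an empty heading points at a missing pre-publish check rather than a one-off typo. Suggest inspecting the packed README before release (for example reviewing the output of `npm pack --dry-run` and grepping the README for headings or list items with no text) so placeholder documentation does not reach the registry again.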
@@ -10,28 +10,28 @@ A **secure, device-bound authentication token system** for Node.js applications.
|
|
|
10
10
|
|
|
11
11
|
Unlike JWTs (which are only Base64 encoded), SWT uses **full encryption + server-side session binding**, making stolen tokens useless on other devices.
|
|
12
12
|
|
|
13
|
-
### Key Highlights
|
|
13
|
+
### Key Highlights
|
|
14
14
|
|
|
15
|
-
-
|
|
16
|
-
-
|
|
17
|
-
-
|
|
18
|
-
-
|
|
19
|
-
-
|
|
20
|
-
-
|
|
21
|
-
-
|
|
15
|
+
- **AES-256-GCM encrypted payloads**
|
|
16
|
+
- **Device-bound tokens (single-device login)**
|
|
17
|
+
- **Server-side session management**
|
|
18
|
+
- **HttpOnly session cookies**
|
|
19
|
+
- **Expiry support (`iat`, `exp`)**
|
|
20
|
+
- Simple API: `sign()` and `verify()`
|
|
21
|
+
- Memory store (Redis-ready design)
|
|
22
22
|
|
|
23
23
|
---
|
|
24
24
|
|
|
25
25
|
## 2. What Problem Does It Solve?
|
|
26
26
|
|
|
27
|
-
### Problems with JWT
|
|
27
|
+
### Problems with JWT
|
|
28
28
|
|
|
29
29
|
- Payloads are readable (Base64 โ encryption)
|
|
30
30
|
- Tokens can be reused on any device
|
|
31
31
|
- No native device binding
|
|
32
32
|
- Logout does not truly invalidate tokens
|
|
33
33
|
|
|
34
|
-
### How SWT Solves This
|
|
34
|
+
### How SWT Solves This
|
|
35
35
|
|
|
36
36
|
- Encrypts payload using **AES-256-GCM**
|
|
37
37
|
- Binds tokens to **server-managed device sessions**
|
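Review bot: the seven new "Key Highlights" bullets (the `+` lines replacing the empty `-` list items) make strong security claims that the visible text does not back up with the details a reader needs to evaluate them. "Device-bound tokens (single-device login)", read together with the unchanged line above it ("making stolen tokens useless on other devices"), should state what identifies a device and how `verify()` checks it, because a token stolen along with whatever the server treats as the device identifier is not protected by this mechanism. "AES-256-GCM encrypted payloads" should say where the key comes from and that every `sign()` call uses a fresh random IV, since GCM loses both confidentiality and integrity when an IV is reused under the same key. "Memory store (Redis-ready design)" should note that sessions live in one process's memory, so they are lost on restart and are not shared between instances, which directly affects the "Server-side session management" highlight and the "Logout does not truly invalidate tokens" comparison. Suggest a short paragraph under the list covering how device binding works, how keys and IVs are handled, and when the memory store is appropriate.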