secure-web-token 1.2.9 → 1.2.10

package/README.md

@@ -2,9 +2,13 @@
 
 > **The secure alternative to JWT** — encrypted, device-bound, and built for production security.
 
-[![npm version](https://img.shields.io/npm/v/secure-web-token)](https://www.npmjs.com/package/secure-web-token)
-[![npm downloads](https://img.shields.io/npm/dm/secure-web-token)](https://www.npmjs.com/package/secure-web-token)
-[![License: MIT](https://img.shields.io/badge/License-MIT-yellow.svg)](https://opensource.org/licenses/MIT)
+[![npm total downloads](https://img.shields.io/npm/dt/secure-web-token?color=orange&logo=npm&label=total%20downloads)](https://www.npmjs.com/package/secure-web-token)
+[![GitHub stars](https://img.shields.io/github/stars/your-username/secure-web-token?style=flat&logo=github&color=yellow)](https://github.com/your-username/secure-web-token/stargazers)
+[![Node.js version](https://img.shields.io/node/v/secure-web-token?logo=node.js&color=green)](https://www.npmjs.com/package/secure-web-token)
+[![TypeScript](https://img.shields.io/badge/TypeScript-Ready-3178C6?logo=typescript)](https://www.npmjs.com/package/secure-web-token)
+[![Encryption](https://img.shields.io/badge/Encryption-AES--256--GCM-brightgreen)](https://github.com/your-username/secure-web-token)
+[![PRs Welcome](https://img.shields.io/badge/PRs-welcome-brightgreen)](https://github.com/your-username/secure-web-token/pulls)
+[![Snyk Vulnerabilities](https://snyk.io/test/github/your-username/secure-web-token/badge.svg)](https://snyk.io/test/github/your-username/secure-web-token)
 
 ```bash
 npm install secure-web-token
@@ -16,13 +20,13 @@ npm install secure-web-token
 
 **JWT has well-known, unfixed security flaws.** If you are using JWT in a security-critical app and have not thought about these, you should stop and read this:
 
-| Problem | JWT | SWT (Secure Web Token) |
-|---|---|---|
-| Payload encryption | ❌ Base64 only (readable by anyone) | ✅ AES-256-GCM encrypted |
-| Device binding | ❌ Token works on any device | ✅ Bound to one device/session |
-| True logout | ❌ Tokens stay valid after logout | ✅ Server-side revocation |
-| Token theft impact | ❌ Stolen token = full account access | ✅ Stolen token is useless on another device |
-| Sensitive data in token | ❌ Visible in browser devtools | ✅ Encrypted, never exposed |
+| Problem                 | JWT                                   | SWT (Secure Web Token)                       |
+| ----------------------- | ------------------------------------- | -------------------------------------------- |
+| Payload encryption      | ❌ Base64 only (readable by anyone)   | ✅ AES-256-GCM encrypted                     |
+| Device binding          | ❌ Token works on any device          | ✅ Bound to one device/session               |
+| True logout             | ❌ Tokens stay valid after logout     | ✅ Server-side revocation                    |
+| Token theft impact      | ❌ Stolen token = full account access | ✅ Stolen token is useless on another device |
+| Sensitive data in token | ❌ Visible in browser devtools        | ✅ Encrypted, never exposed                  |
 
 > **If you are storing user roles, permissions, or any sensitive identifiers in a JWT — they are readable by anyone with the token.** SWT fixes this.
 
@@ -66,15 +70,11 @@ import { sign } from "secure-web-token";
 
 const SECRET = "your-256-bit-secret";
 
-const { token, sessionId } = sign(
-  { userId: 1, role: "admin" },
-  SECRET,
-  {
-    fingerprint: true,   // bind to device
-    store: "memory",     // server-side session store
-    expiresIn: 3600,     // 1 hour
-  }
-);
+const { token, sessionId } = sign({ userId: 1, role: "admin" }, SECRET, {
+  fingerprint: true, // bind to device
+  store: "memory", // server-side session store
+  expiresIn: 3600, // 1 hour
+});
 
 // Send `token` to client, store `sessionId` in HttpOnly cookie
 ```
@@ -85,7 +85,7 @@ const { token, sessionId } = sign(
 import { verify, getStore } from "secure-web-token";
 
 const store = getStore("memory");
-const session = store.getSession(sessionId);  // from HttpOnly cookie
+const session = store.getSession(sessionId); // from HttpOnly cookie
 
 const payload = verify(token, SECRET, {
   sessionId,
@@ -199,12 +199,12 @@ If a JWT is stolen via XSS or network interception, the attacker has full access
 
 ### How SWT Fixes Every One of These
 
-| JWT Flaw | SWT Solution |
-|---|---|
-| Readable payload | AES-256-GCM encryption — payload is unreadable without the server secret |
-| No device binding | Device fingerprint stored in server session — token only valid on original device |
-| Logout doesn't work | Server-side session deletion — revocation is instant and permanent |
-| Token theft | Stolen token cannot be used without matching device fingerprint + server session |
+| JWT Flaw            | SWT Solution                                                                      |
+| ------------------- | --------------------------------------------------------------------------------- |
+| Readable payload    | AES-256-GCM encryption — payload is unreadable without the server secret          |
+| No device binding   | Device fingerprint stored in server session — token only valid on original device |
+| Logout doesn't work | Server-side session deletion — revocation is instant and permanent                |
+| Token theft         | Stolen token cannot be used without matching device fingerprint + server session  |
 
 ---
 
@@ -289,4 +289,4 @@ MIT
 ---
 
 > **Stop using JWT for sensitive user sessions. Your users deserve better.**  
-> `npm install secure-web-token`
+> `npm install secure-web-token`

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "secure-web-token",
-  "version": "1.2.9",
+  "version": "1.2.10",
   "description": "A secure web token utility",
   "main": "dist/index.js",
   "types": "dist/index.d.ts",