phish108 / node-jose-tools
Command line tools for node-jose's features
Home Page: https://www.npmjs.com/package/node-jose-tools
License: MIT License
It would be nice to have an introspection tool that reads a JWT and prints the type and basic header information.
In addition to the *key tools, a more mnemonic version of the tools would be nice, so one can call:
jose key new -u sig -R -s 2048
jose key add -j keystore
jose key ls -j keystore
jose key rm -j keystore
jose key find -j keystore some_kid
jose key export -j keystore --format pem
jose key publish -j keystore
This requires the sanitizer to check more than one argument.
Maybe it even makes sense to split the tools as such:
Hi,
Running on MacOS with node v13.8.0 and the latest node-jose-tools, and I get the error "unknown tool name" whenever I run any command.
I installed it as per the docs:
npm install -g node-jose-tools
The simplest demonstration is this:
jose encrypt
it returns:
unknown tool name
As a globally installed node module, I expect to be able to run jose from any working directory.
Rather than run the documented jose command, it instead can run as follows:
cd /usr/local/lib/node_modules/node-jose-tools
node index.js encrypt ...
Digging into the code, I see that sanitize.js looks for the file .lib/${toolname}.js.
I think the use of . is the root cause. I put console.log(fs.realpathSync('.')) into sanitize.js to debug what . is, and I get the current PWD of my shell, and not the root of the project as it expects.
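The working-directory dependence described in this report can be reproduced in isolation. The following is an added example, not code from node-jose-tools: the function names, the `./lib/<tool>.js` layout and the temporary directories are assumptions made for illustration.

```javascript
const fs = require('fs');
const os = require('os');
const path = require('path');

// Lookup as the issue describes it: a './lib/<tool>.js' path is resolved
// against process.cwd(), i.e. the directory the user's shell is in.
function findToolRelative(toolname) {
  const file = `./lib/${toolname}.js`; // assumed path layout
  return fs.existsSync(file) ? fs.realpathSync(file) : null;
}

// Anchored lookup: resolve against the package's own directory instead.
// In a CommonJS module, moduleRoot would be __dirname of the calling file.
function findToolAnchored(moduleRoot, toolname) {
  const file = path.join(moduleRoot, 'lib', `${toolname}.js`);
  return fs.existsSync(file) ? file : null;
}

// Constructed scenario: a fake install directory that contains lib/encrypt.js
// and an unrelated working directory, as with a global npm install.
function demo() {
  const mk = (p) => fs.realpathSync(fs.mkdtempSync(path.join(os.tmpdir(), p)));
  const installRoot = mk('jose-install-');
  const userDir = mk('jose-cwd-');
  fs.mkdirSync(path.join(installRoot, 'lib'));
  fs.writeFileSync(path.join(installRoot, 'lib', 'encrypt.js'), 'module.exports = {};\n');
  const previous = process.cwd();
  try {
    process.chdir(userDir); // user runs `jose encrypt` from their own directory
    const fromUserDir = {
      relative: findToolRelative('encrypt'),
      anchored: findToolAnchored(installRoot, 'encrypt'),
    };
    process.chdir(installRoot); // the workaround from the issue: cd into the package
    const fromInstallDir = { relative: findToolRelative('encrypt') };
    return { installRoot, fromUserDir, fromInstallDir };
  } finally {
    process.chdir(previous);
    fs.rmSync(installRoot, { recursive: true, force: true });
    fs.rmSync(userDir, { recursive: true, force: true });
  }
}

console.log(demo());
```

A lookup that depends on the caller's working directory also means the tool's behaviour is decided by whatever directory it is started from, which is a reason to anchor module paths to the package directory.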
In newkey line 35 the key type is set to RSA instead of EC. The tests should fail, but pass.
If jose is called without any tool, then the available tools should be listed.
If jose --help is called, then a basic usage and the tools should be presented.
The mock stdin tests randomly fail with timeout errors on macos.
Use #patch instead
The tool tries to load support functions from a non-existent helpers folder instead of from helper.
provide inline help directly from the CLI
Use two values hold and release.
hold if only files in .github have changed
hold if only files in tests have changed
package.json and package-lock.json have changed
dependencies and devDependencies in package.json
package.json
hold if only devDependencies have changed.
release otherwise
All tools are nicely suited for creating simple JWT, but having the configs for multiple recipients on one command line is tricky at best.
What we should have is a token tool that consumes a JSON or YAML file for the different parameters of our token. The tool would have a configuration parameter and accept payload and that's it. This allows one to declare the JWT outcome separately from running the command.
The following example illustrates what a declaration might look like:
jose:
  format: compact
  # global claims and defaults
  iat: now
  exp: 1h
  jwks: my/jwks/default.jwks
  sign:
    - jwks: my/jwks/file.jwks
      kid: mysignkey
      alg: RS256
      # other parameters
      aud: for your eyes only
      claims:
        # application specific claims
    - kid: mydefaultkeyid
      alg: ES256
  enc:
    recipients:
      - jwks: my/friends.jwks
        kid: freds_key
        alg: RSA-OAEP
        # other parameters
        claims:
          # application specific claims
      - jwks: my/friends.jwks
        kid: lauras_key
        alg: RSA-OAEP
        # other parameters
        claims:
          # application specific claims
This will allow users to declare what their token should look like and the tool will create a suitable token.
Currently the only way to pass a JWS into the verify tool is either via STDIN or via a file.
It would be handy, if the tool would accept the token string directly from input.
This could be done by using a dedicated parameter -T or --JWT or --JWS to pass the string. In this case the tool must not try to read the token from stdin or a file. This way we do not need to verify whether a string is a token or a filename.
Add basic and extended support via the --crit option.
Basic support should accept a comma separated list of header claims.
Extended support should accept Key-value pairs and run crit-header functions to validate an incoming JWT.
Crit header support is necessary for validate and decrypt.
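A sketch of the header introspection requested at the top of this page combined with the basic form of the --crit check, written as an added example rather than code from node-jose-tools. The function names and sample tokens are constructed for illustration, the crit rules follow RFC 7515 section 4.1.11, and the extended key-value form is not covered.

```javascript
// Registered JWS header names; RFC 7515 section 4.1.11 forbids them in "crit".
const STANDARD = new Set(['alg', 'jku', 'jwk', 'kid', 'x5u', 'x5c', 'x5t',
  'x5t#S256', 'typ', 'cty', 'crit']);

// Introspection: classify a compact token and decode its protected header.
// Nothing is verified or decrypted here.
function inspectToken(token) {
  const parts = token.split('.');
  // Compact JWS has 3 segments, compact JWE has 5.
  const type = { 3: 'JWS', 5: 'JWE' }[parts.length];
  if (!type) throw new Error('not a compact JWS or JWE');
  const b64 = parts[0].replace(/-/g, '+').replace(/_/g, '/');
  return { type, header: JSON.parse(Buffer.from(b64, 'base64').toString('utf8')) };
}

// Basic --crit handling: critOption is the comma separated list of critical
// header names the caller declares it understands.
function checkCrit(header, critOption) {
  const understood = new Set(
    (critOption || '').split(',').map((s) => s.trim()).filter(Boolean));
  if (!('crit' in header)) return { ok: true, reason: 'no crit header' };
  const crit = header.crit;
  if (!Array.isArray(crit) || crit.length === 0 ||
      !crit.every((n) => typeof n === 'string')) {
    return { ok: false, reason: 'crit must be a non-empty array of strings' };
  }
  for (const name of crit) {
    if (STANDARD.has(name)) return { ok: false, reason: `registered name in crit: ${name}` };
    if (!(name in header)) return { ok: false, reason: `crit names absent header: ${name}` };
    if (!understood.has(name)) return { ok: false, reason: `not understood: ${name}` };
  }
  return { ok: true, reason: 'all critical headers understood' };
}

// Constructed sample tokens: real header segment, dummy remaining segments.
function makeToken(header, segments) {
  const h = Buffer.from(JSON.stringify(header)).toString('base64')
    .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
  return [h, ...Array(segments - 1).fill('AAAA')].join('.');
}

const jws = makeToken({ alg: 'ES256', crit: ['exp'], exp: 1363284000 }, 3);
const info = inspectToken(jws);
console.log(info.type, info.header, checkCrit(info.header, 'exp'), checkCrit(info.header, ''));
```

A token whose crit list names a header the caller did not declare must be rejected before any signature or decryption result is trusted, which is why the check fails closed when --crit is empty.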
The readfile helper requires superagent, which it should not.
Hello!
I was curious about the network traffic that is emitted every single time I run newkey with npx.
Cheers.
The addkey tests sometimes fail due to timing conditions of Promises.
The tests should be written in a way that is agnostic to the timing of the promises.
Multiple keys require key wrapping alg. (Eg not ecdh-es but ecdh-es-...)
Zsh allows tools to register their sub commands for auto (tab) expansion.
It would be great to have a shell-install-tool that allows users to register jose tools into the environment.
The tools should not require that algorithms are explicitly mentioned. Instead sign and encrypt should select suitable defaults if alg or enc are missing.
Right now jose crashes ungracefully if no tool is provided.