UNPKG

twt/README.md

Version:

6.16 kBMarkdownView Raw

1# 🤏 Tiny Web Tokens (TWT)
2
3Tiny Web Tokens (TWT) are like JSON Web Tokens (JWT), but for tiny payloads. They're an opinionated, non-standard way to generate and validate string payloads.
4
5[![Node CI](https://img.shields.io/github/workflow/status/koj-co/twt/Node%20CI?label=GitHub%20CI&logo=github)](https://github.com/koj-co/twt/actions)
6[![Travis CI](https://img.shields.io/travis/koj-co/twt?label=Travis%20CI&logo=travis%20ci&logoColor=%23fff)](https://travis-ci.org/koj-co/twt)
7[![Coverage](https://coveralls.io/repos/github/koj-co/twt/badge.svg?branch=master&v=2)](https://coveralls.io/github/koj-co/twt?branch=master)
8[![Dependencies](https://img.shields.io/librariesio/release/npm/twt)](https://libraries.io/npm/twt)
9[![License](https://img.shields.io/npm/l/twt)](https://github.com/koj-co/twt/blob/master/LICENSE)
10[![Vulnerabilities](https://img.shields.io/snyk/vulnerabilities/npm/twt.svg)](https://snyk.io/test/npm/twt)
11[![Based on Node.ts](https://img.shields.io/badge/based%20on-node.ts-brightgreen)](https://github.com/AnandChowdhary/node.ts)
12[![npm type definitions](https://img.shields.io/npm/types/twt.svg)](https://unpkg.com/browse/twt/dist/index.d.ts)
13[![npm package](https://img.shields.io/npm/v/twt.svg)](https://www.npmjs.com/package/node.ts)
14[![npm downloads](https://img.shields.io/npm/dw/twt)](https://www.npmjs.com/package/node.ts)
15[![Contributors](https://img.shields.io/github/contributors/koj-co/twt)](https://github.com/koj-co/twt/graphs/contributors)
16[![semantic-release](https://img.shields.io/badge/%20%20%F0%9F%93%A6%F0%9F%9A%80-semantic--release-e10079.svg)](https://github.com/semantic-release/semantic-release)
17
18[![npm](https://nodei.co/npm/twt.png)](https://www.npmjs.com/package/twt)
19
20_Looking for the Twitter CLI `twt`? See the docs for v0.x on [GitHub](https://github.com/geoffreydhuyvetters/twt) or [npm](https://www.npmjs.com/package/twt/v/0.10.4)._
21
22## 📋 Spec
23
24A TWT is a URL-safe string with a payload and its computed HMAC MD5. The length of a TWT is the length of its payload + 32 characters. For example:
25
26```
27hellobade63863c61ed0b3165806ecd6acefc
28```
29
30In the above example, the payload is `hello`, and its hash is `bade63863c61ed0b3165806ecd6acefc`, signed using the secret key `secret`.
31
32### Is TWT a replacement for JWT?
33
34TWT is not a replacement for JWT, and you should use JWTs for most use cases. TWTs are only useful for no-expiry, string payloads. The use case is instead of using a random-character string, use its TWT, so that users cannot modify it.
35
36You should **not** use TWT:
37
38- For secure authentication tokens
39- When you want token expiry
40- When your payload is a JSON object
41- When you want to customize the algorithm
42- When you need to sign with RSA keys
43
44However, you can use TWT when your payload is a single string with no expiry and you don't want users to modify them, in use cases like:
45
46- Sessions tokens
47- Unique user ID parameters in URLs
48- Fingerprint cookies
49
50### TWTs are Tiny
51
52Compared to a JWT which includes information about the algorithm and base64-encodes the JSON object, TWTs are much smaller because they are hardcoded to use HMAC with MD5 (which is insecure but short, and works very well for this use case) and only support a string.
53
54A JWT signed with `secret` and one key-value pair `{ session_id: "fYbiqoTfXHtW6xPuq7hs" }` is **131 characters** long, whereas a TWT with the value `fYbiqoTfXHtW6xPuq7hs` is only 52 characters long, less than half of the JWT length.
55
56```
57eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzZXNzaW9uX2lkIjoiZlliaXFvVGZYSHRXNnhQdXE3aHMifQ.vrMGzUZ7qt4KXbBRG9VAVlVRGFLXTXYs0cAjQJpSc4s
58```
59
60### Example use case
61
62For example, if you have a webpage http://example.com/profile?id=3 where the user with ID = 3 can edit their profile, you can use a TWT instead: http://example.com/profile?id=3eccbc87e4b5ce2fe28308fd9f2a7baf3. This means that users cannot change the ID from the address bar to impersonate someone else (of course, there are other checks to ensure permissions, but you get the idea).
63
64At [Koj](https://koj.co), we're using TWT as part of our onboarding process. When a new user signs up on https://koj.co/en-ch/get-started, we ask them their name and generate a unique ID for their onboarding session. Then, we redirect them to https://koj.co/en-ch/get-started/fYbiqoTfXHtW6xPuq7hsdaa019dae774e16ea5e3cb5e9c1cf72a/furniture/bed, for example, when we ask for their bed preference. In this case, the user's session ID is `fYbiqoTfXHtW6xPuq7hs`, but we use a TWT in the URL. This means that that users cannot simply change the session ID from the address bar to impersonate someone else.
65
66## 💡 Usage
67
68Install the package from [npm](https://www.npmjs.com/package/twt):
69
70```bash
71npm install twt
72```
73
74Import and use:
75
76```ts
77import { sign, verify, decode, validate } from "twt";
78const SECRET = "your-super-safe-secret";
79
80sign("hello", SECRET);
81// hellobade63863c61ed0b3165806ecd6acefc
82
83verify("hellobade63863c61ed0b3165806ecd6acefc", SECRET);
84// hello
85
86verify("hello.this-is-not-the-correct-hmac", SECRET);
87// Throws an InvalidHmacError
88
89decode("hello.this-is-not-the-correct-hmac");
90// hello
91
92validate("hellobade63863c61ed0b3165806ecd6acefc");
93// true
94
95sign("hello", SECRET, 10);
96// hellobade63863c with 10 characters length
97
98sign("hello", SECRET, 64, "sha256");
99// Example with SHA-256 (requires 64 characters)
100// hello88aab3ede8d3adf94d26ab90d3bafd4a2083070c3bcce9c014ee04a443847c0b
101```
102
103For the secret, you should generate and use a random 160-bit key.
104
105## 👩‍💻 Development
106
107Build TypeScript:
108
109```bash
110npm run build
111```
112
113Run unit tests and view coverage:
114
115```bash
116npm run test-without-reporting
117```
118
119## 📄 License
120
121- Code: [MIT](./LICENSE) © [Koj](https://koj.co)
122- Thanks to [Geoffrey Dhuyvetters](https://github.com/geoffreydhuyvetters) for the npm package name `twt`
123
124<p align="center">
125  <a href="https://koj.co">
126    <img width="44" alt="Koj" src="https://kojcdn.com/v1598284251/website-v2/koj-github-footer_m089ze.svg">
127  </a>
128</p>
129<p align="center">
130  <sub>An open source project by <a href="https://koj.co">Koj</a>. <br> <a href="https://koj.co">Furnish your home in style, for as low as CHF175/month →</a></sub>
131</p>

1	`# 🤏 Tiny Web Tokens (TWT)`
2
3	`Tiny Web Tokens (TWT) are like JSON Web Tokens (JWT), but for tiny payloads. They're an opinionated, non-standard way to generate and validate string payloads.`
4
5	`[![Node CI](https://img.shields.io/github/workflow/status/koj-co/twt/Node%20CI?label=GitHub%20CI&logo=github)](https://github.com/koj-co/twt/actions)`
6	`[![Travis CI](https://img.shields.io/travis/koj-co/twt?label=Travis%20CI&logo=travis%20ci&logoColor=%23fff)](https://travis-ci.org/koj-co/twt)`
7	`[![Coverage](https://coveralls.io/repos/github/koj-co/twt/badge.svg?branch=master&v=2)](https://coveralls.io/github/koj-co/twt?branch=master)`
8	`[![Dependencies](https://img.shields.io/librariesio/release/npm/twt)](https://libraries.io/npm/twt)`
9	`[![License](https://img.shields.io/npm/l/twt)](https://github.com/koj-co/twt/blob/master/LICENSE)`
10	`[![Vulnerabilities](https://img.shields.io/snyk/vulnerabilities/npm/twt.svg)](https://snyk.io/test/npm/twt)`
11	`[![Based on Node.ts](https://img.shields.io/badge/based%20on-node.ts-brightgreen)](https://github.com/AnandChowdhary/node.ts)`
12	`[![npm type definitions](https://img.shields.io/npm/types/twt.svg)](https://unpkg.com/browse/twt/dist/index.d.ts)`
13	`[![npm package](https://img.shields.io/npm/v/twt.svg)](https://www.npmjs.com/package/node.ts)`
14	`[![npm downloads](https://img.shields.io/npm/dw/twt)](https://www.npmjs.com/package/node.ts)`
15	`[![Contributors](https://img.shields.io/github/contributors/koj-co/twt)](https://github.com/koj-co/twt/graphs/contributors)`
16	`[![semantic-release](https://img.shields.io/badge/%20%20%F0%9F%93%A6%F0%9F%9A%80-semantic--release-e10079.svg)](https://github.com/semantic-release/semantic-release)`
17
18	`[![npm](https://nodei.co/npm/twt.png)](https://www.npmjs.com/package/twt)`
19
20	_Looking for the Twitter CLI `twt`? See the docs for v0.x on [GitHub](https://github.com/geoffreydhuyvetters/twt) or [npm](https://www.npmjs.com/package/twt/v/0.10.4)._
21
22	`## 📋 Spec`
23
24	`A TWT is a URL-safe string with a payload and its computed HMAC MD5. The length of a TWT is the length of its payload + 32 characters. For example:`
25
26	```
27	`hellobade63863c61ed0b3165806ecd6acefc`
28	```
29
30	In the above example, the payload is `hello`, and its hash is `bade63863c61ed0b3165806ecd6acefc`, signed using the secret key `secret`.
31
32	`### Is TWT a replacement for JWT?`
33
34	`TWT is not a replacement for JWT, and you should use JWTs for most use cases. TWTs are only useful for no-expiry, string payloads. The use case is instead of using a random-character string, use its TWT, so that users cannot modify it.`
35
36	`You should not use TWT:`
37
38	`- For secure authentication tokens`
39	`- When you want token expiry`
40	`- When your payload is a JSON object`
41	`- When you want to customize the algorithm`
42	`- When you need to sign with RSA keys`
43
44	`However, you can use TWT when your payload is a single string with no expiry and you don't want users to modify them, in use cases like:`
45
46	`- Sessions tokens`
47	`- Unique user ID parameters in URLs`
48	`- Fingerprint cookies`
49
50	`### TWTs are Tiny`
51
52	`Compared to a JWT which includes information about the algorithm and base64-encodes the JSON object, TWTs are much smaller because they are hardcoded to use HMAC with MD5 (which is insecure but short, and works very well for this use case) and only support a string.`
53
54	A JWT signed with `secret` and one key-value pair `{ session_id: "fYbiqoTfXHtW6xPuq7hs" }` is 131 characters long, whereas a TWT with the value `fYbiqoTfXHtW6xPuq7hs` is only 52 characters long, less than half of the JWT length.
55
56	```
57	`eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzZXNzaW9uX2lkIjoiZlliaXFvVGZYSHRXNnhQdXE3aHMifQ.vrMGzUZ7qt4KXbBRG9VAVlVRGFLXTXYs0cAjQJpSc4s`
58	```
59
60	`### Example use case`
61
62	`For example, if you have a webpage http://example.com/profile?id=3 where the user with ID = 3 can edit their profile, you can use a TWT instead: http://example.com/profile?id=3eccbc87e4b5ce2fe28308fd9f2a7baf3. This means that users cannot change the ID from the address bar to impersonate someone else (of course, there are other checks to ensure permissions, but you get the idea).`
63
64	At [Koj](https://koj.co), we're using TWT as part of our onboarding process. When a new user signs up on https://koj.co/en-ch/get-started, we ask them their name and generate a unique ID for their onboarding session. Then, we redirect them to https://koj.co/en-ch/get-started/fYbiqoTfXHtW6xPuq7hsdaa019dae774e16ea5e3cb5e9c1cf72a/furniture/bed, for example, when we ask for their bed preference. In this case, the user's session ID is `fYbiqoTfXHtW6xPuq7hs`, but we use a TWT in the URL. This means that that users cannot simply change the session ID from the address bar to impersonate someone else.
65
66	`## 💡 Usage`
67
68	`Install the package from [npm](https://www.npmjs.com/package/twt):`
69
70	```bash
71	`npm install twt`
72	```
73
74	`Import and use:`
75
76	```ts
77	`import { sign, verify, decode, validate } from "twt";`
78	`const SECRET = "your-super-safe-secret";`
79
80	`sign("hello", SECRET);`
81	`// hellobade63863c61ed0b3165806ecd6acefc`
82
83	`verify("hellobade63863c61ed0b3165806ecd6acefc", SECRET);`
84	`// hello`
85
86	`verify("hello.this-is-not-the-correct-hmac", SECRET);`
87	`// Throws an InvalidHmacError`
88
89	`decode("hello.this-is-not-the-correct-hmac");`
90	`// hello`
91
92	`validate("hellobade63863c61ed0b3165806ecd6acefc");`
93	`// true`
94
95	`sign("hello", SECRET, 10);`
96	`// hellobade63863c with 10 characters length`
97
98	`sign("hello", SECRET, 64, "sha256");`
99	`// Example with SHA-256 (requires 64 characters)`
100	`// hello88aab3ede8d3adf94d26ab90d3bafd4a2083070c3bcce9c014ee04a443847c0b`
101	```
102
103	`For the secret, you should generate and use a random 160-bit key.`
104
105	`## 👩‍💻 Development`
106
107	`Build TypeScript:`
108
109	```bash
110	`npm run build`
111	```
112
113	`Run unit tests and view coverage:`
114
115	```bash
116	`npm run test-without-reporting`
117	```
118
119	`## 📄 License`
120
121	`- Code: [MIT](./LICENSE) © [Koj](https://koj.co)`
122	- Thanks to [Geoffrey Dhuyvetters](https://github.com/geoffreydhuyvetters) for the npm package name `twt`
123
124	`<p align="center">`
125	`<a href="https://koj.co">`
126	`<img width="44" alt="Koj" src="https://kojcdn.com/v1598284251/website-v2/koj-github-footer_m089ze.svg">`
127	`</a>`
128	`</p>`
129	`<p align="center">`
130	`<sub>An open source project by <a href="https://koj.co">Koj</a>. <br> <a href="https://koj.co">Furnish your home in style, for as low as CHF175/month →</a></sub>`
131	`</p>`