paseto | PASETO for Node.js | Authentication library

by panva JavaScript Version: 3.1.4 License: MIT

X-Ray Key Features Code Snippets Community Discussions(2)Vulnerabilities Install Support

kandi X-RAY | paseto Summary

paseto is a JavaScript library typically used in Security, Authentication, Nodejs applications. paseto has no bugs, it has no vulnerabilities, it has a Permissive License and it has low support. You can install using 'npm i paseto' or download it from GitHub, npm.

PASETO: Platform-Agnostic SEcurity TOkens for Node.js no dependencies.

Support

Quality

Security

License

Reuse

Support

paseto has a low active ecosystem.

It has 289 star(s) with 24 fork(s). There are 7 watchers for this library.

It had no major release in the last 12 months.

There are 0 open issues and 17 have been closed. On average issues are closed in 0 days. There are no pull requests.

It has a neutral sentiment in the developer community.

The latest version of paseto is 3.1.4

Quality

paseto has 0 bugs and 0 code smells.

Security

paseto has no vulnerabilities reported, and its dependent libraries have no vulnerabilities reported.

paseto code analysis shows 0 unresolved vulnerabilities.

There are 0 security hotspots that need review.

License

paseto is licensed under the MIT License. This license is Permissive.

Permissive licenses have the least restrictions, and you can use them in most projects.

Reuse

paseto releases are available to install and integrate.

Deployable package is available in npm.

Installation instructions are not available. Examples and code snippets are available.

Top functions reviewed by kandi - BETA

kandi has reviewed paseto and discovered the below as its top functions. This is intended to give you an instant insight into paseto implemented functionality, and help decide if they suit your requirements.

Convert a byte object to a public key .
Ensure that the given key is a private key
Validate a private key
Validate the public key .
Generate a private key
Post payload processor
Decrypt a v3
Decrypt a v1 input .
Converts base64 - encoded key to bytes
Generates a key

Get all kandi verified functions for this library.

paseto Key Features

No Key Features are available at this moment for paseto.

paseto Examples and Code Snippets

No Code Snippets are available at this moment for paseto.

Community Discussions

Trending Discussions on paseto

Use libsodium in NAPI

Can "token" generated using "Paseto Token" be decrypted and viewed like "JWT Token"?

QUESTION

Use libsodium in NAPI

Asked 2019-Sep-02 at 10:01

I am using a library which depends on libsodium (libpaseto). I have installed it on my machine and I am trying to build a nodejs addon.

I have the following binding.gyp file:

...

ANSWER

Answered 2019-Sep-02 at 10:01

So I finally found the answer.In the libsodium documentation it mentions that you have to pass the -lsodium flag to be able to compile without problems.So what I had to do was to add this flag in my libraries in binding.gyp. So here is my final binding.gyp file:

Source https://stackoverflow.com/questions/57740825

QUESTION

Can "token" generated using "Paseto Token" be decrypted and viewed like "JWT Token"?

Asked 2019-Jul-16 at 02:43

I am using "Platform agnostic Security Token" for oAuth in Golang - https://github.com/o1egl/paseto

I am not able to understand, why this is better than JWT even after reading README

My Major Question is:

Can "token" generated be altered like "JWT" and pass modified or tampered data?
Can "token" generated using "paseto" be decrypted and viewed like "JWT"?

Paseto library above uses "SET" and "GET" method inside their JSONToken method. Is that how we can verify authenticity of the user?

Sample Code:

...

ANSWER

Answered 2019-Jul-16 at 02:43

1 - Can "token" generated be altered like "JWT" and pass modified or tampered data?

Note that token cannot be "altered" either using PASETO or JWT without knowing the signing key (which should of course be secret).

The fact you mention about being able to view the JWT token data in JWT.io page is because data is not encrypted (so you can see it without the key).

But token is signed, so if you modify any value and don't have the key, you won't be able to sign it back and the token receiver will note the token is not valid when trying to verify it.

2 - Can "token" generated using "paseto" be decrypted and viewed like "JWT"?

It depends on how you generate the PASETO token.

See here:

https://tools.ietf.org/id/draft-paragon-paseto-rfc-00.html#rfc.section.2

Format for the token is version.purpose.payload.

And from the docs:

The payload is a string that contains the token's data. In a local token, this data is encrypted with a symmetric cipher. In a public token, this data is unencrypted.

So if you generate the token as in the code snippet you posted (local token, with a symmetric key), then payload will be encrypted (you won't be able to see it unless you know the symmetric key and use that one to decrypt it).

If you use a public/private key pair, then payload will not be encrypted, so you'll be able to see it without the key (but you'll not be able to change it and sign it again without knowing the private key).

Source https://stackoverflow.com/questions/57048911

Community Discussions, Code Snippets contain sources that include Stack Exchange Network