It's 2020. You have an idea for a new webapp. The scope is small, but it requires auth. You look at services like Auth0 and libraries like node-jsonwebtoken. You've probably read about the countless security bugs they've had.
The npm package node-jsonwebtoken is a huge library where most of the core functionality comes from a dependency of a dependency, node-jws, which depends on node-jwa by the same author, and both of them are no longer maintained. If you look at the GitHub issues of node-jws, you can find a thread explaining that the maintainers don't have time to work on the projects anymore and recommend using a newer project, GitHub user Panva's jose.
Panva's jose is also a huge library. Its goal is to follow the specification perfectly and allow the user to encode, decode, verify, and sign tons of formats using tons of algorithms and anything else the specification allows.
It seems great. If you need all those bells and whistles, the project is perfect. The reality, though, is that you will probably use the most common algorithm, HS256, to encode your JWT, and you will probably use the most common key type, a symmetric key. If you use jose, you're left with hundreds of lines of authorization code just to get the most basic authorization system you can have, a system that can be built in vanilla Node with only ~70 loc.
Yep, one mistake and your app could be completely compromised, just like with any server-side code. If care is taken and you do your research, you should be just fine. JWT isn't a new standard anymore. The internet is full of guides and resources to get you started. You don't need to let an auth library the size of the moon determine the fate of your application.
Check out my take on JWT authorization here.