You probably don't need a JWT library 2020

It's 2020. You have an idea for a new webapp. The scope is small, but it requires auth. You look at services like Auth0 and libraries like node-jsonwebtoken. You've probably read about the countless security bugs they've had.

It's 2020, they should have it figured out

The npm package node-jsonwebtoken is a huge library where most of the core functionality comes from its dependencies: node-jws, which in turn depends on node-jwa by the same author, and neither is maintained anymore. If you look at the GitHub issues of node-jws, you can find a thread explaining that the maintainers no longer have time to work on the projects and recommending a newer project, GitHub user Panva's jose.

So just use jose

Panva's jose is also a huge library. Its goal is to follow the specification completely and let the user encode, decode, verify, and sign tons of formats using tons of algorithms, plus anything else the specification allows.

It seems great. If you need all those bells and whistles, the project is perfect. In reality, though, you will probably use the most common algorithm, HS256, to sign your JWT, and with it the most common key type, a shared symmetric secret. If you use jose you're left with hundreds of lines of authorization code just to get the most basic authorization system you can have. A system that can be written in vanilla Node with only ~70 loc.

Writing your own auth is dangerous

Yep, one mistake and your app could be completely compromised, just like with any server-side code. If you take care and do your research, you should be just fine. JWT isn't a new standard anymore. The internet is full of guides and resources to get you started. You don't need to let an auth library the size of the moon determine the fate of your application.

Self promo

Check out my take on JWT authorization here.
