:rocket: A crypto utility library to be used from Postman Pre-request and Tests script tabs.
Home Page: https://joolfe.github.io/postman-util-lib/
License: MIT License
I´m mainly a backend developer, but more than one time I develop also frontend, I´m working actually as technical expert in an innovation team what means, look and review new technologies, design new solutions, develop this solutions and define/create the infrastructure to deliver the sofware using Devops.
![dependabot[bot] avatar](https://avatars.githubusercontent.com/in/29110?v=4 "dependabot[bot]")
In createJws, the typ header claim is currently hardcoded to JWT, and there is no way to override it. On the other hand, it is sometimes necessary to set it to a custom value (like dpop+jwt for DPoP).
It would be nice for the library to honor custom typ value provided via the header object.
Hello, i use this package to generate jwt token for app store connect, which need ecdsa. But when i tried to decrypt valid token for testing, it shows error on title, does this library does not support ECDSA? here is part of my code
const result = pmlib.jwtVerify(token, jwtSecret,'ES256')
At the moment, only a public key in PEM format is accepted to validate a JWT.
It'd be very useful to support JWK too. This might be achieved by means of this good library.
I set Pre-request Script, after run this script it shows "[jwtSign] t.indexOf is not a function". Since the jwk is secret, I cleared it in the demo code.
eval(pm.globals.get('pmlib_code'));
const uuid = require('uuid');
var header = {
"alg": "" //jwk.alg
};
var payload = {
"iss": "",
"aud": "",
"sub": "xxx",
"jti": uuid.v4()
};
const jwk = {
"kty": "",
"d": "",
"use": "",
"crv": "",
"kid": "",
"x": ""
}
// Create a signed jwt (JWS)
const jws = pmlib.jwtSign(jwk,payload, header, 10, 'EdDSA');
console.log('Signed JWT: ' +jws);
pm.environment.set('actor_token',jws);In order to properly test error cases, it might be necessary to generate JWTs with invalid iat/exp/nbf (to simulate expired / not yet active tokens) and/or jti (to simulate already seen tokens in case of one-time use, like DPoP).
Currently, the values of the above claims, if provided via payload object, will be ignored.
Defined header is not present in a generated token.
Passed headers to function:
header = {
'typ': 'JWT',
'jku': 'https://localhost:8080/uaa/token_keys',
'kid': 'key-id-1',
'alg': 'RS256'
}Decoded JWT:
{"header": {"typ":"JWT","jku":"https://localhost:8080/uaa/token_keys","alg":"RS256"}, "payload": ...}Postman version: 9.5.0
Pre-req script:
eval( pm.globals.get('pmlib_code') )
var header =
{
"alg": "RS256",
"typ": "JWT"
};
var data =
{
"iss": pm.globals.get('jwt_iss'),
"sub": pm.globals.get('jwt_sub'),
"aud": "wd"
};
console.log('Header: ', header);
console.log('Data: ', data);
console.log('JWT Secret: ', pm.globals.get('jwt_secret'));
signedToken = pmlib.jwtSign(pm.globals.get('jwt_secret'),data,header,300,'RS256');
pm.environment.set('jwt_signed', signedToken);
console.log('Signed and encoded JWT', signedToken);
Console:
'Header: ', { alg: 'RS256', typ: 'JWT' }
'Data: ', { iss: 'xxxx',
sub: 'xxxx',
aud: 'xxxx' }
'JWT Secret: ', 'xxxx'
Error: [jwtSign] not supported argument
When signing string longer that 126 characters with 'RSAOAEP512' or 192 characters for RSAOAEP256 the script throws an error. There is no error text. This is the code I use:
eval(pm.globals.get('pmlib_code'))
const pubkey = '-----BEGIN CERTIFICATE-----\n' +
'...\n' +
'-----END CERTIFICATE-----\n';
var keyObj = pmlib.rs.KEYUTIL.getKey(pubkey);
let signingString = 'date: Tue, 18 Sep 2018 09:51:01 GMT\n' +
'digest: sha-512=z4PhNX7vuL3xVChQ1m2AB9Yg5AULVxXcg/SpIdNs6c5H0NE8XYXysP+DGNKHfuwvY7kxvUdBeoGlODJ6+SfaPg==\n' +
'x-request-id: 95126d8f-ae9d-4ac3-ac9e-c357dcd78';
signingString = 'date: Tue, 18 Sep 2018 09:51:01 GMT\n' +
'digest: sha-512=z4PhNX7vuL3xVChQ1m2AB9Yg5AULVxXcg/SpIdNs6c5H0NE8XYXysP+DGNKHfuwvY7kxvUdBeoGlODJ6+SfaPg==\n' +
'x-request-id: 11111111-aaaa-aaaa-aaaa-aaaaaaaaaaaa';
let signature = pmlib.rs.KJUR.crypto.Cipher.encrypt(signingString, keyObj, 'RSAOAEP256');
console.log( 'signature:' );
console.log( signature );
But when I remove just a single character from the signingString I can see the proper output in the console.
Hi Maintainers,
I'm writing to suggest an addition to your library - AES-GCM encryption support. The default CryptoJS library used by Postman lacks this feature, which is essential for secure data communication.
I believe adding AES-GCM support would significantly enhance your library's functionality and benefit many users.
Thank you for considering this request.
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
An Open Source Machine Learning Framework for Everyone
Django
The Web framework for perfectionists with deadlines.
Laravel
A PHP framework for web artisans
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
Some thing interesting about web. New door for the world.
A server is a program made to process requests and deliver data to clients.
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
Some thing interesting about visualization, use data art
Some thing interesting about game, make everyone happy.
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
Microsoft
Open source projects and samples from Microsoft.
Google
Google ❤️ Open Source for everyone.
Alibaba
Alibaba Open Source for everyone
D3
Data-Driven Documents codes.
Tencent
China tencent open source team.