Skip to content

Rewrite of the Readme #62

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
jakoblorz wants to merge 5 commits into
base: master
Choose a base branch
from
Open

Rewrite of the Readme #62

Changes from all commits
Commits
Show all changes
5 commits
Select commit Hold shift + click to select a range
c30b51d
Started rewriting the readme
jakoblorz Feb 7, 2017
f77848a
Added description for decode
jakoblorz Feb 7, 2017
83bfd25
Update README.md
jakoblorz Feb 7, 2017
ed9f502
added logo to readme
jakoblorz Feb 7, 2017
4b6aa48
Update README.md
jakoblorz Feb 7, 2017
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
67 changes: 39 additions & 28 deletions README.md
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,58 +1,69 @@
# node-jwt-simple
<div align="center">
<img src="https://jwt.io/assets/logo.svg"><br><br>
</div>
Copy link
Collaborator

@alexjab alexjab Feb 7, 2017

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Not a huge fan of using this external resource, we do not want people to think that jwt.io (which is maintained by auth0) endorses this module in any way.

Moreover, this looks like marketing material, and I don't think we need this.


[JWT(JSON Web Token)](http://self-issued.info/docs/draft-jones-json-web-token.html) encode and decode module for node.js.
# Welcome
Copy link
Collaborator

@alexjab alexjab Feb 7, 2017

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Not use full, IMHO.

Secure your application in seconds using standardised **JWT-Tokens**. [RFC 7519](https://tools.ietf.org/html/rfc7519)
Copy link
Collaborator

@alexjab alexjab Feb 7, 2017

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This awfully looks like marketing as well. I would go for something more neutral, such as:

This module allows you to implement authentication in your web applications using JSON Web Tokens (aka JWT). JWTs are standardized in [RFC 7519](https://tools.ietf.org/html/rfc7519).


## Install
[![npm version](https://badge.fury.io/js/jwt-simple.svg)](https://badge.fury.io/js/jwt-simple)

## Sample Use-Case
You may use this as an authentication-method for your API: on one route you encode a token, storing the authenticated user (e.g. after checking password and email) in it. On all other routes you check if the token is valid - this indicates that the user once did authenticate himself successfully.

Copy link
Collaborator

@alexjab alexjab Feb 7, 2017

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Not a huge fan of this kind of introductions, this looks not necessary here, but that is just my opinion.

## Installation
$ npm install jwt-simple

## Usage
### Encoding
Encode a Object into your token - the `jwt.encode` function takes a maximum of 3 parameters:
Copy link
Collaborator

@alexjab alexjab Feb 7, 2017

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Since the parameters are almost self-explanatory, here is a proposal:

### jwt.encode(payload, secret, [algorithm])

Creates a token from a payload. The available algorithms are `HS256` (default), `HS384`, `HS512` and `RS256`.

Example:
...

Copy link
Collaborator

@alexjab alexjab Feb 7, 2017

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Using the signature of the method in the title allows the user to get an idea of the API right from the start, even before reading the doc, which is good !


| Name | Description | Optional? |
| --- | --- | --- |
| payload | the object you want to encode into the token | No |
| secret | you secret | No |
| algorithm | there are 4 different algorithms `HS256`, `HS384`, `HS512` and `RS256` - standard is `HS256` | Yes |

```javascript
var jwt = require('jwt-simple');
var payload = { foo: 'bar' };
var secret = 'xxx';

// HS256 secrets are typically 128-bit random strings, for example hex-encoded:
// var secret = Buffer.from('fe1a1915a379f3be5394b64d14794932', 'hex)
var secret = Buffer.from('fe1a1915a379f3be5394b64d14794932', 'hex');

// encode
var payload = { 'foo': 'bar' };

//create a new token by encoding the payload object into it
var token = jwt.encode(payload, secret);

// decode
var decoded = jwt.decode(token, secret);
console.log(decoded); //=> { foo: 'bar' }
//encode using HS512
var token = jwt.encode(payload, secret, 'HS512');
```

### decode params

### Decoding
Decode a Token returning the encoded Object - the `jwt.decode` function takes a maximum of 4 parameters

| Name | Description | Optional? |
| --- | --- | --- |
| token | the token previously generated | No |
| secret | key which previously encoded the token | No |
| noVerify | turn off verification **ON YOUR OWN RISK** | Yes |
| algorithm | select another algorithm. see encode for algorithm options. | Yes, but noVerify must been set before |
Copy link
Collaborator

@alexjab alexjab Feb 7, 2017

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Same comment as for encode, I'd try for a simpler way of explaining things:

### jwt.decode(token, secret, [noVerify], [algorithm])
...

Also:

  • I would go for a slightly less violent warning (after all, OS licenses are mostly "at your own risk"), maybe **turn off** verification, or explain what it does,
  • "Yes, but noVerify must been set before" that is the way js works, I don't think you need to tell this to the user.


```javascript
/*
* jwt.decode(token, key, noVerify, algorithm)
*/
var jwt = require('jwt-simple');
var secret = Buffer.from('fe1a1915a379f3be5394b64d14794932', 'hex');
Copy link
Collaborator

@alexjab alexjab Feb 7, 2017

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Are you sure that this is a Buffer ? The jsdoc says String...


// decode, by default the signature of the token is verified
var decoded = jwt.decode(token, secret);
console.log(decoded); //=> { foo: 'bar' }
console.log(decoded); //-> { foo: 'bar' }

// decode without verify the signature of the token,
// be sure to KNOW WHAT ARE YOU DOING because not verify the signature
// means you can't be sure that someone hasn't modified the token payload
var decoded = jwt.decode(token, secret, true);
console.log(decoded); //=> { foo: 'bar' }
console.log(decoded); //-> { foo: 'bar' }

// decode with a specific algorithm (not using the algorithm described in the token payload)
var decoded = jwt.decode(token, secret, false, 'HS256');
console.log(decoded); //=> { foo: 'bar' }
```

### Algorithms

By default the algorithm to encode is `HS256`.

The supported algorithms for encoding and decoding are `HS256`, `HS384`, `HS512` and `RS256`.

```javascript
// encode using HS512
jwt.encode(payload, secret, 'HS512')
console.log(decoded); //-> { foo: 'bar' }
```