postman-app-support icon indicating copy to clipboard operation
postman-app-support copied to clipboard

Published 20 hours ago verified publisher icon postmanlabs

Add "jsonwebtoken" module to the NodeJS sandbox in Postman

Open jbauerrfid opened this issue 1 year ago • 2 comments

Is there an existing request for this feature?

  • [X] I have searched the existing issues for this feature request and I know that duplicates will be closed

Is your feature request related to a problem?

I need to generate a JWT and sign it with aprivate key, then process it in a pre-request script and finally add it to a pm environment variable.

Describe the solution you'd like

Inside of pre-request script:

// this import is what Postman does not like
const jwt = require('jsonwebtoken');

const credJson = pm.environment.get("gcp-credential-json");
const { client_email, private_key, private_key_id } = JSON.parse(credJson);
const currentDate = Math.floor(new Date().getTime() / 1000);
const url = "https://oauth2.googleapis.com/token";
const payload = {
    iss: client_email,
    scope: "https://www.googleapis.com/auth/cloud-platform",
    aud: url,
    exp: currentDate + 3600,
    iat: currentDate
};

// sign the JWT here
const token = jwt.sign(payload, private_key, { algorithm: 'RS256', keyid: private_key_id });

pm.environment.set("gcp-jwt", token);

Error message from PM console

Error: Cannot find module 'jsonwebtoken'

Describe alternatives you've considered

Currently I am running an external JS script with Node to generate the JWT and then do OAuth on GCP with custom headers.

The JS code works, but Postman does not support the dependency I need for this.

But I need to copy the OAuth token into PM env manually, which is nasty for test runners and automation with newman.

Additional context

Use case is to fetch service account OAuth 2.0 token for Google Cloud Platform

jbauerrfid avatar Jun 26 '24 09:06 jbauerrfid

Yes this will be helpful to us as well.

jainildesai-crest avatar Aug 29 '24 09:08 jainildesai-crest

This would be ideal. Does anyone have a different dependency other than jsonwebtoken ? I too am building the JWT outside of postman, but it's not ideal.

joelpettis avatar Sep 20 '24 19:09 joelpettis

Agreed, that this would be very helpful.

sigh-20i avatar Feb 14 '25 23:02 sigh-20i

Hey everyone! 👋

Postman's script execution environment now supports using external packages from NPM directly into your scripts. Here is an example of generating JWT using jose:

const { importPKCS8, SignJWT } = pm.require("npm:jose");

// Your RSA private key (PEM-encoded, PKCS#8)
const privateKeyPEM = `
    -----BEGIN PRIVATE KEY-----
    ...
    -----END PRIVATE KEY-----
`;

// Import the private key
const alg = "RS512"; // RSA + SHA-512
const key = await importPKCS8(privateKeyPEM.trim(), alg);

const jwt = await new SignJWT({ foo: "bar" })
  .setProtectedHeader({ alg })
  .setIssuedAt()
  .setExpirationTime("2h")
  .sign(key);

console.log("Signed JWT (RS512):", jwt);

Image

📌 You can find more details about external packages support and limitations here: https://github.com/postmanlabs/postman-app-support/issues/13542

I’ll go ahead and close this one for now, but feel free to open a new ticket if you have more questions or run into any issues. 🚀

appurva21 avatar Apr 29 '25 11:04 appurva21