
Secure Key Readme Suggestion + Release

Open grempe opened this issue 3 years ago • 4 comments

Hi, I noticed that you have a new README in the works for addressing the changes in #12.

https://github.com/tuupola/branca-js/tree/key-readme

I have a few suggested changes you might consider for the new Key section. A new release with the updated README would be great.

## Secret key

The token is encrypted using a 32 byte secret key. You can pass the secret key either as an instance of `Buffer` or a hex encoded string. The value of the key must be protected and should not be stored in your application code. In the examples that follow the key is generated on the fly only for demonstration purposes.

From hex string:

```javascript
const key = "7ed049e344f73f399ba1f7868cf9494f4b13347ecce02a8e463feb32507b73a5";
const branca = require("branca")(key);
```

From a hex string as a Buffer:

```javascript
const key = Buffer.from("7ed049e344f73f399ba1f7868cf9494f4b13347ecce02a8e463feb32507b73a5", "hex");
const branca = require("branca")(key);
```

You should not use human-readable, or memorable, strings as the secret key. Instead, always generate the key using cryptographically secure random bytes. You can do this, for example, from the command line with Node.js itself or `openssl`.

```sh
$ node
Welcome to Node.js v16.2.0.
Type ".help" for more information.
> crypto.randomBytes(32).toString("hex")
'46cad3699da5766c45e80edfbf19dd2debc311e0c9046a80e791597442b2daf0'
```

```sh
$ openssl rand -hex 32
29f7d3a263bd6fcfe716865cbdb00b7a317d1993b8b7a3a5bae6192fbe0ace65
```

grempe avatar Jun 14 '21 18:06 grempe
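The key-handling advice in the proposed README section above, as an added example that is not part of the original issue or of the branca-js project: it loads the key from the environment rather than from application code and rejects anything that is not exactly 32 bytes of hex. The `BRANCA_KEY` variable name and the helper function names are assumptions made for this sketch.

```javascript
// Added example, not branca-js code. BRANCA_KEY is an assumed environment
// variable name; use whatever name your secret store injects.
const crypto = require("crypto");

const KEY_BYTES = 32; // key length stated in the README text above

// Generate a fresh key as a hex string, like the REPL one-liner above.
function generateKeyHex() {
  return crypto.randomBytes(KEY_BYTES).toString("hex");
}

// Parse a hex key strictly. Buffer.from(str, "hex") stops at the first
// non-hex character without throwing, so a memorable passphrase would
// otherwise decode silently to a short or empty buffer.
function parseKeyHex(hex) {
  if (typeof hex !== "string" || !/^[0-9a-fA-F]{64}$/.test(hex)) {
    throw new Error("secret key must be exactly 64 hex characters (32 bytes)");
  }
  const key = Buffer.from(hex, "hex");
  if (key.length !== KEY_BYTES) {
    throw new Error("decoded key is not 32 bytes");
  }
  return key;
}

// Read the key from the environment instead of from application code.
function loadKey(env = process.env) {
  const hex = env.BRANCA_KEY;
  if (!hex) {
    throw new Error("BRANCA_KEY is not set");
  }
  return parseKeyHex(hex.trim());
}

// Demonstration with a constructed environment object (key generated on
// the fly, for demonstration only).
const demoEnv = { BRANCA_KEY: generateKeyHex() };
console.log("loaded key bytes:", loadKey(demoEnv).length);

// With the library installed, the Buffer is passed as shown in the README:
//   const branca = require("branca")(loadKey());
```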

Once this is released I can also submit a pull request to fix the type definitions:

https://github.com/DefinitelyTyped/DefinitelyTyped/tree/f7ec78508c6797e42f87a4390735bc2c650a1bfd/types/branca

grempe avatar Jun 14 '21 19:06 grempe

Published as 0.4.0

https://www.npmjs.com/package/branca

tuupola avatar Jun 22 '21 11:06 tuupola

I've submitted a pull request to update the TypeScript types package for branca-js.

https://github.com/DefinitelyTyped/DefinitelyTyped/pull/53989

Ultimately it would be better if these were included with the package.

grempe avatar Jun 22 '21 15:06 grempe

PR approved and merged. A new definitions package should be published shortly.

https://www.npmjs.com/package/@types/branca

Update: Published

https://www.npmjs.com/package/@types/branca

grempe avatar Jun 22 '21 18:06 grempe