Members
(inner, constant) encKey
Import encryption key if user sessions are configured to be
preserved on reboot or synchronously generate an encryption
key with config-defined type and curve/size.
(inner, constant) keystore
Initialise JSON Web Key Store
(inner, constant) sigKey
Import signing key if user sessions are configured to be
preserved on reboot or synchronously generate a signing
key with config-defined type and curve/size.
Methods
(inner) decrypt(jwe) → {string}
Decrypt the given JWE object with the owned
private key and return the cleartext as a
UTF-8 string.
Parameters:

Name | Type | Description
---|---|---
jwe | string | JWE object as string

Returns:
cleartext (utf8)
- Type: string
(inner) decryptAndVerify(jwe, [aud]) → {string}
Decrypt given JWE with the server's encryption
key and verify resulting JWT with the server's
signing key. Returns the payload object if
successful.
Parameters:

Name | Type | Attributes | Default | Description
---|---|---|---|---
jwe | string | | | JWE object as string
aud | string | optional | default | default config will be used if omitted

Returns:
decrypted and verified payload
- Type: string
(inner) encrypt(cleartext, pub) → {string}
Encrypt the given cleartext with the specified public
key and return the resulting JWE object as a string.
If the recipient provides no public key and
symmetric encryption is enabled, the JWT is symmetrically
encrypted with the server's key instead.
If asymmetric encryption is enforced and the client
does not provide a public key, an error is thrown.
Parameters:

Name | Type | Description
---|---|---
cleartext | string | |
pub | object | JWK compatible public key of recipient

Returns:
JWE object as string
- Type: string
(inner) getEncPubAsPEM() → {object}
Get the public key used for encryption-decryption
in Privacy-Enhanced Mail format
Returns:
enc public key in PEM format
- Type: object
(inner) getSigPubAsPEM() → {object}
Get the public key used for signing-verifying
in Privacy-Enhanced Mail format
Returns:
sig public key in PEM format
- Type: object
(inner) sign(payload, [exp]) → {string}
Sign provided payload and return the
signed JWT.
Parameters:

Name | Type | Attributes | Default | Description
---|---|---|---|---
payload | JSON | | | |
exp | string | optional | default | default expiry will be used if omitted

Returns:
signed JWT
- Type: string
(inner) signAndEncrypt(payload, pub, [exp]) → {string}
Sign the provided payload with the server's private
key and asymmetrically encrypt the signed JWT with
the client-provided public key.
This returns the encrypted JWE object as a string.
Parameters:

Name | Type | Attributes | Default | Description
---|---|---|---|---
payload | JSON | | | |
pub | object | | | client's pub used for encryption
exp | string | optional | default | default expiry will be used if omitted

Returns:
JWE object as string
- Type: string
(inner) verify(jwt, [aud]) → {string}
Verify the provided JWT with the given params and
the server's signing key.
The audience may optionally be provided as well,
for instance when validating access to routes
with custom permissions. An example is when
an unauthenticated user wishes to reset their
password and has been granted access via a
reset token; in this case aud="/reset".
If the audience param is left out, the default
configuration will be used.
Parameters:

Name | Type | Attributes | Default | Description
---|---|---|---|---
jwt | object | | | JWT token
aud | string | optional | default | default config will be used if omitted

Throws:
- if JWT blacklisted
  - Type: JWSVerificationFailed
- for failed verification
  - Type: jose.errors

Returns:
payload
- Type: string