
node

Node.js / TypeScript implementation of the aice-auth contract; currently provides a JOSE-based JWT verifier.

  • TypeScript 96.29%
  • JavaScript 3.71%
git@gitlab.com:aice-lab/auth/node.git

Latest release

v1.0.2

README

aice-auth — Node.js implementation


Node.js / TypeScript implementation of the aice-auth specification. Verifies JWTs issued by an aice-auth OIDC issuer and (over time) covers the rest of the contract.

This package is distributed as @aice-lab/auth via the aice-lab GitLab npm registry (anonymous public read).

Install

Add the @aice-lab scope to your project’s .npmrc:

@aice-lab:registry=https://gitlab.com/api/v4/groups/aice-lab/-/packages/npm/

If you use pnpm v10+, also add the next line so --frozen-lockfile in CI can fetch the tarball from GitLab’s non-standard URL pattern (see pnpm/pnpm#10913):

lockfile-include-tarball-url=true

Then install:

npm install @aice-lab/auth
# or
pnpm add @aice-lab/auth

Requires Node.js ≥ 20.

Quickstart — verify a JWT

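import { Jwks, verify } from '@aice-lab/auth';

// jwksDoc: the issuer's JWKS document; token: the JWT to verify.
const jwks = await Jwks.fromJson(jwksDoc);
// Resolves with the verified claims, or throws a JwtVerificationError subclass.
const claims = await verify(token, jwks, {
  issuer: 'https://id.example.com', // must match the token's iss
  audience: 'example-app',          // must match the token's aud
});

console.log(claims.sub);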

verify enforces:

  • algorithm is ES256 (rejects none, HS*, and any non-ES256 alg);
  • a kid header is present and resolves in the JWKS;
  • the signature is valid;
  • iss and aud match the supplied options;
  • the token is within its nbf to exp window.

Failures throw a typed subclass of JwtVerificationError (UnknownKidError, AlgRejectedError, ExpiredError, IssuerMismatchError, AudienceMismatchError).
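
The checks listed above, sketched with Node's built-in node:crypto as an added example; this is not the @aice-lab/auth source and does not use its API. checkToken, sampleToken and outcome are hypothetical names, the key pair and tokens are constructed, and requiring exp with no clock tolerance is an assumption.

```javascript
// Added illustration, not @aice-lab/auth source. All names below are hypothetical.
// Load node:crypto whether this file runs as CommonJS or as an ES module.
const nodeCrypto = typeof require === 'function'
  ? require('node:crypto') : process.getBuiltinModule('node:crypto');

const b64u = (data) => Buffer.from(data).toString('base64url');
const decodeJson = (part) => JSON.parse(Buffer.from(part, 'base64url').toString('utf8'));

// Applies the README's listed checks in list order; throws on the first failure.
function checkToken(token, jwks, { issuer, audience, now }) {
  const parts = token.split('.');
  if (parts.length !== 3) throw new Error('malformed');
  const [h, p, s] = parts;
  const header = decodeJson(h);
  // Allowlist, not denylist: "none", HS256 and every other alg fail here.
  if (header.alg !== 'ES256') throw new Error('alg rejected');
  const jwk = header.kid && jwks.keys.find((k) => k.kid === header.kid);
  if (!jwk) throw new Error('unknown kid');
  // The resolved key must itself be a P-256 EC key.
  if (jwk.kty !== 'EC' || jwk.crv !== 'P-256') throw new Error('alg rejected');
  const key = nodeCrypto.createPublicKey({ key: jwk, format: 'jwk' });
  // JWS ES256 signatures are raw r||s (64 bytes), so ieee-p1363 rather than DER.
  const valid = nodeCrypto.verify('sha256', Buffer.from(`${h}.${p}`),
    { key, dsaEncoding: 'ieee-p1363' }, Buffer.from(s, 'base64url'));
  if (!valid) throw new Error('bad signature');
  // Claims are read only after the signature has been verified.
  const claims = decodeJson(p);
  if (claims.iss !== issuer) throw new Error('issuer mismatch');
  if (![].concat(claims.aud ?? []).includes(audience)) throw new Error('audience mismatch');
  // Assumption: exp is required and there is no clock tolerance.
  if (typeof claims.exp !== 'number' || now >= claims.exp) throw new Error('expired');
  if (typeof claims.nbf === 'number' && now < claims.nbf) throw new Error('not yet valid');
  return claims;
}

// Constructed test material: a throwaway P-256 key pair and a signer for sample tokens.
const { publicKey, privateKey } = nodeCrypto.generateKeyPairSync('ec', { namedCurve: 'P-256' });
const sampleJwks = { keys: [{ ...publicKey.export({ format: 'jwk' }), kid: 'k1' }] };
function sampleToken(header, claims, key = privateKey) {
  const input = `${b64u(JSON.stringify(header))}.${b64u(JSON.stringify(claims))}`;
  const sig = nodeCrypto.sign('sha256', Buffer.from(input), { key, dsaEncoding: 'ieee-p1363' });
  return `${input}.${b64u(sig)}`;
}

// Returns 'ok' or the rejection reason for a token at time `now` (seconds since epoch).
function outcome(token, now) {
  const expected = { issuer: 'https://id.example.com', audience: 'example-app', now };
  try { checkToken(token, sampleJwks, expected); return 'ok'; } catch (e) { return e.message; }
}
```

A token whose header says alg "none" or "HS256" is rejected before any key is loaded, even when it carries a kid that exists in the JWKS.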

Examples

  • examples/protect-route/ — minimal Express app that fetches the issuer’s JWKS, verifies a bearer token, and gates /secret on the result. See the example’s own README for the 4-line run sequence.

Status

Capability                                                 Shipped
JWT verification (ES256 + JWKS)                            yes
OIDC discovery / token / userinfo / introspect / revoke    not yet
Refresh-token rotation client                              not yet
Step-up flows                                              not yet

The rest of the surface lands as the spec’s conformance categories are wired up.

License

Source: FSL-1.1-Apache-2.0 (see LICENSE and LICENSE.FAQ.md).

Documentation

Full documentation: https://auth.aice-lab.org

Contributing

See CONTRIBUTING.md. All commits require DCO sign-off.

Reporting security issues

See SECURITY.md. Do not open public issues for vulnerabilities.

This is a snapshot generated from GitLab. For the live README, see the project page.