r-secure-token v1.0.5
R-Secure-Token
š A secure alternative to JWT, using AES-256-GCM encryption and Ed25519 digital signatures for authentication and authorization.
R-Secure-Token provides a high-security approach for token generation and verification, ensuring tamper-proof and encrypted payloads.
š Features
ā
AES-256-GCM Encryption ā Strong encryption for payload security.
ā
Ed25519 Signatures ā Prevents forgery and tampering.
ā
Replay Attack Prevention ā Unique nonce per token.
ā
JWT Alternative ā Secure and stateless authentication.
ā
High Performance ā Optimized for speed and security.
š¦ Installation
Install via NPM:
npm install r-secure-tokenor with Yarn:
yarn add r-secure-tokenš Usage
1ļøā£ Generating a Secure Token
import { RSecureToken } from 'r-secure-token';
(async () => {
const tokenService = new RSecureToken();
const payload = { data: { userId: 123 }, exp: Date.now() + 60000 }; // 1-minute expiry
const tokenData = await tokenService.generateToken(payload);
console.log('Token:', tokenData.token);
console.log('Signature:', tokenData.signature);
})();2ļøā£ Verifying & Decrypting a Secure Token
import { RSecureToken } from 'r-secure-token';
(async () => {
const tokenService = new RSecureToken();
const { token, signature } = /* Token received from user */;
const verifiedPayload = await tokenService.verifyToken(token, signature);
if (verifiedPayload) {
console.log('Valid Token:', verifiedPayload);
} else {
console.log('Invalid or Expired Token!');
}
})();š¬ How It Works
1. Token Generation
- Encrypts the payload using AES-256-GCM.
- Generates a secure nonce for each token.
- Signs the encrypted token using Ed25519.
2. Token Verification
- Checks the Ed25519 signature for authenticity.
- Decrypts the token using AES-256-GCM.
- Validates token expiration.
š Security Advantages Over JWT
| Feature | JWT (JSON Web Tokens) | R-Secure-Token |
|---|---|---|
| Encryption | ā No built-in encryption | ā AES-256-GCM |
| Signature Type | RSA / HMAC / ECDSA | ā Ed25519 |
| Tamper Protection | ā Yes | ā Yes |
| Readable Payload | ā Exposed (Base64-encoded JSON) | ā Encrypted |
| Replay Attack Resistance | ā None | ā Unique nonce per token |
| Verification Type | Requires shared secret (HMAC) or public-private keypair | ā Uses asymmetric cryptography |
š API Reference
new RSecureToken(secretKey?: Buffer)
Creates a new instance of RSecureToken. If no secret key is provided, a random one is generated.
generateToken(payload: TokenPayload): Promise
Creates a secure, signed token.
Parameters:
payload(object) ā The data to include in the token, including anexp(expiration timestamp).
Returns:
{
token: string; // Encrypted token
signature: string; // Ed25519 signature
}verifyToken(token: string, signature: string): Promise<TokenPayload | null>
Verifies and decrypts the token if valid.
Parameters:
token(string) ā The encrypted token.signature(string) ā The digital signature for verification.
Returns:
- Valid: Returns the decrypted payload object.
- Invalid: Returns
null.
Example Response:
{
data: { userId: 123 },
exp: 1700000000000
}ā ļø Best Practices
š¹ Store Secret Keys Securely: Never hardcode them in your source code. Use environment variables or a secure key management system.
š¹ Rotate Keys Periodically: Regularly update encryption and signing keys to minimize security risks.
š¹ Use Short-Lived Tokens: Prevent token abuse by setting short expiration times (exp).
š¹ Avoid Token Storage in Local Storage: Instead, store tokens in HTTP-only cookies or secure storage solutions.
š License
This project is licensed under the MIT License.
š Support & Contributions
šØāš» Contributions are welcome! Feel free to submit pull requests or report issues on GitHub.
š§ Need Help? Open an issue or contact us!