Secure Key Readme Suggestion + Release #17

Open
grempe opened this issue Jun 14, 2021 · 4 comments

@grempe
Contributor

grempe commented Jun 14, 2021

Hi, I noticed that you have a new README in the works for addressing the changes in #12.

https://github.com/tuupola/branca-js/tree/key-readme

I have a few suggested changes you might consider for the new Key section. A new release with the updated README would be great.

## Secret key

The token is encrypted using a 32 byte secret key. You can pass the secret key either as an instance of `Buffer` or a hex encoded string. The value of the key must be protected and should not be stored in your application code. In the examples that follow the key is generated on the fly only for demonstration purposes.

From hex string:

```javascript
const key = "7ed049e344f73f399ba1f7868cf9494f4b13347ecce02a8e463feb32507b73a5";
const branca = require("branca")(key);
```

From a hex string as a Buffer:

```javascript
const key = Buffer.from("7ed049e344f73f399ba1f7868cf9494f4b13347ecce02a8e463feb32507b73a5", "hex");
const branca = require("branca")(key);
```

You should not use human readable, or memorable, strings as the secret key. Instead always generate the key using cryptographically secure random bytes. You can do this, for example, from the command-line with Node.js itself or `openssl`. 

```sh
$ node
Welcome to Node.js v16.2.0.
Type ".help" for more information.
> crypto.randomBytes(32).toString("hex")
'46cad3699da5766c45e80edfbf19dd2debc311e0c9046a80e791597442b2daf0'
```

```sh
$ openssl rand -hex 32
29f7d3a263bd6fcfe716865cbdb00b7a317d1993b8b7a3a5bae6192fbe0ace65
```
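
An added example, not part of the comment above or of branca-js: one way to follow the suggested README advice of keeping the key out of application code, by reading it from an environment variable and validating it strictly before use. The variable name `BRANCA_KEY` and all function names are assumptions made for this example.

```javascript
// Added example; BRANCA_KEY and the function names are hypothetical.
const crypto = require("crypto");

const KEY_BYTES = 32;
const HEX_KEY = /^[0-9a-fA-F]{64}$/; // exactly 32 bytes, hex encoded

// Generate a key from the CSPRNG, as in the REPL session above.
function generateKeyHex() {
  return crypto.randomBytes(KEY_BYTES).toString("hex");
}

// Shows why a strict check is needed: Buffer.from(str, "hex") does not
// throw on bad input. It stops at the first non-hex pair and drops a
// trailing odd digit, so a typo silently yields a shorter buffer.
function lenientLength(hex) {
  return Buffer.from(hex, "hex").length;
}

// Strict parse: reject anything that is not exactly 64 hex characters.
// Error messages never include the key material itself.
function parseKeyHex(hex) {
  if (typeof hex !== "string" || !HEX_KEY.test(hex)) {
    throw new Error("secret key must be exactly 64 hex characters (32 bytes)");
  }
  return Buffer.from(hex, "hex");
}

// Read the key from the environment rather than from source code.
function loadKey(env = process.env) {
  const hex = env.BRANCA_KEY;
  if (hex === undefined || hex === "") {
    throw new Error("BRANCA_KEY is not set");
  }
  // Trim the trailing newline that shells and secret files often add.
  return parseKeyHex(hex.trim());
}

// Usage with the library, per the README text above:
//   const branca = require("branca")(loadKey());
```
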

@grempe
Contributor Author

grempe commented Jun 14, 2021

Once this is released I can also submit a pull request to fix the type definitions:

https://github.com/DefinitelyTyped/DefinitelyTyped/tree/f7ec78508c6797e42f87a4390735bc2c650a1bfd/types/branca

@tuupola
Owner

tuupola commented Jun 22, 2021

Published as 0.4.0

https://www.npmjs.com/package/branca

@grempe
Contributor Author

grempe commented Jun 22, 2021

I've submitted a pull request to update the TypeScript types package for branca-js.

DefinitelyTyped/DefinitelyTyped#53989

Ultimately it would be better if these were included with the package.

@grempe
Contributor Author

grempe commented Jun 22, 2021

PR approved and merged. A new definitions package should be published shortly.

https://www.npmjs.com/package/@types/branca

Update: Published

https://www.npmjs.com/package/@types/branca
