
OpenTok Token Encoder

Tokbox is now known as Vonage


Generates tokens for the X-TB-TOKEN-AUTH header when using the OpenTok REST API.

Installation

npm install --save opentok-token

Usage

WARNING: This module does not check the validity of the data being encoded into the token. It knows nothing about the OpenTok REST API semantics, so you can encode data that does not result in a valid token. It's merely a utility. Use the OpenTok Node Server SDK for a more complete module.

Generating a token

var encodeToken = require("opentok-token");

var tokenData = {
  session_id: "SESSIONID",
  create_time: 1424221013,
  nonce: 50885,
  role: "moderator",
  expire_time: 1424307413,
  connection_data: '{"name":"value"}',
};
var apiKey = "APIKEY";
var apiSecret = "APISECRET";

var token = encodeToken(tokenData, apiKey, apiSecret);

NOTE: The API key, secret, and session ID above are not real.

Default values

If you do not specify certain properties of the tokenData parameter, defaults will be applied for you.

Property      Type                                  Default
create_time   unix timestamp in seconds (integer)   now
expire_time   unix timestamp in seconds (integer)   now + 1 day
role          string                                'publisher'
nonce         number                                unique random number

Development and Contributing

Interested in contributing? We ❤️ pull requests! See the Contribution guidelines.

Getting Help

We love to hear from you, so if you have questions or comments, or find a bug in the project, let us know! You can either:

Issues

lodash-4.17.15.tgz: 3 vulnerabilities (highest severity is: 7.4) - autoclosed

Vulnerable Library - lodash-4.17.15.tgz

Lodash modular utilities.

Library home page: https://registry.npmjs.org/lodash/-/lodash-4.17.15.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/lodash/package.json

Found in HEAD commit: 59ccc855351636312f620efa780e4074fa576df9

Vulnerabilities

CVE             Severity   CVSS   Dependency           Type     Fixed in   Remediation Available
CVE-2020-8203   High       7.4    lodash-4.17.15.tgz   Direct   4.17.19    yes
CVE-2021-23337  High       7.2    lodash-4.17.15.tgz   Direct   4.17.21    yes
CVE-2020-28500  Medium     5.3    lodash-4.17.15.tgz   Direct   4.17.21    yes

Details

CVE-2020-8203

Dependency Hierarchy:

  • lodash-4.17.15.tgz (Vulnerable Library)

Found in base branch: main

Vulnerability Details

Prototype pollution attack when using _.zipObjectDeep in lodash before 4.17.20.

Publish Date: 2020-07-15

URL: CVE-2020-8203

CVSS 3 Score Details (7.4)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: High
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: High
    • Availability Impact: High


Suggested Fix

Type: Upgrade version

Origin: https://www.npmjs.com/advisories/1523

Release Date: 2020-07-15

Fix Resolution: 4.17.19

⛑️ Automatic Remediation is available for this issue

CVE-2021-23337


Vulnerability Details

Lodash versions prior to 4.17.21 are vulnerable to Command Injection via the template function.

Publish Date: 2021-02-15

URL: CVE-2021-23337

CVSS 3 Score Details (7.2)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: High
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High


Suggested Fix

Type: Upgrade version

Release Date: 2021-02-15

Fix Resolution: 4.17.21

⛑️ Automatic Remediation is available for this issue

CVE-2020-28500


Vulnerability Details

Lodash versions prior to 4.17.21 are vulnerable to Regular Expression Denial of Service (ReDoS) via the toNumber, trim and trimEnd functions.
Mend Note: After conducting further research, Mend has determined that CVE-2020-28500 only affects environments with versions 4.0.0 to 4.17.20 of Lodash.

Publish Date: 2021-02-15

URL: CVE-2020-28500

CVSS 3 Score Details (5.3)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: Low


Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-28500

Release Date: 2021-02-15

Fix Resolution: 4.17.21

⛑️ Automatic Remediation is available for this issue


Is this project still active?

I ask since the dependencies are not up to date and are giving me some feedback on npm audit.

Thanks and kind regards,

Defaults for some tokenData properties

Currently, encodeToken() is completely unaware of the semantics of a token; it simply knows how to transform the inputs into something that looks like a token. This is very flexible.

This comes with the burden that the client has to know the semantics and specify all parts of the tokenData.

A compromise between that burden and the flexibility, one that achieves more usability, is to use default values for properties that are not defined on tokenData. This includes create_time, expire_time, nonce, and role.

Add a validate method

It would be nice to have a "validate" method that took a token and verified that it was legitimate for a given session ID and properly signed. I know OpenTok must do this itself server-side, but neither this library nor the OpenTok node-js library provide one. I could send a PR for it but wanted to check with you here first in case you thought it would be more appropriate to submit to the opentok NodeJS SDK project.

Throw when `session_id` is not specified.

Following on from #1, if the semantics of a token are implemented, then another useful behavior might be to throw when the one required property of tokenData, that is session_id, is not specified.

The one drawback I can think of is that some specs or tests might purposely want to leave out the session_id. I don't think this is a common case.

A possible compromise is to create an additional argument, called options, which can have a property called strict. If strict is truthy, then the tokenData is taken literally, with no default substitution and no throwing.
