Giter Site home page Giter Site logo

peter-evans / paseto-lua Goto Github PK

View Code? Open in Web Editor NEW
11.0 6.0 2.0 136 KB

PASETO (Platform-Agnostic Security Tokens) for Lua

License: MIT License

Lua 88.64% Shell 0.29% C 10.35% Dockerfile 0.73%
paseto lua stateless-token libsodium authorization authorization-token authenticated-encryption ed25519 jose jwt

paseto-lua's Introduction

PASETO (Platform-Agnostic Security Tokens) for Lua

luarocks Build Status Coverage Status

Paseto (Platform-Agnostic SEcurity TOkens) is a specification and reference implementation for secure stateless tokens.

"Paseto is everything you love about JOSE (JWT, JWE, JWS) without any of the many design deficits that plague the JOSE standards."

paragonie/paseto

Feature Support

v1.local v1.public v2.local v2.public
✔️ ✔️

This implementation doesn't support the v1 protocol. Please note that v1 should only be used by legacy systems that cannot use modern cryptography.

Roadmap

  • v2 local authentication (Blake2b and XChaCha20-Poly1305)
  • v2 public authentication (Ed25519 signatures)
  • JSON payload and footer processing
  • Registered claims validation
  • Custom claims validation
  • High-level token builder API
  • Integrated key ID (kid) support
  • API documentation

Installation

Sodium Crypto Library

This Lua module depends on the Sodium crypto library (libsodium). The following is a convenient way to install libsodium via LuaRocks. Alternatively, see libsodium's documentation for full installation instructions.

luarocks install libsodium

Lua CJSON

This module also has a dependency on lua-cjson. Due to an issue with the latest version you might need to specify an earlier stable version. If you let luarocks install this dependency for you when installing PASETO you might experience problems. Additionally, if using Lua 5.3 you need to build Lua with a compatibility flag for Lua 5.1.

Lua Lua CJSON install Lua compatibility flags
5.1 luarocks install lua-cjson 2.1.0
5.2 luarocks install lua-cjson 2.1.0
5.3 luarocks install lua-cjson 2.1.0 -DLUA_COMPAT_5_1
Lua JIT 2.0 luarocks install lua-cjson 2.1.0
Lua JIT 2.1 luarocks install lua-cjson 2.1.0.6

See .travis.yml for build configurations.

PASETO

Finally, install PASETO:

luarocks install paseto

Usage

v2.local :

local paseto = require "paseto.v2"

local key, payload_claims, token, footer_claims, claim_rules
local extracted_footer_claims, extracted_footer, decrypted_claims, enforced_claims
payload_claims = {
  iss = "paragonie.com",
  jti = "87IFSGFgPNtQNNuw0AtuLttP",
  aud = "some-audience.com",
  sub = "test",
  iat = "2018-01-01T00:00:00+00:00",
  nbf = "2018-01-01T00:00:00+00:00",
  exp = "2099-01-01T00:00:00+00:00",
  data = "this is a secret message",
  myclaim = "required value"
}
footer_claims = { kid = "MDlCMUIwNzU4RTA2QzZFMDQ4" }
claim_rules = {
  claim_1 = { claim = "IssuedBy", value = "paragonie.com" },
  claim_2 = { claim = "IdentifiedBy", value = "87IFSGFgPNtQNNuw0AtuLttP" },
  claim_3 = { claim = "ForAudience", value = "some-audience.com" },
  claim_4 = { claim = "Subject", value = "test" },
  claim_5 = { claim = "NotExpired", value = "" },
  claim_6 = { claim = "ValidAt", value = "" },
  claim_7 = { claim = "ContainsClaim", value = "data" },
  claim_8 = { claim = "myclaim", value = "required value" }
}

-- generate symmetric key
key = paseto.generate_symmetric_key()

-- encrypt/decrypt without footer and without enforcing claim rules
token = paseto.encrypt(key, payload_claims)
decrypted_claims = paseto.decrypt(key, token)

-- encrypt with footer
token = paseto.encrypt(key, payload_claims, footer_claims)

-- extract footer claims (e.g. to determine public key from kid claim)
extracted_footer_claims, extracted_footer = paseto.extract_footer_claims(token)

-- decrypt without enforcing claim rules
decrypted_claims = paseto.decrypt(key, token, nil, extracted_footer)

-- decrypt and enforce claim rules
enforced_claims = paseto.decrypt(key, token, claim_rules, extracted_footer)

v2.public :

local paseto = require "paseto.v2"

local secret_key, public_key, payload_claims, token, footer_claims, claim_rules
local extracted_footer_claims, extracted_footer, verified_claims, enforced_claims
payload_claims = {
  iss = "paragonie.com",
  jti = "87IFSGFgPNtQNNuw0AtuLttP",
  aud = "some-audience.com",
  sub = "test",
  iat = "2018-01-01T00:00:00+00:00",
  nbf = "2018-01-01T00:00:00+00:00",
  exp = "2099-01-01T00:00:00+00:00",
  data = "this is a signed message",
  myclaim = "required value"
}
footer_claims = { kid = "MDlCMUIwNzU4RTA2QzZFMDQ4" }
claim_rules = {
  claim_1 = { claim = "IssuedBy", value = "paragonie.com" },
  claim_2 = { claim = "IdentifiedBy", value = "87IFSGFgPNtQNNuw0AtuLttP" },
  claim_3 = { claim = "ForAudience", value = "some-audience.com" },
  claim_4 = { claim = "Subject", value = "test" },
  claim_5 = { claim = "NotExpired", value = "" },
  claim_6 = { claim = "ValidAt", value = "" },
  claim_7 = { claim = "ContainsClaim", value = "data" },
  claim_8 = { claim = "myclaim", value = "required value" }
}

-- generate key pair
secret_key, public_key = paseto.generate_asymmetric_secret_key()

-- sign/verify without footer and without enforcing claim rules
token = paseto.sign(secret_key, payload_claims)
verified_claims = paseto.verify(public_key, token)

-- sign with footer
token = paseto.sign(secret_key, payload_claims, footer_claims)

-- extract footer claims (e.g. to determine public key from kid claim)
extracted_footer_claims, extracted_footer = paseto.extract_footer_claims(token)

-- verify without enforcing claim rules
verified_claims = paseto.verify(public_key, token, nil, extracted_footer)

-- verify and enforce claim rules
enforced_claims = paseto.verify(public_key, token, claim_rules, extracted_footer)

Core API

This low-level API should only be used when you cannot use JSON for payload claims and footer claims.

v2.local :

local paseto = require "paseto.v2.core"

local key, message, token, footer, extracted_footer, decrypted
message = "my secret message"
footer = "my footer"

-- generate symmetric key
key = paseto.generate_symmetric_key()

-- encrypt/decrypt without footer
token = paseto.encrypt(key, message)
decrypted = paseto.decrypt(key, token)

-- encrypt/decrypt with footer
token = paseto.encrypt(key, message, footer)
extracted_footer = paseto.extract_footer(token)
decrypted = paseto.decrypt(key, token, extracted_footer)

v2.public :

local paseto = require "paseto.v2.core"

local secret_key, public_key, message, token, footer, extracted_footer, verified
message = "my signed message"
footer = "my footer"

-- generate key pair
secret_key, public_key = paseto.generate_asymmetric_secret_key()

-- sign/verify without footer
token = paseto.sign(secret_key, message)
verified = paseto.verify(public_key, token)

-- sign/verify with footer
token = paseto.sign(secret_key, message, footer)
extracted_footer = paseto.extract_footer(token)
verified = paseto.verify(public_key, token, extracted_footer)

License

MIT License - see the LICENSE file for details

paseto-lua's People

Contributors

peter-evans avatar

Stargazers

 avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar

Watchers

 avatar  avatar  avatar  avatar  avatar  avatar

Forkers

00mjk

paseto-lua's Issues

Bind Keys to Version and Purpose

paseto-lua/paseto/v2.lua

Lines 174 to 184 in 400f2bd

function v2.generate_symmetric_key()
return paseto.generate_symmetric_key()
end
function v2.generate_asymmetric_secret_key()
return paseto.generate_asymmetric_secret_key()
end
function v2.extract_version_purpose(token)
return paseto.extract_version_purpose(token)
end

function v2.decrypt(key, token, claim_rules, footer)

function v2.verify(public_key, token, claim_rules, footer)

See https://github.com/paseto-standard/paseto-spec/blob/master/docs/02-Implementation-Guide/03-Algorithm-Lucidity.md

Right now, byte arrays are accepted by this API. There's no mechanism to prevent a user from using a v2 public key as a v2 local key.

Recommend Projects

  • React photo React

    A declarative, efficient, and flexible JavaScript library for building user interfaces.

  • Vue.js photo Vue.js

    🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.

  • Typescript photo Typescript

    TypeScript is a superset of JavaScript that compiles to clean JavaScript output.

  • TensorFlow photo TensorFlow

    An Open Source Machine Learning Framework for Everyone

  • Django photo Django

    The Web framework for perfectionists with deadlines.

  • D3 photo D3

    Bring data to life with SVG, Canvas and HTML. 📊📈🎉

Recommend Topics

  • javascript

    JavaScript (JS) is a lightweight interpreted programming language with first-class functions.

  • web

    Some thing interesting about web. New door for the world.

  • server

    A server is a program made to process requests and deliver data to clients.

  • Machine learning

    Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.

  • Game

    Some thing interesting about game, make everyone happy.

Recommend Org

  • Facebook photo Facebook

    We are working to build community through open source technology. NB: members must have two-factor auth.

  • Microsoft photo Microsoft

    Open source projects and samples from Microsoft.

  • Google photo Google

    Google ❤️ Open Source for everyone.

  • D3 photo D3

    Data-Driven Documents codes.