{"library":"secure-web-token","title":"Secure Web Token (SWT)","description":"Secure Web Token (SWT) is a Node.js library offering a security-focused alternative to traditional JSON Web Tokens (JWTs). Unlike JWTs, whose payloads are only Base64url-encoded (signed, but readable by anyone holding the token), SWT encrypts the payload with AES-256-GCM and implements server-side session binding, making tokens device-bound and preventing reuse on other devices. This approach significantly enhances security by making a stolen token useless to an attacker on another device. The current stable version is 1.2.8. It provides a simple API with `sign()` and `verify()` functions, supporting expiry and HttpOnly session cookies. Key differentiators include full payload encryption, true device binding, and server-side session management, making it suitable for high-security applications such as admin panels, SaaS dashboards, and internal tools where preventing token leakage and session hijacking is critical.","language":"javascript","status":"active","last_verified":"Sun Apr 19","install":{"commands":["npm install secure-web-token"],"cli":null},"imports":["import { sign } from 'secure-web-token'","import { verify } from 'secure-web-token'","import { getStore } from 'secure-web-token'"],"auth":{"required":false,"env_vars":[]},"quickstart":{"code":"import express from \"express\";\nimport cookieParser from \"cookie-parser\";\nimport { sign, verify, getStore } from \"secure-web-token\";\n\nconst app = express();\napp.use(express.json());\napp.use(cookieParser());\n\nconst SECRET = process.env.SWT_SECRET ?? 'a-very-secure-random-secret-key-of-at-least-32-characters'; // Use environment variable for production\nconst store = getStore(\"memory\"); // Default in-memory store, replace with persistent for production\n\n// Define a simple user for demonstration\nconst demoUser = { userId: 123, username: \"testuser\" };\n\n// --- Sign Token Example ---\napp.post('/login', (req, res) => {\n  // In a real app, validate user credentials here\n  const { token, sessionId } = sign(demoUser, SECRET, {\n    fingerprint: true, // Enable device binding\n    store: \"memory\", // Use the configured store\n    expiresIn: 3600 // Token expires in 1 hour\n  });\n\n  // Set HttpOnly cookie for sessionId\n  res.cookie(\"swt_session\", sessionId, { httpOnly: true, secure: process.env.NODE_ENV === 'production', sameSite: 'lax' });\n  res.json({ message: \"Login successful\", token });\n});\n\n// --- Verify Token Example ---\napp.get('/protected', (req, res) => {\n  try {\n    const sessionId = req.cookies.swt_session;\n    const token = req.headers.authorization?.split(\" \")[1];\n\n    if (!sessionId || !token) {\n      return res.status(401).json({ error: \"Authentication required\" });\n    }\n\n    // Retrieve session data (e.g., fingerprint) from the store\n    const session = store.getSession(sessionId);\n    if (!session) {\n      return res.status(401).json({ error: \"Session not found or expired\" });\n    }\n\n    const payload = verify(token, SECRET, {\n      sessionId,\n      fingerprint: session.fingerprint, // Crucial for device binding\n      store: \"memory\" // Use the configured store\n    });\n\n    res.json({ message: \"Access granted!\", user: payload.data });\n  } catch (error) {\n    console.error(\"Verification failed:\", error);\n    res.status(401).json({ error: \"Unauthorized access\" });\n  }\n});\n\nconst PORT = 3000;\napp.listen(PORT, () => {\n  console.log(`Server running on http://localhost:${PORT}`);\n  console.log(\"Try: POST /login and then GET /protected with the token and cookie.\");\n});","lang":"typescript","description":"Demonstrates a basic Express.js server using `secure-web-token` to handle user login and protect a route. It shows how to `sign` a token with device binding, set an HttpOnly session cookie, and then `verify` the token and session context for authorized access.","tag":null,"tag_description":null,"last_tested":null,"results":[]},"compatibility":null}