nn: Nonce-Next
Real Nonce (Number used only once) for node.
Install
npm install --save nonce-next
Getting Started
Easy breezy:
```js
let nn = require('nonce-next');

// Generate a nonce
let nonce = nn.generate();
console.log(nonce); // Something like 123456789123

// Validate
console.log(nn.compare(nonce)); // True!

// Only once!
console.log(nn.compare(nonce)); // False!!!
```
How it works... And what for?
nn generates a different number every time it is called, based on the current timestamp and an increasing counter.
Nonces are saved to an LRU memory store, so they expire automatically and the store cannot grow without bound.
When checked, nn invalidates the last nonce, to make sure it is used only once.
Because that's the whole point!
Use it to secure website forms, like so:
routes/post-message.js
```js
const nn = require('nonce-next');

// Render the form with a fresh nonce. The route and handler names are
// reconstructed from the template below, not taken from the package.
route.get('/', (req, res) => {
  res.render('form', { nonce: nn.generate() });
});

// Accept the post only if the nonce is valid; a successful compare also
// consumes it, so the same form cannot be submitted twice.
route.post('/add', (req, res) => {
  // form fields arrive as strings, nn.compare expects the Number it generated
  if (!nn.compare(Number(req.body.nonce))) {
    return res.status(403).send('Invalid or reused nonce');
  }
  // ... handle req.body.message
  res.redirect('/');
});
```
views/form.ejs
```html
<form action="/add" method="post">
  <input type="hidden" name="nonce" value="<%= nonce %>">
  <input type="text" name="message">
  <input type="submit">
</form>
```
Scoped nonces
Scoped nonces are a way to add an extra layer of security and to organize your code.
You can give your nonces one or more scopes, all of which must be present when compared:
```js
// 'user' and 'form' are placeholder scope names for illustration
let n = nn.generate({ scope: ['user', 'form'] });
nn.compare(n, 'user');           // False!
nn.compare(n, ['user', 'form']); // True!
```
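To make the mechanism concrete, here is an added, self-contained illustration of the pattern the sections above describe: a single-use, expiring, scoped nonce store guarding the /add form post, with replay, partial-scope and expiry cases handled. It is not nonce-next's own code; the function names mirror the docs, while the exact-scope-match rule, the `now` parameter and the `handleAdd` handler are assumptions made for this example.

```javascript
// Added illustration, not nonce-next's source. Store entries keep insertion
// order, so the oldest nonce is the first key and can be evicted LRU-style.
const store = new Map();       // nonce -> { expires, scope }
const MAX_ENTRIES = 10000;     // cap so the store cannot grow unbounded
const DEFAULT_MAX_AGE = 1000 * 60 * 60 * 24;
let counter = 0;

function toScopes(scope) {
  return scope == null ? [] : [].concat(scope);
}

// `now` is injectable (assumed parameter) so expiry is testable deterministically.
function generate(opts = {}, now = Date.now()) {
  const maxAge = typeof opts === 'number' ? opts : (opts.expires ?? DEFAULT_MAX_AGE);
  const scope = typeof opts === 'number' ? [] : toScopes(opts.scope);
  // timestamp plus an increasing counter: a different value on every call
  const nonce = now * 1000 + (counter++ % 1000);
  if (store.size >= MAX_ENTRIES) store.delete(store.keys().next().value); // evict oldest
  store.set(nonce, { expires: now + maxAge, scope });
  return nonce;
}

// Valid only if present, unexpired, and the scope set matches exactly (assumed rule).
function peekCompare(nonce, scope, now = Date.now()) {
  const entry = store.get(nonce);
  if (!entry) return false;
  if (now > entry.expires) { store.delete(nonce); return false; } // purge on expiry
  const given = toScopes(scope);
  return entry.scope.length === given.length && entry.scope.every((s) => given.includes(s));
}

// A successful compare consumes the nonce, so a replayed form post is rejected.
// A failed compare leaves it in place, matching the compare examples in the docs.
function compare(nonce, scope, now = Date.now()) {
  const ok = peekCompare(nonce, scope, now);
  if (ok) store.delete(nonce);
  return ok;
}

// Handler for the /add form: form fields arrive as strings, so coerce first.
// 'post-message' is a placeholder scope name for this example.
function handleAdd(body, now = Date.now()) {
  const nonce = Number(body.nonce);
  if (!Number.isSafeInteger(nonce)) return { status: 403, error: 'bad nonce' };
  if (!compare(nonce, 'post-message', now)) return { status: 403, error: 'invalid or reused nonce' };
  return { status: 200, message: String(body.message) };
}
```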
Docs
nn.generate([{Number} maxAge=1000*60*60*24 | {Object} props])
Generates a nonce and persists it in the LRU memory store.
Can optionally receive a props object, or a number specifying the max age.
A number sets the nonce expiration in milliseconds.
An object may contain any of the following properties:
- {Number} expires: expiration in milliseconds, the same as passing a number directly
- {String|String[]} scope: a string or array of strings which will scope the nonce
Examples:
```js
nn.generate(1000 * 60);              // will expire in a minute
nn.generate({ expires: 1000 * 60 }); // same, via the props object
nn.generate({ scope: 'login' });     // 'login' is a placeholder scope name
```
nn.compare({Number} nonce[, {String|String[]} scope])
Compares the nonce, removing it from the store never to be used again!
May pass an optional string or array of strings to check scope. The scope must match all strings.
Example:
```js
// 'a' and 'b' are placeholder scope names for illustration
let nonce1 = nn.generate({ scope: 'a' });
nn.compare(nonce1);      // False
nn.compare(nonce1, 'a'); // True

let nonce2 = nn.generate({ scope: ['a', 'b'] });
nn.compare(nonce2);             // False
nn.compare(nonce2, 'a');        // False
nn.compare(nonce2, ['a', 'b']); // True
```
nn.peekCompare({Number} nonce[, {String|String[]} scope])
Compares the nonce without removing it from the store.
May pass an optional string or array of strings to check scope. The scope must match all strings.
See nn.compare for an example.
nn.remove({Number} nonce)
Removes the nonce from the store.
Returns the removed nonce.
nn.cache
The underlying LRU cache object, for when you need to get down and dirty at a low level.