UNPKG

jwt-token-pair-generator

Version:

A secure RSA token pair generator CLI and library for generating and storing RSA keys for JWT

github.com/ShaNaim/rsa-token-pair-generator

ShaNaim/rsa-token-pair-generator

188 lines (133 loc) 5.54 kB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
# JWT Token Pair Generator 🔐 A secure CLI utility and library for generating RSA-2048/4096 cryptographic key pairs specifically designed for JWT-based authentication systems. Generates access/refresh token key pairs with enterprise-grade security practices and seamless environment integration. [![License: MIT](https://img.shields.io/badge/License-MIT-blue.svg)](https://opensource.org/licenses/MIT) [![npm version](https://img.shields.io/npm/v/rsa-token-pair-generator)](https://www.npmjs.com/package/jwt-token-pair-generator) ## Features 🚀 - **Military-Grade Cryptography**: Generates RSA key pairs (PKCS#8) with configurable modulus length (2048/4096 bits) - **Secure Storage**: Writes keys to disk with strict file permissions (default: 644) - **Environment Automation**: Auto-updates .env files with key paths and Base64-encoded values - **Production-Ready Logging**: Integrated [Pino](https://getpino.io/) logger with structured JSON output - **Zero Dependencies**: Uses native Node.js crypto module for key generation - **TypeSafe API**: Full TypeScript support with declaration files - **Configurable CLI**: Built with [Commander.js](https://github.com/tj/commander.js) for robust argument handling ## Installation 📦 ### Global CLI Installation ```bash npm install jwt-token-pair-generator ``` ### As Project Dependency ```bash npm install jwt-token-pair-generator --save-dev ``` ## Usage 🛠️ ### CLI Quick Start Generate keys with default settings: ```bash generate-token ``` This will: 1. Create `secure-keys` directory 2. Generate 2048-bit RSA key pair 3. Update `.env` file with key paths 4. Set restrictive file permissions ### Advanced CLI Usage ```bash generate-token \ --keyDir "my-keys" \ --envFile ".prod.env" \ --modulus 4096 \ --permissions 600 \ --log all ``` **Options**: | Flag | Description | Default | Options | | ---------------------- | ----------------------------------------------------------- | ------------------------ | ---------------------------- | | `--keyDir <path>` | Output directory for keys | `secure-keys` | `off`(files won't be saved ) | | `--envFile <name>` | Environment file to update | `.env` | | | `--modulus <bits>` | RSA modulus length (2048/4096) | `2048` | | | `--permissions <mode>` | File permission mode (octal) | `644` | | | `--log <level>` | Specifies the logging level for detailed execution tracking | `warn` / `step` (custom) | `all` (trace) `off`(No Logs) | **Example:** ```bash generate-token --keyDir my-keys --envFile mykeys.env --permissions 600 --modulus 4096 ``` ### Programmatic API ```typescript import { SecureKeyGenerator } from "rsa-token-pair-generator"; const keyGenerator = new SecureKeyGenerator({ keyDirectory: "config/keys", envFileName: ".env.production", modulusLength: 4096, filePermissions: 0o600, }); keyGenerator .generate() .then(() => console.log("Key pair generated successfully")) .catch((err) => console.error("Generation failed:", err)); ``` ## Security Best Practices 🔒 1. **Permission Hardening**: Always set file permissions to 600 in production 2. **Key Rotation**: Generate new keys quarterly or per security policy 3. **Environment Isolation**: Store private keys separate from application code 4. **Audit Logging**: Monitor key generation events via Pino logs 5. **CI/CD Integration**: Generate keys during deployment processes ## Logging 📝 The utility uses Pino for high-performance structured logging: ```json { "time": "2025-02-23T10:06:36.536Z", "logLevel": "step", "logMessage": "RSA token key pair generation process completed successfully." } ``` **Log Levels**: - `all` [`warn`]: Cryptographic details (enable for troubleshooting) - `default` [`trace`]: Generation milestones - `off`: No Logs Enable debug logging: ```bash generate-token --log all ``` ## Development 🧑💻 ### Build from Source ```bash git clone https://github.com/ShaNaim/rsa-token-pair-generator.git ``` ```bash cd rsa-token-pair-generator ``` ```bash npm install ``` ```bash npm run build ``` ### Test Generation ```bash # Production build test node dist/cli.js --keyDir test-keys --modulus 2048 # Development mode (ts-node) npx ts-node src/cli.ts --envFile .env.test ``` ### Testing Recommendations 1. Add Jest/Mocha tests for cryptographic functions 2. Implement E2E testing for CLI workflows 3. Add static analysis with ESLint/TypeScript 4. Consider adding HSM integration tests ## Contributing 🤝 We welcome security-focused contributions: 1. Fork the repository 2. Create feature branch (`git checkout -b feature/improvement`) 3. Commit changes with signed-off messages 4. Push to branch (`git push origin feature/improvement`) 5. Open Pull Request **Priority Areas**: - Security audits - Cloud HSM integration - Key encryption at rest - Automated key rotation - Comprehensive test suite ## License 📄 MIT License - See [LICENSE](https://github.com/ShaNaim/rsa-token-pair-generator/blob/main/LICENSE) for full text. --- > **Note**: Always store private keys in secure vaults (AWS KMS, HashiCorp Vault) in production environments.