# 🥊 pw-punch

> **Ultra-lightweight** password hashing & JWT-style token signing with pure **WebCrypto**.
> Built for **Edge**, **Serverless**, and modern runtimes like **Cloudflare**, **Deno**, **Vercel**, **Bun** — _no Node.js required_.
> **Zero dependencies. Zero bloat. Just crypto.**

---

## ⚡ Why pw-punch?

- ✅ **0 dependencies** — no install bloat
- ✅ **0 Node.js required** — pure WebCrypto API
- ✅ **0 config** — import and go
- ✅ **~4KB gzipped** — tiny footprint
- ✅ **Crypto only** — no extra fluff

---

## Features

- 🔒 Password hashing with PBKDF2 + random salt
- HMAC-SHA256 / SHA512 token signing (JWT-style)
- 🕵️ Token verification with standard claim checks (`exp`, `nbf`, `iat`, `iss`, `aud`, `sub`)
- 🔄 Supports key rotation (`kid` support)
- 🧪 Constant-time comparison utilities
- 🧩 WebCrypto only — works on:
  - ✅ Cloudflare Workers
  - ✅ Deno Deploy
  - ✅ Bun
  - ✅ Modern Browsers
  - ✅ Node 18+ (WebCrypto)
- 💡 Fully tree-shakable

---

## 📦 Install

```bash
npm install pw-punch
```

---

## 🔧 API Usage

### 🔒 Hash a password

```ts
import { hashPassword } from 'pw-punch'

const hashed = await hashPassword('hunter2')
// "base64salt:base64hash"
```

### ✅ Verify a password

```ts
import { verifyPassword } from 'pw-punch'

const isValid = await verifyPassword('hunter2', hashed)
// true or false
```

### Sign a token

```ts
import { signToken } from 'pw-punch'

const token = await signToken({ sub: 'user' }, 'secret')
```

### 🕵️ Verify a token

```ts
import { verifyToken } from 'pw-punch'

const payload = await verifyToken(token, 'secret')
// returns payload or null
```

### Decode token (without verifying)

```ts
import { decodeToken } from 'pw-punch'

const { header, payload, signature } = decodeToken(token)
```

---

## 📘 Full Example

```ts
import { signToken, verifyToken } from 'pw-punch'

const token = await signToken(
  { sub: 'user' },
  'my-secret',
  256,
  'key-1'
)

const payload = await verifyToken(token, {
  'key-1': 'my-secret'
})
```

---

## 🧪 Tests & Demo

- ✅ All core features tested using [`bun test`](https://bun.sh/docs/test)
- ✅ Additional **interactive demo** available:

```bash
npm run demo
```

Select and run hashing/token functions in CLI with colored output.
Great for dev previewing & inspection.

---

## 📦 Built With

- 🌀 100% WebCrypto (FIPS-compliant)
- ⚡ Bun for test/dev (optional)
- TypeScript + `tsc` build
- 🔬 No dependencies at all

---

## ⚠️ Disclaimer

This is **not a full JWT spec implementation**.

- Only `HMAC` is supported (no RSA/EC)
- You must check claims like `aud`, `iss` yourself, or provide a `customValidate()` hook
- No support for JWE/JWS standards

---

## 🔮 Roadmap

- [x] Interactive CLI demo
- [x] JWT claim validation hook
- [x] Shorter token support (manual control)

This is the way.

---

## 📄 License

MIT

---

<!-- keywords: jwt, token, hmac, pbkdf2, crypto, webcrypto, edge, serverless, cloudflare, bun, vercel, deno, browser, password, hashing, lightweight, 0dep, zero-dependency -->
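
The Full Example and Disclaimer above combine `kid`-based key rotation with claim checks the caller is responsible for. The sketch below shows that flow directly on WebCrypto; it is an added example, not pw-punch's source code. The names `sign`, `verify`, `getSubtle`, `keys` and `expected` are hypothetical, and treating `exp` as mandatory is a choice made here.

```javascript
// Added illustration on raw WebCrypto; not pw-punch source. All names here are hypothetical.
const enc = new TextEncoder();
const dec = new TextDecoder();
// Edge runtimes and recent Node expose globalThis.crypto; older Node falls back to node:crypto.
const getSubtle = async () =>
  (globalThis.crypto ?? (await import('node:crypto')).webcrypto).subtle;

const b64url = (bytes) =>
  btoa(String.fromCharCode(...bytes)).replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
const unb64url = (s) =>
  Uint8Array.from(atob(s.replace(/-/g, '+').replace(/_/g, '/')), (c) => c.charCodeAt(0));
const hmacKey = async (secret, usage) =>
  (await getSubtle()).importKey('raw', enc.encode(secret), { name: 'HMAC', hash: 'SHA-256' }, false, [usage]);

async function sign(payload, secret, kid) {
  const head = b64url(enc.encode(JSON.stringify({ alg: 'HS256', typ: 'JWT', kid })));
  const body = b64url(enc.encode(JSON.stringify(payload)));
  const key = await hmacKey(secret, 'sign');
  const sig = await (await getSubtle()).sign('HMAC', key, enc.encode(`${head}.${body}`));
  return `${head}.${body}.${b64url(new Uint8Array(sig))}`;
}

// keys: { kid: secret } map; expected: { iss, aud } this service accepts; now: seconds since epoch.
async function verify(token, keys, expected, now = Math.floor(Date.now() / 1000)) {
  try {
    const [head, body, sig, extra] = token.split('.');
    if (!head || !body || !sig || extra !== undefined) return null;
    const header = JSON.parse(dec.decode(unb64url(head)));
    // The header is untrusted input: pin the algorithm and accept only kids from our own map.
    if (header.alg !== 'HS256' || !Object.hasOwn(keys, header.kid)) return null;
    const key = await hmacKey(keys[header.kid], 'verify');
    // Let WebCrypto do the MAC comparison instead of comparing signature strings with ===.
    const ok = await (await getSubtle()).verify('HMAC', key, unb64url(sig), enc.encode(`${head}.${body}`));
    if (!ok) return null;
    const claims = JSON.parse(dec.decode(unb64url(body)));
    if (typeof claims.exp !== 'number' || claims.exp <= now) return null; // exp required (assumption)
    if (typeof claims.nbf === 'number' && claims.nbf > now) return null;
    if (claims.iss !== expected.iss) return null;
    const aud = Array.isArray(claims.aud) ? claims.aud : [claims.aud];
    return aud.includes(expected.aud) ? claims : null;
  } catch {
    return null; // malformed base64 or JSON
  }
}
```

Retiring a key is then a matter of deleting its `kid` from the map: tokens that name it fail the lookup before any MAC is computed.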