© 2026 – Pkg Stats / Ryan Hefner

@naskot/node-hmac-auth-core

v1.0.0

Published

HMAC auth core for Node.js APIs and microservices. Sign, verify, manage credentials. Pure auth, no propagation.

Readme

@naskot/node-hmac-auth-core

Pure HMAC auth primitives for Node.js APIs and microservices: sign outbound requests, verify inbound requests, manage credentials (HTTP + message tracks) against a Redis store. Framework-agnostic. Zero runtime dependencies.

Install

npm install @naskot/node-hmac-auth-core redis

redis is a peer dependency at runtime. Any client that satisfies the small RedisLikeClient interface works (node-redis, ioredis via a shim, fakeredis, etc.).

Usage in 30 seconds

import express from "express";
import { createClient } from "redis";
import { initializeHmacHttpAuth } from "@naskot/node-hmac-auth-core";

const app = express();

const redis = createClient({ url: process.env.REDIS_URL });
await redis.connect();

const auth = initializeHmacHttpAuth({
  // node-redis is cast to the lib's RedisLikeClient parameter type
  redis: redis as unknown as Parameters<typeof initializeHmacHttpAuth>[0]["redis"],
  namespace: "hmac", // optional
  secretToken: process.env.HMAC_SECRET_TOKEN,
});

// Provision a credential; only the hash is stored, so this is the one time the secret is visible
const created = await auth.clients.create({ clientId: "client_demo" });
console.log("secret to share with the caller:", created.secret);

// Protect routes: the middleware attaches the verified client to req.hmacAuth
app.use(auth.createExpressHttpMiddleware());
app.post("/api/echo", (req, res) => {
  res.json({ ok: true, clientId: (req as any).hmacAuth.clientId });
});

// Sign an outbound call
const fetchSigned = auth.createHttpSignedFetchClient({
  clientId: "client_demo",
  secret: created.secret,
});
await fetchSigned("http://peer.local/api/whoami", { method: "GET" });

Full per-framework guides:

What this lib gives you

| Surface | What |
| ----------------- | --------------------------------------------------------------------------------------------------------------------------------------------- |
| HTTP track | initializeHmacHttpAuth(...) instance with clients CRUD, verifyHttpRequest, verifyHttpSignature, createHttpSignedFetchClient, createHttpMiddleware / createExpressHttpMiddleware. |
| Message track | initializeHmacMessageAuth(...) instance with clients CRUD on a disjoint Redis namespace, signMessage, verifyMessage for non-HTTP transports. |
| Aggregate runtime | createHmacRuntime(auth) returns createSignedFetchFromClientId, signedFetchWithClientId, hmacHttpMiddleware(...clientIds). |
| Express adapter | createExpressHttpHmacMiddleware(...), createHttpHmacMiddleware(...), captureRawBody. |
| Stores | RedisCredentialStore, RedisNonceStore, buildRedisNamespaceKeys, resolveNamespace. |
| Pure crypto | hashClientSecret, hashBody, safeEqualHex, signRequest, buildSigningPayload, buildHttpSignedHeaders, buildMessageSigningPayload, signedHttpFetch. |
| Error class | HmacAuthError with 14 typed codes (MISSING_*, BAD_SIGNATURE, UNKNOWN_CLIENT, CLIENT_IP_NOT_ALLOWED, REPLAYED_NONCE, ...). |
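To make the roles of the pure-crypto helpers and the nonce store concrete, here is an added, self-contained sketch of one HMAC request-auth round trip: hash the body, build a canonical signing payload, sign it, verify with a constant-time comparison, and reject replayed nonces. This is example code written for this page, not the library's implementation. The header names, the field order of the signing payload, the choice of SHA-256 hex digests, and the error codes STALE_TIMESTAMP and BAD_BODY_HASH are assumptions of the example; the library's actual wire contract is in docs/wire-contract.md.

```typescript
import { createHash, createHmac, randomBytes, timingSafeEqual } from "node:crypto";

// Header names are an assumption of this example, not the library's wire contract.
const HEADERS = ["x-client-id", "x-timestamp", "x-nonce", "x-body-sha256", "x-signature"] as const;
type HeaderName = (typeof HEADERS)[number];
export type SignedHeaders = Record<HeaderName, string>;

export class HmacAuthError extends Error {
  readonly code: string;
  constructor(code: string) {
    super(code);
    this.name = "HmacAuthError";
    this.code = code;
  }
}

// SHA-256 of the raw body: binds the body to the signature without feeding the whole body into the HMAC.
export function hashBody(body: string): string {
  return createHash("sha256").update(body, "utf8").digest("hex");
}

// Constant-time comparison of two hex digests; a length mismatch is simply a mismatch.
export function safeEqualHex(a: string, b: string): boolean {
  if (a.length !== b.length) return false;
  return timingSafeEqual(Buffer.from(a, "utf8"), Buffer.from(b, "utf8"));
}

// Canonical string the HMAC covers. The field order is an assumption of this example.
export function buildSigningPayload(method: string, path: string, ts: string, nonce: string, bodyHash: string): string {
  return [method.toUpperCase(), path, ts, nonce, bodyHash].join("\n");
}

export function signRequest(key: string, payload: string): string {
  return createHmac("sha256", key).update(payload, "utf8").digest("hex");
}

// Caller side: the headers for one outbound request (nowMs / nonce are injectable for tests).
export function buildSignedHeaders(
  clientId: string, key: string, method: string, path: string, body: string,
  nowMs: number = Date.now(), nonce: string = randomBytes(16).toString("hex"),
): SignedHeaders {
  const ts = String(Math.floor(nowMs / 1000));
  const bodyHash = hashBody(body);
  const signature = signRequest(key, buildSigningPayload(method, path, ts, nonce, bodyHash));
  return { "x-client-id": clientId, "x-timestamp": ts, "x-nonce": nonce, "x-body-sha256": bodyHash, "x-signature": signature };
}

// Verifier side. The nonce map is an in-memory stand-in for a Redis nonce store; a nonce is kept for the
// clock-skew window, after which a replay fails the timestamp check anyway.
export class Verifier {
  private readonly keys: Map<string, string>;
  private readonly skewMs: number;
  private readonly seenNonces = new Map<string, number>(); // "clientId:nonce" -> expiry (ms)

  constructor(keys: Map<string, string>, skewMs = 5 * 60_000) {
    this.keys = keys;
    this.skewMs = skewMs;
  }

  verify(method: string, path: string, body: string, headers: Record<string, string | undefined>, nowMs: number = Date.now()): { clientId: string } {
    const get = (name: HeaderName): string => {
      const v = headers[name];
      if (!v) throw new HmacAuthError(`MISSING_${name.slice(2).toUpperCase().replace(/-/g, "_")}`);
      return v;
    };
    const clientId = get("x-client-id"), ts = get("x-timestamp"), nonce = get("x-nonce");
    const bodyHash = get("x-body-sha256"), signature = get("x-signature");

    const key = this.keys.get(clientId);
    if (key === undefined) throw new HmacAuthError("UNKNOWN_CLIENT");

    const tsMs = Number(ts) * 1000;
    if (!Number.isFinite(tsMs) || Math.abs(nowMs - tsMs) > this.skewMs) throw new HmacAuthError("STALE_TIMESTAMP");

    // Signature before anything stateful: the nonce store must only be written for authentic requests,
    // otherwise an attacker could burn nonces without knowing the key.
    const expected = signRequest(key, buildSigningPayload(method, path, ts, nonce, bodyHash));
    if (!safeEqualHex(expected, signature)) throw new HmacAuthError("BAD_SIGNATURE");
    if (!safeEqualHex(hashBody(body), bodyHash)) throw new HmacAuthError("BAD_BODY_HASH");

    for (const [k, expiry] of this.seenNonces) if (expiry <= nowMs) this.seenNonces.delete(k);
    const nonceKey = `${clientId}:${nonce}`;
    if (this.seenNonces.has(nonceKey)) throw new HmacAuthError("REPLAYED_NONCE");
    this.seenNonces.set(nonceKey, nowMs + this.skewMs);
    return { clientId };
  }
}

// Returns the typed error code, or "OK" when verification succeeds.
export function verifyOutcome(v: Verifier, ...args: Parameters<Verifier["verify"]>): string {
  try {
    v.verify(...args);
    return "OK";
  } catch (e) {
    if (e instanceof HmacAuthError) return e.code;
    throw e;
  }
}
```

The ordering inside verify is the part worth copying: cheap structural checks first, then the HMAC, and only then any write to the nonce store, so that an unauthenticated caller can never consume a nonce or fill the store.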

Rotation + revert

Every setSecret / setSecretHash / regenerateSecret call that actually changes the stored hash writes a TTL-bounded backup of the previous hash. clients.revert(clientId) restores that backup if called within dbSeedBackupTtlSeconds (default 10 minutes); once the window has expired, revert is a no-op.
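The semantics above (backup only on an actual change, single-step revert inside the TTL window, no-op outside it) are easy to get subtly wrong in a port, so here is an added in-memory model of them. It is example code for this page, not the library's RedisCredentialStore: the Redis TTL is replaced by an injectable clock and an expiry timestamp, the hashClientSecret placeholder is plain SHA-256 (an assumption; acceptable only because the secret is a high-entropy random value, not a user password), and clearing the backup after a successful revert is also an assumption.

```typescript
import { createHash, randomBytes } from "node:crypto";

export type CredentialRecord = {
  secretHash: string;
  backupHash?: string;      // previous hash, present only after a change
  backupExpiresAt?: number; // ms epoch; stands in for the Redis key TTL
};

// Placeholder for the library's hashClientSecret: unkeyed SHA-256 hex (assumption of this example).
export function hashClientSecret(secret: string): string {
  return createHash("sha256").update(secret, "utf8").digest("hex");
}

export class CredentialStore {
  private readonly records = new Map<string, CredentialRecord>();
  private readonly backupTtlMs: number;
  private readonly now: () => number;

  constructor(opts: { backupTtlSeconds?: number; now?: () => number } = {}) {
    this.backupTtlMs = (opts.backupTtlSeconds ?? 600) * 1000; // 10 min default, as on the page
    this.now = opts.now ?? Date.now;
  }

  // Provision a credential; the plaintext secret is returned once and only its hash is kept.
  create(clientId: string): { clientId: string; secret: string } {
    if (this.records.has(clientId)) throw new Error(`client ${clientId} already exists`);
    const secret = randomBytes(32).toString("hex");
    this.records.set(clientId, { secretHash: hashClientSecret(secret) });
    return { clientId, secret };
  }

  get(clientId: string): CredentialRecord | undefined {
    const rec = this.records.get(clientId);
    return rec ? { ...rec } : undefined;
  }

  // Returns true when the stored hash changed (and a backup was written), false when it was already equal.
  setSecretHash(clientId: string, newHash: string): boolean {
    const rec = this.records.get(clientId);
    if (!rec) throw new Error(`unknown client ${clientId}`);
    if (rec.secretHash === newHash) return false; // unchanged: no backup, existing backup untouched
    rec.backupHash = rec.secretHash;
    rec.backupExpiresAt = this.now() + this.backupTtlMs;
    rec.secretHash = newHash;
    return true;
  }

  setSecret(clientId: string, secret: string): boolean {
    return this.setSecretHash(clientId, hashClientSecret(secret));
  }

  regenerateSecret(clientId: string): string {
    const secret = randomBytes(32).toString("hex");
    this.setSecretHash(clientId, hashClientSecret(secret));
    return secret;
  }

  // Restores the backed-up hash if one exists and its TTL has not elapsed; otherwise a no-op.
  revert(clientId: string): boolean {
    const rec = this.records.get(clientId);
    if (!rec || rec.backupHash === undefined || rec.backupExpiresAt === undefined) return false;
    const expired = this.now() >= rec.backupExpiresAt;
    if (!expired) rec.secretHash = rec.backupHash;
    delete rec.backupHash; // Redis would have expired the key; either way the backup is consumed
    delete rec.backupExpiresAt;
    return !expired;
  }
}
```

Note that a second rotation inside the window overwrites the backup with the intermediate hash, so revert only ever goes back one step; a caller that rotates twice and wants the original secret back needs to keep it itself.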

Wire specification

docs/wire-contract.md is the normative spec for cross-language ports (Python, Go, Rust, ...). The HMAC wire is byte-identical to the auth surface of @naskot/node-hmac-auth 1.0.x through 1.4.0: same signing payload, same headers, same Redis record JSON, same constant-time comparison.

Test vectors live in test/vectors/.

POC

End-to-end demonstration of the lib alone (no propagation) in poc/:

cd poc && docker compose up --build

The source service creates client_demo, pushes its secretHash to the target via a signed admin call, runs business calls, rotates the secret, verifies that the old secret is rejected, reverts, and verifies that the original secret is accepted again. Exit code 0 when the five steps succeed.

Compatibility

| @naskot/node-hmac-auth-core | @naskot/node-hmac-auth-core-propagation |
| ----------------------------- | ----------------------------------------- |
| 1.0.0 | 1.0.0 |

Background

This package is the stripped-down fork of @naskot/node-hmac-auth 1.4.0.

Upstream had grown a credential-propagation layer on top of the auth primitives (internal management HTTP route, bootstrap-window lock, federation defaults, a propagation-only purpose restriction, propagate-to-targets orchestration). That layer was helpful in a homogeneous federation, but it conflated two distinct responsibilities and made the auth lib opinionated about how credentials flow between peers.

This fork strips the lib back to the auth primitives. Same wire, same Redis layout, same test vectors. The propagation layer is now an independent companion package, @naskot/node-hmac-auth-core-propagation, that consumes this lib as a peer dep and adds RabbitMQ-backed orchestration on top.

If you used @naskot/node-hmac-auth 1.x without the propagation features, the migration is renaming the import. See docs/release-notes/1.0.0.md for the full mapping of removed options / methods / types.

Upstream @naskot/node-hmac-auth is now deprecated.

License

MIT, see LICENSE.