perf: replace jsonwebtoken with jose

Open andershermansen opened this issue 1 year ago • 6 comments

The jose package has 0 dependencies and is tree shakable ESM. So we get lower bundle size and get rid of 10 dependencies.

andershermansen avatar Sep 14 '24 14:09 andershermansen

@AlessioGr On the quest for lower bundle size this will reduce payload bundle size from 4,008 KB to 3,824 KB (4.6% reduction).

In addition there are some security concerns with the lodash packages included in jsonwebtoken. Ref the comment here: https://github.com/auth0/node-jsonwebtoken/pull/933#issuecomment-1911240570

All in all jose seems more modern, updated and is ESM. I have used it successfully in other projects instead of jsonwebtoken.

I have also checked that the generated token with my change is same as before using the debugger on https://jwt.io/

andershermansen avatar Sep 14 '24 14:09 andershermansen

Hey @andershermansen good PR! We will review shortly. I think we will be able to merge it.

THANK YOU!!!

jmikrut avatar Sep 15 '24 01:09 jmikrut

@jmikrut @AlessioGr Any concerns about the change? Or just still waiting for code review?

andershermansen avatar Sep 30 '24 20:09 andershermansen

No concerns atm, just need to find time to review

AlessioGr avatar Sep 30 '24 20:09 AlessioGr

I reviewed this PR. Code wise it all seems fine.

I don't see a lot of difference between the two packages though: https://bundlephobia.com/package/[email protected] https://bundlephobia.com/package/[email protected].

DanRibbens avatar Oct 10 '24 19:10 DanRibbens

@DanRibbens The payload package will still be reduced by 4,6% if this is included if my calculations are correct.

I have calculated it like this: After pnpm install and pnpm of this commit (10032b5): npx esbuild --platform=node --bundle src/index.ts --outfile=out_jose.js --analyze > log_jose.txt 2>&1

and the last commit before it (6d1a287dd): npx esbuild --platform=node --bundle src/index.ts --outfile=out_jsonwebtoken.js --analyze > log_jsonwebtoken.txt 2>&1

File sizes:

$ du -k out_j*
1928	out_jose.js
2020	out_jsonwebtoken.js

That is a 92kB reduction in size. (92 / 2020 = 4,6%) I'm not sure if this way of calculating the size is relevant with how you build and distribute payload?

Jose is fully ESM and tree shakable while jsonwebtoken is not.

You also get rid of 10 dependencies, some of which are discouraged and will not be updated by lodash in newer versions. See https://lodash.com/per-method-packages

andershermansen avatar Oct 11 '24 14:10 andershermansen

🚀 This is included in version v3.0.0-beta.117

github-actions[bot] avatar Oct 22 '24 13:10 github-actions[bot]

Can we get the jwtSign method exported for library use?

For context I am using a custom passkeys authentication and I would prefer not to duplicate internal payload code since it might break in between updates.

emonadeo avatar Oct 23 '24 14:10 emonadeo

I would also love to see jwtSign exported, or better yet, payload Local API to support an operation for verifyToken()

robertmalicke avatar Nov 24 '24 01:11 robertmalicke