1
1
Fork
You've already forked hwt
0
A dead simple, Secure by design alternative to JSON Web Token (JWT)
  • Go 100%
Find a file
Yonle 5d8548f161 Say hi to HWT
Signed-off-by: Yonle <yonle@lecturify.net>
2025年05月26日 11:30:59 +07:00
go.mod Say hi to HWT 2025年05月26日 11:30:59 +07:00
hwt.go Say hi to HWT 2025年05月26日 11:30:59 +07:00
hwt_test.go Say hi to HWT 2025年05月26日 11:30:59 +07:00
LICENSE Say hi to HWT 2025年05月26日 11:30:59 +07:00
misc.go Say hi to HWT 2025年05月26日 11:30:59 +07:00
README.md Say hi to HWT 2025年05月26日 11:30:59 +07:00

HWT (Hewo Web Token)

Go Reference

A dead simple, Secure by design alternative to JSON Web Token (JWT)

import("crypto/rand""fmt""codeberg.org/Yonle/hwt")funcmain(){varpayload[]byte// could be anything. stringified json, or whatever, you name it.// for this example, let's say our payload is just "OMG HI"payload=[]byte("OMG HI")salt:=make([]byte,32)// random bytes for salting. you may store this safely to be then reused later._,err:=rand.Read(salt)// feed random bytes to salt.iferr!=nil{panic(err)}token:=hwt.Sign(payload,salt)fmt.Println("Token:",token)// Output:// Token: abcdefg12345.abcdefg12345// now let's verifypayload,ok:=hwt.Check(token,salt)if!ok{// it's not valid.panic("Token not valid!")}// now read the payloadfmt.Println("Payload:",string(payload))// Output:// Payload: OMG HI}

Why?

  • JWT took 5 layers of encoding (Base64 ×ばつ3 + JSON ×ばつ3) for something that should be one hash and a concatenation.
  • The header on JWT token is often redundant in many usecases.

What HWT do?

  • The format: <payload>.<sig>. That's it.
  • It just hash a bytes of <payload> with HMAC+SHA256 (+ salt)
  • Then encode the <payload> and <sig> into base64 string, Resulting <base64encoded_payload>.<base64encoded_hash>

That's it for the process of token making.

For checking process:

  • It split the token into 2 parts
  • It decode the base64 as a bytes for both <payload> and <sig>
  • It tries to hash a bytes of <payload> with our salt, Then compares it with <sig>. If it's the same, That's us! Now read the <payload>. If it's not, It's invalid, and we shouldn't read the payload (unless you wanna see the data out of curiosity)

That's it for the process of validating. Additional ones like expiry or whatever it is? Validate that yourself.

Where should i put the token on?

It's recommended to store the token as a cookie. When sending cookie containing token to the client, Send Set-Cookie with Secure, HttpOnly, and SameSite flags.

Set-Cookie: hwt_token=<token>; HttpOnly; Secure; SameSite=Strict; Path=/