How to improve JWT performance in Node.js


Each operation, even the smallest one, counts towards the performance and availability of a service. High performance and availability must be maintained without compromising the security of the system. By Paolo Insogna @nearform.com.

Keep reading to discover how the team improved the performance of JSON Web Tokens (JWT), one of the most common authentication systems, in Node.js. They created a new plugin, fast-jwt, to demonstrate and measure the Node.js performance improvements. Using flamegraphs, they compared fast-jwt on a sample Fastify server with the existing jsonwebtoken implementation. This blog post also outlines the architecture of fast-jwt, which includes caching and asynchronous support.

The article is split into:

  • What is a JWT?
  • Node.js implementation
  • Performance of jsonwebtoken
  • fast-jwt architecture
  • Asynchronous support
  • Caching
  • Worker threads evaluation
  • Performance comparison between jsonwebtoken and fast-jwt

The purpose of fast-jwt is to improve on jsonwebtoken's performance while keeping the same features and a similar API. To do this, the authors established the following architecture principles:

  • Minimise the number of external dependencies: except for the cache layer and a couple of small cryptographic utilities, fast-jwt has no external dependencies. This ensures the code is easily maintained and data flow can be followed.
  • Use the factory pattern and a single, up-front options verification: fast-jwt uses the factory pattern to create the signer, decoder and verifier functions. This ensures that all options (with the exception of the key, which might be fetched at execution time, depending on the options passed) are validated only once and only during the startup phase.
  • Small public API: the public fast-jwt API consists of three factory functions (one for each operation) with a specific set of options.
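
The factory principle above, as an added sketch that is not fast-jwt's code or API: `validateOptions`, `createHs256Signer` and `createHs256Verifier` are hypothetical names, built only on Node's `node:crypto`. Options are checked once when the factory runs, and the returned verifier keeps the algorithm pinned so the token header cannot choose it.

```javascript
// Added example: hypothetical helper names, not fast-jwt's own API or code.
const { createHmac, timingSafeEqual } = require('node:crypto');

const b64url = (value) => Buffer.from(JSON.stringify(value)).toString('base64url');
const mac = (key, input) => createHmac('sha256', key).update(input).digest('base64url');

// Runs once per factory call, so a bad configuration fails at startup
// instead of on the first request that happens to hit it.
function validateOptions({ key, clockTolerance = 0 } = {}) {
  if (typeof key !== 'string' && !Buffer.isBuffer(key)) throw new TypeError('key must be a string or Buffer');
  const keyBytes = Buffer.from(key);
  if (keyBytes.length < 32) throw new RangeError('HS256 key must be at least 32 bytes'); // RFC 7518, section 3.2
  if (!Number.isInteger(clockTolerance) || clockTolerance < 0) throw new RangeError('clockTolerance must be a non-negative integer');
  return { key: keyBytes, clockTolerance };
}

function createHs256Signer(options) {
  const { key } = validateOptions(options);
  const header = b64url({ alg: 'HS256', typ: 'JWT' }); // encoded once, reused for every token
  return (payload) => {
    const input = `${header}.${b64url(payload)}`;
    return `${input}.${mac(key, input)}`;
  };
}

function createHs256Verifier(options) {
  const { key, clockTolerance } = validateOptions(options);
  return (token, now = Math.floor(Date.now() / 1000)) => {
    const parts = String(token).split('.');
    if (parts.length !== 3) throw new Error('malformed token');
    const [h, p, signature] = parts;
    let header, payload;
    try {
      header = JSON.parse(Buffer.from(h, 'base64url').toString());
      payload = JSON.parse(Buffer.from(p, 'base64url').toString());
    } catch { throw new Error('malformed token'); }
    if (!header || !payload || typeof payload !== 'object') throw new Error('malformed token');
    // The algorithm is pinned by the factory; the token header cannot select "none" or another one.
    if (header.alg !== 'HS256') throw new Error('algorithm not allowed');
    const expected = Buffer.from(mac(key, `${h}.${p}`));
    const given = Buffer.from(signature);
    if (given.length !== expected.length || !timingSafeEqual(given, expected)) throw new Error('invalid signature');
    if (typeof payload.exp === 'number' && now > payload.exp + clockTolerance) throw new Error('token expired');
    return payload;
  };
}
```

Create the signer and verifier once at process start and reuse the returned functions per request; the optional `now` argument exists only so expiry can be checked deterministically.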

Plenty of code examples thoroughly explained. Excellent job!
