{"id":43388334,"url":"https://github.com/cyphrme/cozejs","last_synced_at":"2026-02-02T12:02:17.906Z","repository":{"id":38792777,"uuid":"484508137","full_name":"Cyphrme/CozeJS","owner":"Cyphrme","description":"Coze Javascript - cryptographic JSON messaging specification","archived":false,"fork":false,"pushed_at":"2025-11-14T22:44:53.000Z","size":767,"stargazers_count":5,"open_issues_count":4,"forks_count":0,"subscribers_count":3,"default_branch":"master","last_synced_at":"2026-01-15T17:00:38.878Z","etag":null,"topics":["auth","authentication","coze","cryptography","cyphrme","json","jwt","login"],"latest_commit_sha":null,"homepage":"https://cyphr.me/coze","language":"JavaScript","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"bsd-3-clause","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/Cyphrme.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE.md","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":null,"maintainers":null,"copyright":null,"agents":null,"dco":null,"cla":null}},"created_at":"2022-04-22T16:53:04.000Z","updated_at":"2025-11-14T22:44:57.000Z","dependencies_parsed_at":"2023-02-10T12:01:26.999Z","dependency_job_id":null,"html_url":"https://github.com/Cyphrme/CozeJS","commit_stats":null,"previous_names":["cyphrme/coze_js","cyphrme/cozejs"],"tags_count":2,"template":false,"template_full_name":null,"purl":"pkg:github/Cyphrme/CozeJS","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Cyphrme%2FCozeJS","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Cyphrme%2FCozeJS/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Cyphrme%2FCozeJS/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Cyphrme%2FCozeJS/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/Cyphrme","download_url":"https://codeload.github.com/Cyphrme/CozeJS/tar.gz/refs/heads/master","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Cyphrme%2FCozeJS/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":29012200,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-02-02T10:37:29.253Z","status":"ssl_error","status_checked_at":"2026-02-02T10:37:28.644Z","response_time":58,"last_error":"SSL_read: unexpected eof while reading","robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":false,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["auth","authentication","coze","cryptography","cyphrme","json","jwt","login"],"created_at":"2026-02-02T12:02:16.891Z","updated_at":"2026-02-02T12:02:17.897Z","avatar_url":"https://github.com/Cyphrme.png","language":"JavaScript","funding_links":[],"categories":[],"sub_categories":[],"readme":"![Coze](verifier/coze_logo_zami_white_450x273.png)\n\nFor Coze, please see the README in the [Main Coze Project.](https://github.com/Cyphrme/Coze)\n\nFor your project use `coze.min.js`.\n\n\n# Developing Coze JS\n## How to Build\n##### Install esbuild\n\nIf using Go, esbuild can be installed with the following.\n\n```\ngo install github.com/evanw/esbuild/cmd/esbuild@v0.15.8\n```\n\n[Alternatively, see esbuild's installation instructions.][1]\nAlso, [Coze JS npm](https://www.npmjs.com/package/coze).  \n\n##### Create the Coze distribution file. \n\n(See [join.js](join.js) for more instructions.)\n```\nesbuild join.js --bundle --format=esm --minify --outfile=coze.min.js\ncp coze.min.js verifier/coze.min.js\n```\n\n## Simple Coze Verifier\nThe simple verifier is self-contained in `/verifier`.\n\n- [Cyphr.me   hosted Power  Coze Verifier](https://cyphr.me/coze)\n- [Cyphr.me   hosted Simple Coze Verifier](https://cyphr.me/coze_verifier_simple/coze.html)\n- [Github.com hosted Simple Coze Verifier](https://cyphrme.github.io/CozeJS/verifier/coze.html)\n\nTo run the simple verifier locally, especially useful for local development, use\nthe Go server.  \n\n```sh\ncd verifier\ngo run server.go\n```\n\nAnd then go to https://localhost:8082/coze.html in your browser. \n\n\n## Testing\nCoze uses \u003ca href=\"https://github.com/Cyphrme/BrowserTestJS\"\u003eBrowserTestJS\u003c/a\u003e\nfor running unit tests in the browser. The test can run as a [Github\npage.](https://cyphrme.github.io/CozeJS/verifier/browsertest/browsertest.html)\n\nFor local development, use the Go server. \n\n```sh\ncd verifier/browsertest\ngo run server.go\n```\n\nThen go to `https://localhost:8082`.\n\n\n# Coze Javascript Gotchas\n- ⚠️ **Constant Time** ⚠️- Javascript is not constant time.  Until there's something available\n\twith constant time guarantees, like [constant time\n\tWASM](https://cseweb.ucsd.edu/~dstefan/pubs/renner:2018:ct-wasm.pdf), this\n\tlibrary will be vulnerable to timing attacks as this problem is inherent to Javascript.\n\n- ⚠️ **Duplicates** ⚠️- Duplicate detection is unavailable for Javascript objects\n\tas Javascript objects always have unique fields with last-value-wins. (This of\n\tcourse does not apply to strings or any serialized UTF-8 form). .  The\n\tsolution Coze JS uses is that String/UTF-8/serialized form must be checked for\n\tduplicates by calling function `CheckDuplicate`.  This is slow and\n\tunfortunate, but for security reasons required as different versions of\n\tJavascript have different behaviors.\n\t\n\tIn ES5, duplicates should fail in strict mode, which is the correct behavior\n\tfor a JSON parser.  ES6 experienced regression, and objects in ES6\n\tterrifyingly permit duplicate fields with last-value-wins.  \n\tThis is the wrong design decision for a plethora of reasons and the correct\n\tbehavior is error-on-duplicate, but there's nothing we can do about that on\n\tour side without implementing our own primitives.  \tAs currently designed, no\n\tJSON parsing is done within of Coze JS, and so Coze JS inherits the\n\tlast-value-wins behaviour from Javascript, thus the Coze JS provided function\n\t`CheckDuplicate` must be called for correct behavior.  See notes on\n\t`test_Duplicate`.\n\t\n\tSee also https://github.com/json5/json5-spec/issues/38#issuecomment-1224158640\n and https://262.ecma-international.org/5.1/#sec-C \u003e It is a SyntaxError if\n\tstrict mode code contains an ObjectLiteral with more \u003e than one definition of\n\tany data property (11.1.5).\n\n\n- **ES224 is not supported**.  Even though [FIPS\n\t186](https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.186-4.pdf) defines\n\tcurves P-224, the [W3C recommendation omits\n\tit](https://www.w3.org/TR/WebCryptoAPI/#dfn-EcKeyGenParams) and thus is not\n\timplemented in Javascript.  The Javascript version of Coze will probably only\n\tsupport ES256, ES384, and ES512.  \n\n- The W3C Web Cryptography API recommendation also omits Ed25519, so an external\n\tpackage that implements the Ed25519 primitive is used.  The upcoming update\n\t[FIPS 186-5 section 7.8](https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.186-5-draft.pdf)\n\tspecifies Ed25519 support. Hopefully this will motivate Javascript to include\n\tEd25519.  Also, [Paul has implemented Ed25519ph](\n\thttps://github.com/paulmillr/noble-ed25519/issues/63).\n\n- TODO use Paul's curves library.  Currently ESM builds are \"broken\", and we'll\n  wait for it to be polished.  (The imports are using Typescript `@` imports and\n  not resolving to ESM files.)\n\n\tAlso, we'll preserve the current style somewhere so that we have a\n\tSubtleCrypto backend that can be used.  \n \n- Javascript's `SubtleCrypto.sign(algorithm, key, data)` always hashes a message\n\tbefore signing while Go's ECDSA expects a digest to sign. This means that in\n\tJavascript messages must be passed for signing, while in Go only a digest is\n\tneeded.\n\n\n\n\n----------------------------------------------------------------------\n# Attribution, Trademark Notice, and License\nCoze and CozeJS are released under The 3-Clause BSD License. \n\n\"Cyphr.me\" is a trademark of Cypherpunk, LLC. The Cyphr.me logo is all rights\nreserved Cypherpunk, LLC and may not be used without permission.\n\nCoze is an open source project.  Use at your own risk.\n\n\n[1]:https://esbuild.github.io/getting-started/#build-from-source","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fcyphrme%2Fcozejs","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fcyphrme%2Fcozejs","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fcyphrme%2Fcozejs/lists"}