express-simple-jwt-auth v0.1.7
express-simple-jwt-auth
WORK IN PROGRESS, NOT FULLY TESTED, DO NOT USE.
Automates validation and decoding of JWT tokens, incorporation of the decoded JWT into req.user
as an object, and the addition of role based security in an opinionated database, and an /auth
route to validate the JWT and decode it for the client, and a role based security method for end points.
The authenticator is intended to be used with the jwt-simple-login component.
New Notes
Uses password-validator
so configuration for that works for passwords
Ensure your custom methods return the not a mongoose object but a json object... use .toJSON()
on the result you return.
Authentication requires objects which contain:
{
...
email: '...',
salt: '...',
password: '...'
}
Login and create endpoint requires fields: username
and password
along with any other fields.
Create returns { body, saltHash: { salt: '...', hash: '...' } }
Login returns { body }
Installation
npm i -S jwt-simple-auth
Requirements
Your Mongo database model must include the following:
{
"email": String, // For matching with what's in the '.mail' within the jwt.
"roles": [ String ], // Array of strings of Role names
"locations": [ // Array of location objects user is associated with (below)
{
"city": String,
"state": String
}
] //
}
Usage
Within the app.js file on your node application, require in the component.
Somewhere you must define the jwtSecret to validate your Authorization token. Do not store this in your source code as in the example below Use docker-secreto
or some other secret management method.
NOTE: If you are using app.use(cors())
you will need to include the route after you add the cors module in.
This module uses express-jwt
to manage unless operations
app.js
const { authenticator, authRoute } = require('sso-api-authenticator')
...
const jwtSecret = 'my-secret-password', // Do NOT do this!
mongoOptions = {
uri: 'mongodb://someserver.com:27017/db',
options: {
...
}
},
expressJwtOptions = {}
...
// AFTER database connection and mongoose model are defined...
app.use(authenticator(jwtSecret, mongoOptions, expressJwtOptions, {
path: [
'/users',
'/login',
/\/login\/.*/
]
}))
app.use('/auth', authRoute)
After including the above code in your server setup you will gain access to a new object, req.user
. This contains all data within the JWT, unencoded as well as relevant roles and locations.
Now, securing a route by role is as simple as adding either req.user.allow()
or req.user.deny()
route/users.js
...
router.get('/allow', (req, res, next) => {
req.user.allow(['Developer'], () => {
return res.send('The user is a Developer')
})
.otherwise(() => {
res.send('The user does not have the Developer role.')
})
})
router.get('/deny', (req, res, next) => {
req.user.deny(['Developer'], () => {
return res.send('The user does not have the Developer role, so is allowed access.')
})
.otherwise(() => {
res.send('The user is a Developer. None Shall Pass!')
})
})
...
Parameters
middleware(jwtSecret, MongooseModelForPermissions, expressJwtOptions, unlessObject)
Param | Required | Definition |
---|---|---|
jwtSecret | Y | The secret to use for validating your JWT token |
mongoOptions | Y | The database connection object: { uri: 'mongodb://server.com:2017, options: { ... } }. |
expressJwtOptions | N | A passthrough to give access to the express-jwt options. Defaults to {} |
unlessObject | N | An object which is placed into the express-jwt.unless() method. This defines which end points not to protect with JWT security ... like /login |
See express-jwt documentation for details on the expressJwtOptions and unless object settings