express-tokenware v0.4.2
express-tokenware
Simple token-based authentication middleware for express.
NOTE: this is a pre-production version, and the module interfaces and functionality are not stable yet.
var tokenware = require('express-tokenware')('mySecretKey');
var app = tokenware(express);
app.get('/authenticate',
someAuthenticationMiddleware,
somePayloadCreationMiddleware
);
app.get('/myProtectedPath',
function (req, res, next) {
// success, do something with req.decodedBearerToken here
});
app.listen(3000);1. Installation
$ npm install express-tokenware2. Testing
All express-tokenware behaviours have been tested using jasmine.
$ npm test3. Features / high-level behaviours
- Uses JSON Web Tokens (JWT)
- Flexible data structure - store whatever you like in the token
- Provides tokens on sign-in/authentication
- Extracts bearer tokens from request header
- Checks tokens on incoming requests
- Handles anonymous requests
- Rejects expired tokens
- Allows custom error handling
- Checks revoked tokens
4. Philosophy
- behaviour driven-development
- do the work for the user, such as sandwiching the stack with one function
- unopinionated, provide an interface that can be used with any architecture or database
5. Documentation
Where not specified, variables are defined as per auth0/node-jsonwebtoken documentation.
5.1 Configuration
Include express-tokenware in your project by calling:
var tokenware = require('express-tokenware')(secretOrPrivateKey, [options, isRevokedToken]);options refers to configuration parameters that govern both signing and verification of bearer tokens. It must be an object literal that may include any or all of the following 7 parameters:
algorithmexpiresInaudienceissuerallowAnonymousset this totrueto allow anonymous requests (default:false)handleErrorsset this tofalseto use a custom error-handling middleware (default:true)
isRevokedToken is a callback which can accept a token string and return true if the token has been revoked or false if the token has not been revoked.
5.2 Initialization
Attach tokenware to your application. This will allow bearer tokens to be received, verify any bearer tokens found on incoming requests, and send signed tokens on responses with token payloads.
var app = tokenware(express);express is injected as a dependency into tokenware. This ensures that tokenware is both the first and last middleware to execute, which allows it to be used for both authenticating users and authorizing requests.
5.3 Sign-in/authentication
Once your application has authenticated a user and created a payload for the bearer token, create a payload object at res.locals.bearerTokenPayload and call next() in your last route middleware. tokenware will send the signed token to the user as a JSON object {"signedBearerToken": <token>}, along with an OK HTTP header status of 200.
This example is a simple implementation of sign-in/authentication:
app.get('/authenticate',
someAuthenticationMiddleware,
somePayloadCreationMiddleware // this **must** call `next()` to send a signed token
);5.4 Extracting signed bearer tokens from incoming requests
express-tokenware looks for tokens in the authorization header in the form of 'Bearer <token>' (case-sensitive). Set the response headers appropriately to allow cross-origin resource sharing (CORS).
5.5 Verifying signed bearer tokens
express-tokenware automatically verifies any bearer token found in an incoming request. This guarantees that the token has a valid signature. An alternate approach of verifying against tokens stored in a database is not supported by this module, as the stored tokens may be tampered with by an attacker.
If tokenware successfully verifies the signed bearer token, it will attach the decoded bearer token to req.decodedBearerToken and call the next middleware function. If it fails to verify the token, it will invoke an error which will be passed to the error-handling middleware in the stack.
This example verifies tokens with the default configuration:
app.get('/myProtectedPath',
function (req, res, next) {
// success, do something with req.decodedBearerToken here
}
);If you would like to allow anonymous requests to your server, set the configuration option allowAnonymous to true. Subsequent middleware can detect anonymous requests by checking req.isAnonymous. This example demonstrates how to differentiate between authorized and anonymous requests:
app.get('/myProtectedPath',
function (req, res, next) {
if (req.isAnonymous) {
// anonymous request
} else {
// not anonymous, do something with req.decodedBearerToken here
}
}
);6. Error handling
express-tokenware comes with a built-in error-handling, however, it may be replaced with a custom middleware. This section provides information on building a custom error-handling middleware.
The error object passed to the middleware will have at least two properties:
namemessage
This table lists the errors sent by express-tokenware:
| Name | Message |
|---|---|
| JsonWebTokenError | (variable, generated by auth0/node-jsonwebtoken) |
| malformedAuthorizationHeader | Authorization header is malformed, should be in the form of: Bearer |
| revokedToken | Request authorization was previously revoked |
| TokenExpiredError | jwt expired (generated by auth0/node-jsonwebtoken) |
If anonymous requests are allowed (through the configuration parameter allowAnonymous) then unauthorized requests are not treated as an error. In this case, an error-handling middleware may not be necessary.
7. Issues and pull requests
Feedback and contribution are highly encouraged! Please report feedback through the Github issue tracker. To submit code, please fork the Github repository and send a pull request.