Jot NPM | npm.io

jot

hapi JSON Web Token (JWT) authentication plugin

The 'jwt' scheme takes the following options:

Option	Type	Required	Description
`secret`	string	Yes	Secret key used to compute the signature
`algorithms`	array		Algorithm(s) allowed to verify tokens. Defaults to `['HS256']`. Valid algorithms: `['HS256', 'HS384', 'HS512', 'RS256', 'RS384', 'RS512', 'ES256', 'ES384', 'ES512', 'none']`
`audience`	string		Verify `aud` claim against this value
`cookie`	string		Cookie name. Defaults to `sid`. Works in tandem with `hapi-auth-cookie`. Must set JWT when the cookie is set. See examples below
`issuer`	string		Verify `iss` claim against this value
`token`	string		Name of the token set in the cookie. Defaults to `token`
`validateFunc`	function		Function to validate the decoded token on every request

Note: Storing the token in a cookie is optional, but recommended. You can always send the token in an Authorization header.

Example:

Or check out the sample app: massive-hapi

/* server.js */


// Register hapi-auth-cookie

server.register(require('hapi-auth-cookie'), (err) => {

    server.auth.strategy('session', 'cookie', {
        cookie: 'cookie-name',
        password: 'TheMinimumLengthOfPasswordsIs32!'
    });
});


// Register jot

server.register(require('jot'), (err) => {

    server.auth.strategy('jwt', 'jwt', {
        secret: 'ADifferentPasswordAlsoAtLeast32!',
        cookie: 'cookie-name'
    });

    server.auth.default({
        strategy: 'jwt',
        scope: ['admin']
    });
});


/* routes.js */


// Login route

server.route({
    method: 'POST',
    path: '/login',
    config: {
        auth: false,
        handler: (request, reply) => {

            // ... validate user credentials, yada yada yada ...

            // Set the token inside of the cookie

            request.cookieAuth.set(Jwt.sign({
                scope: ['admin']
            }, 'ADifferentPasswordAlsoAtLeast32!', {
                expiresIn: 60 * 60 * 2 // 2 hrs, but can be anything
            }));

            reply('ok!');
        }
    }
});


// Resource

server.route({
    method: 'GET',
    path: '/trade-secrets',
    config: {
        handler: (request, reply) => {

            // User is already authorized, time to check out those trade secrets

            reply('secrets!');
        }
    }
});

For more examples, check out the tests.