1.0.1 • Published 8 years ago

jwt_auth v1.0.1

Weekly downloads
13
License
MIT
Repository
bitbucket
Last release
8 years ago

JWT_AUTH 1.0.0

It's an extremely simple middleware for use with express and restify to enable authentication using JSON Web Tokens.

Installation

npm install jwt_auth

Usage

jwt_auth can be used on a per-route basis for those routes that require authenticated access.

It requires you to supply a function that actually authenticates the issuer. jwt_auth will pass your function the issuer that was extracted from the token and an object. This object implements a deferred semantic so that your issuer-checking function can be asynchronous: if the issuer is legit, you may call the object's resolve() function, otherwise, you will call its reject() function.

If the request is legit, jwt_auth will put the token data in the request object so that it can be used by other middleware or your application code.

For example in express:

  var express = require('express'),
      app = express(),
      jwtAuth = require('jwt_auth'),
      secret = 'secret-used-to-sign-and-verify-jwt-hashes';

  var check_user_from_database = function(id, deferred)
  {
    //find user by id in the database asynchronously
    db.findById(id, function(err, data){
      if(!data)
        //user not found! do not authenticate request!
        deferred.reject();
      else
        //whohoo!!
        deferred.resolve();
    });
  }

  //---- routes ----

  //anybody can access this route
  app.get('/', function(req, res){
    // do something here..
  });

  //only requests with a jwt token in the headers and that
  //are authenticated can access this resource
  app.get('/top_secret', jwtAuth(check_user_from_database, secret), function(req, res){
    // this is how you retrieve the authenticated issuer
    var user_id = req.jwtauth.iss;
    // list all the documents about the alien invasion....
  });

Configuration

jwt_auth needs four pieces of information:

  1. the issuer-checking function - required!
  2. the secret to use for signing and verifying the tokens - required!
  3. the name of the header where the token is to be found - optional, it defaults to x-access-token
  4. an optional boolean indicating whether or not to perform a token expiration check. If not specified, jwt_auth default is to not perform the expiry check.
jwtauthenticationcryptographysecuritymiddlewareexpressrestify
momentjwt-simple
1.0.1

8 years ago

1.0.0

10 years ago

0.0.2

10 years ago

0.0.1

10 years ago