Sails-api-jwt NPM

JSON Web Token authorization API

Based on Sails.js

An example implementation of JWT-based API for user registration and authorization.

It supports: 1. User register; 2. User login; 3. Token generation and validation; 4. Password reset (with a reset token); 5. Password change (with JWT credentials); 6. Account locking.

Things to do: 1. Optional email notifications (based on environment); 2. Keep reset token encrypted and with a validity date; 3. Unlock after some freeze period; 4. Registration confirmation (with a confirm token).

Start

npm run start

or, if you have Sails globally:

sails lift

For security reasons, please change JWT_SECRET in api/config/env/development.js.

JWT Token

Token-free endpoints:

/user/create
/user/login
/user/forgot
/user/reset_password

Token-required endpoints:

/user
/change_password

To pass a JWT token use Authorization header:

Authorization: Bearer <JWT Token>

API methods description

For some reasons I do not use REST. Shortcuts also disabled by default (see api/config/blueprints.js).

`/user/create`

Creates a new user. Requirements for the password: length is 6-24, use letters and digits.

request

{
  "email": "email@example.com",
  "password": "abc123",
  "password_confirm": "abc123"
}

response

{
  "token": "<JWT Token>"
}

`/user/login`

request

{
  "email": "email@example.com",
  "password": "abc123"
}

response

{
  "token": "<JWT Token>"
}

N.B. Account will be blocked after 5 fails in 2 mins (configurable in api/services/UserManager.js).

`/user/change_password`

Changes user password. User should be authorized.

request

{
  "email": "email@example.com",
  "password": "abc123", 
  "new_password": "xyz321",
  "new_password_confirm": "xyz321"
}

response

{
  "token": "<JWT Token>"
}

N.B. All old tokens will be invalid after changing password.

`/user/forgot`

Initiates procedure of password recovery.

request

{
  "email": "email@example.com"
}

response

{
  "message": "Check your email"
}

`/user/reset_password`

Reset password to a new one with a reset token. Reset token sends to a user after /user/forgot.

request

{
  "email": "email@example.com",
  "reset_token": "<Password Reset Token>",
  "new_password": "xyz321",
  "new_password_confirm": "xyz321"
}

response

{
  "message": "Done"
}

HTTP codes

All endpoints uses HTTP status codes to notify about execution results

200 ok, reqeust executed successfully;
201 created, new user created successfully;
400 bad requests, usually means wrong params;
403 forbidden, for locked accounts;
500 server error, something went wrong.

Tests

The project uses Travis-CI and Coveralls integration and has some tests. Run it via:

npm run test

Inspired by

This project is based on this repo: https://github.com/swelham/sails-jwt-example (unlicensed).
I refactored and improved it for myself.

License

It is MIT.

Sails Sails.js JWT JSON Web Token authorization API

bcrypt farmhash include-all jsonwebtoken mailgun-js moment password-validator rc sails sails-disk shortid validator

@infinitebrahmanuniverse/nolb-sails @everything-registry/sub-chunk-2701

8 years ago

8 years ago

8 years ago

8 years ago