npm package discovery and stats viewer.

Discover Tips

  • General search

    [free text search, go nuts!]

  • Package details

    pkg:[package-name]

  • User packages

    @[username]

Sponsor

Optimize Toolset

I’ve always been into building performant and accessible sites, but lately I’ve been taking it extremely seriously. So much so that I’ve been building a tool to help me optimize and monitor the sites that I build to make sure that I’m making an attempt to offer the best experience to those who visit them. If you’re into performant, accessible and SEO friendly sites, you might like it too! You can check it out at Optimize Toolset.

About

Hi, 👋, I’m Ryan Hefner  and I built this site for me, and you! The goal of this site was to provide an easy way for me to check the stats on my npm packages, both for prioritizing issues and updates, and to give me a little kick in the pants to keep up on stuff.

As I was building it, I realized that I was actually using the tool to build the tool, and figured I might as well put this out there and hopefully others will find it to be a fast and useful way to search and browse npm packages as I have.

If you’re interested in other things I’m working on, follow me on Twitter or check out the open source projects I’ve been publishing on GitHub.

I am also working on a Twitter bot for this site to tweet the most popular, newest, random packages from npm. Please follow that account now and it will start sending out packages soon–ish.

Open Software & Tools

This site wouldn’t be possible without the immense generosity and tireless efforts from the people who make contributions to the world and share their work via open source initiatives. Thank you 🙏

© 2024 – Pkg Stats / Ryan Hefner

@aegis-auth/jwt

v17.0.0

Published

Angular JWT authentication library

Downloads

98

Readme

jwt

Latest NPM Version

Handles common JWT use-cases, like adding the access token to requests and automatically refreshing it when needed.

It consists of a JwtModule with two configurable Interceptors, and a helper service to access your parsed and typed tokens.

It also provides a way to handle cases where a refresh cannot happen (For example: both token expired) with a redirection (As thats the most common recovery method) or a completely custom function for more advanced use-cases.

Installation

Using npm

npm i @aegis-auth/jwt

Using yarn

yarn add @aegis-auth/jwt

Usage

For an example app visit the jwt-demo application. It's small and simple.

Configuration

The heart of the library is the JwtModule and it's forRoot method which helps you configure it's providers.

Basic usage

For simple usecases, where you only want to have the access token injected into your http headers, you only need to configure the first provider, like so.

The provider definitions in this project are typed! While configuring it you will always have knowledge on what you can configure and how, right there! There is JSDoc hint for each!

This is the simplest possible configuration, where you put your tokens into localstorage. Remember that the library will call this getToken function every time it needs to use the token!

JwtModule.forRoot({
  useValue: {
    getToken: () => localStorage.getItem('accessToken'),
  },
});

I recommend using a BehaviorSubject in a service, so it can stay in memory, it still can be initialized from the localStorage and with a subscription you can always save the changes. (Example)

For this, you would use a factory provider with this service as it's dependency:

JwtModule.forRoot({
  useFactory: (authService: AuthService) => ({
    getToken: authService.accessTokenStorage$,
    domainWhitelist: ['localhost'],
  }),
  deps: [AuthService],
});

Configuring this provider causes an HTTP Interceptor to be activated. It will append the acquired token in a configurable header on every request where it's applicable.

Configuration options
interface JwtConfiguration extends UrlFilter {
  /**
   * A callback or observable that will be called or subscribed to
   * on every http request and returns a value for the header
   *
   * @example getValue: () => localstorage.get('foo')
   * @example getValue: myTokenService.foo$
   */
  getToken:
    | Observable<string | null | undefined>
    | (() =>
        | string
        | null
        | undefined
        | Promise<string | null | undefined>
        | Observable<string | null | undefined>);

  /**
   * The prefix of the token when injecting. Notice thet the trailing
   * whitespace has to be set here
   *
   * @default 'Bearer '
   */
  scheme?: string;

  /**
   * Header name to be set
   *
   * @default 'Authorization'
   */
  header: string;

  /**
   * This callback is called when the request fails and there is no
   * RefreshConfiguration, or when the access token is simply missing.
   * `getToken` returned a nullish value. If the RefreshConfiguration is
   * available, then the error handling continues in the same fashion on
   * the other configuration.
   *
   * Both have the same names and signature for
   * both the error handling configuration options `onFailure` and
   * `onFailureRedirectParameters`, so if you wish to use the same for both
   * implement them outside, and spread them back. You can use the
   * `JwtErrorHandling` interface to help you with the typing. Although
   * thats a bit wider when it comes to the error types.
   *
   * If it's a string, instead of calling it, a redirection will happen,
   * with `onFailureRedirectParameters` as it's queryParams.
   */
  onFailure?: string | ((jwtError: JwtError) => void);

  /**
   * This option is only used when the `onFailure` option is a string
   * so it's handled as a redirect. When this happens, you can define
   * the queryparams to be used with this redirect.
   */
  onFailureRedirectParameters?:
    | ((error: JwtError) => HttpParams | Params)
    | HttpParams
    | Params;
}

These properties are available on the configuration, and are used to control what Urls can or can not recieve the token

interface UrlFilter {
  /**
   * These domains won't recieve this header even if they are listed in the
   * whitelist.
   *
   * If `null` or `undefined`, this category of rules won't take any effect.
   * If empty, it would mean "No domains are blacklisted", and it won't
   * take any effect.
   *
   * @default undefined
   * @example ['localhost:3333']
   * @example [/localhost:[0-9]{4}/]
   */
  domainBlacklist?: (string | RegExp)[];

  /**
   * Only domains listed will be recieving header injections
   *
   * If `null` or `undefined`, this category of rules won't take any effect.
   * If empty, it would mean "No domains are whitelisted", so no paths would
   * recieve tokens!
   *
   * @default undefined
   * @example ['localhost:3333']
   * @example [/localhost:[0-9]{4}/]
   */
  domainWhitelist?: (string | RegExp)[];

  /**
   * These paths won't recieve this header even if they are listed in the
   * whitelist.
   *
   * If `null` or `undefined`, this category of rules won't take any effect.
   * If empty, it would mean "No paths are blacklisted", and it won't
   * take any effect.
   *
   * @default undefined
   * @example ['api/v2/users/1']
   * @example [/users\/.+/]
   */
  pathBlacklist?: (string | RegExp)[];

  /**
   * Only paths listed will be recieving this header injection.
   *
   * If `null` or `undefined`, this category of rules won't take any effect.
   * If empty, it would mean "No paths are whitelisted", so no paths would
   * recieve tokens!
   *
   * @default undefined
   * @example ['api/v2/users/1']
   * @example [/users\/.+/]
   */
  pathWhitelist?: (string | RegExp)[];

  /**
   * These protocols won't recieve this header even if they are listed in
   * the whitelist.
   *
   * If `null` or `undefined`, this category of rules won't take any effect.
   * If empty, it would mean "No protocols are blacklisted", and it won't
   * take any effect.
   *
   * @default undefined
   * @example ['http']
   * @example [/https?/]
   */
  protocolBlacklist?: (string | RegExp)[];

  /**
   * Only protocols listed will be recieving this header injections.
   *
   * If empty or undefined, this category of rules won't take any effect.
   * If empty, it would mean "No protocols are whitelisted", so no protocols
   * would recieve tokens!
   *
   * @default undefined
   * @example ['http']
   * @example [/https?/]
   */
  protocolWhitelist?: (string | RegExp)[];
}

Refreshing usage

You can optionally configure a second provider. If you do, another HTTP Interceptor will make sure that if an endpoint that needs to recieve an accessToken, and the provided one is expired, it first visits the configured refresh endpoint, optionally refreshes your storage, and retries the originally intended request with the newly acquired, fresh access token.

It can also do the same if the original token wasn't expired, but the server rejected it (For example, the server can have a blacklist mechanic on login). It only retries once, and by default it only does the retry if the error status was 401, Unauthorized.

Refresh configuration options

Because handling refreshes is not standardized instead of asking for the refresh token directly I ask you to provide the request itself, however you like to. In these callbacks you can access your refreshToken wherever you store it.

The reason it's configured through multiple properties instead of a callback where I let you do the refresh request however you see fit is to make sure the refreshUrl is known to avoid potentional infinite requests when hitting the refresh endpoint. This way you don't have to remember setting this into the url filter manually.

export interface JwtRefreshConfiguration<RefreshRequest, RefreshResponse>
  extends UrlFilter,
    HttpErrorFilter {
  /**
   * After a successful refresh, this callback will be called.
   * You need to define a function which will save the the token in a way
   * that if the interceptor calls `getToken` again, it will get the token
   * saved with this method.
   *
   * @example using `localStorage`
   *    setToken: (response) => localStorage.setItem('accessToken', response.accessToken)
   * @example using a service.
   *
   * ```typescript
   * AuthCoreModule.forRoot<TokenStorageService>({
   *    useFactory: (service: TokenStorageService) => ({
   *      getToken: service.accessToken$
   *      autoRefresher: {
   *         endpoint: `${environment.api}/auth/refresh`,
   *         setRefreshToken: (response) => service.accessToken$.next(response.accessToken)
   *       }
   *    }),
   *    deps: [TokenStorageService],
   * })
   * ```
   *
   */
  setRefreshedTokens: (response: JwtRefreshResponse) => void;

  /**
   * The method for the request, usually it's a POST so that's the default
   *
   * @default 'POST'
   */
  method?: HttpMethodType;
  /**
   * The endpoint that will be requested for a new token
   */
  refreshUrl: string;
  /**
   * A callback or observable that can be used to retrieve the body of the
   * request. If it's null or undefined, the refresh won't be executed. This
   * can be utilized to not do a refresh on a logged out state.
   *
   * @example getValue: () => localstorage.get('foo')
   * @example getValue: myTokenService.foo$
   */
  createRefreshRequestBody:
    | Observable<RefreshRequest | null | undefined>
    | (() =>
        | RefreshRequest
        | null
        | undefined
        | Promise<RefreshRequest | null | undefined>
        | Observable<RefreshRequest | null | undefined>);
  /**
   * A callback that should return the defaults on the request
   */
  refreshRequestInitials?:
    | (() => HttpRequestInit | undefined)
    | HttpRequestInit;
  /**
   * This function have to transform the result of your refresh endpoint
   * into a digestable form. It will be called after successful refreshes.
   */
  transformRefreshResponse: (response: RefreshResponse) => JwtRefreshResponse;

  /**
   * This callback is called when a refresh either failed or cannot be done.
   * This marks the point where both tokens are invalid and the user needs to
   * relog. Because this is usually done through a login page, aside from a
   * regular callback, a string can also be supplied which will act as the
   * target of navigation. Check `onFailureRedirectParameters` if you wish
   * to supply query parameters. For more advanced usage, consider
   * implementing it as a custom function, the error object is available
   * there too!
   */
  onFailure?:
    | string
    | ((error: JwtCouldntRefreshError | JwtCannotRefreshError) => void);

  onFailureRedirectParameters?:
    | ((
        error: JwtCouldntRefreshError | JwtCannotRefreshError
      ) => HttpParams | Params)
    | HttpParams
    | Params;

  /**
   * Optional!
   *
   * Not used in the refresh mechanic! See `createRefreshRequestBody` if you
   * need to provide the `refreshToken` in the body when making the refresh
   * request or `refreshRequestInitials` when it's handled in a header!
   *
   * A callback or observable that can be used to retrieve the refresh token
   * Not used in the interceptor! it is only used in the helper service if
   * you with to interact with the parsed refreshToken throught the helper
   * observables. If you do not, you don't have to implement this.
   *
   * @example getValue: () => localstorage.get('foo')
   * @example getValue: myTokenService.foo$
   */
  getRefreshToken?:
    | Observable<string | null | undefined>
    | (() =>
        | string
        | null
        | undefined
        | Promise<string | null | undefined>
        | Observable<string | null | undefined>);

  /**
   * When using the LoginGuard this setting will determine the default
   * value. So instead of disabling the autoRefresh behavior on every
   * route with the data option, or writing your own guard (Which would
   * be really simple) just set this to false. You can still override it
   * using route data.
   *
   * See the LoginGuardData helper interface to see what it can utilize.
   *
   * @default true
   */
  isAutoRefreshAllowedInLoginGuardByDefault?: boolean;
}

All options on the URLFilter are also available here too to further restrict what endpoint can be refreshed.

Additionally, it can filter on the return status of a failed request

export interface HttpErrorFilter {
  /**
   * The error codes on which an act is allowed to happen,
   * an empty array means it can't act on anything
   *
   * @default [401]
   */
  errorCodeWhitelist?: number[];

  /**
   * The error codes on which an act is not allowed to happen,
   * an empty array (and if undefined) means it can always try a single
   * act in case of an error
   *
   * @default undefined
   */
  errorCodeBlacklist?: number[];
}

The helper service

The provided JwtTokenService<Claims> is a service consisting of Observable pipelines all originating from the getToken property in your configuration provided by you.

There are observables to acquire the raw tokens:

  • rawAccessToken$: Observable<string | null | undefined>
  • rawRefreshToken$: Observable<string | null | undefined>

The parsed tokens:

  • accessToken$: Observable<JwtToken<Claims> | null>
  • refreshToken$: Observable<JwtToken<Claims> | null>

Where JwtToken<Claims> is:

class JwtToken<Claims extends {}> {
  header: JwtTokenHeader, // Based on RFC 7519
  payload: JwtTokenPayload & Claims, // Based on RFC 7519
  signature: string,
  isExpired: () => boolean
}

The headers:

  • accessTokenHeader$: Observable<JwtTokenHeader | null>
  • refreshTokenHeader$: Observable<JwtTokenHeader | null>

The payloads:

  • accessTokenHeader$: Observable<(JwtTokenPayload & Claims) | null>
  • refreshTokenHeader$: Observable<(JwtTokenPayload & RefreshClaims) | null>

And if they are expired or not:

  • isAccessTokenExpired$: Observable<boolean>
  • isRefreshTokenExpired$: Observable<boolean>

The payload is used to carry custom claims. These can be defined by you and passed to the service on injection as a generic. Though often not used, the second generic allows to define the extra claims on the refresh token.

export interface MyClaims {
  username: string;
}

export class MyService {
  constructor(private readonly jwtTokenService: JwtTokenService<MyClaims>) {
    this.jwtTokenService.accessToken$.pipe(
      map((token) => token?.payload.username) // Here, `username` is a string
    );
  }
}

Remember, that the helper service has to inject the configuration inside it, so if you would try to inject this service into any of the dependencies of the configurations provider of the JwtModule, you would get a cyclic dependency.

But since this helper servise does not contain any functions, you can't pass any more information to it. That means it can be used independently.

If you do need to use your original dependency and this helper service together I recommend making that original dependency into a simple storage with 2 BehaviorSubjects, and making another service where you can inject both.

In the example application, the AuthService acts both as the storage of the tokens, and some methods on doing login, refresh and logout.

This demo AuthService only has to manage the token storage, the library will always use the latest values.

The LoginGuard

Using the LoginGuard on a route means that the route and all of its children cannot open unless there is a valid accessToken available. Since tokens are only refreshed on-demand it's possible that after an idle time that is longer than the accessTokens lifetime, that on guard activation the token is expired.

For this reason, the guard does a manualRefresh if the token is invalid.

The autorefreshing is controllable with a configuration option on the refresh configuration and per route with route data. See LoginGuardData for what is available.

/**
 * This interface is for your convinience to use with Route data to see what
 * you can configure on the LoginGuard
 */
export interface LoginGuardData {
  /**
   * Explicitly enable or disable auto refreshing on the route.
   */
  isRefreshAllowed: boolean;
}

If you need something more custom, I highly recommend implementing your own guard as LoginGuard itself is also really simple.