
@jfdi/azjwt

v1.1.3

Published

An easy to use JWT verifier/decoder for authorisation in Azure Functions

Downloads

21

Readme

An easy to use JWT verifier/decoder for authorisation in Azure Functions

JWT verification in just 1.5 lines of code

Intro

Consuming an Azure Function-based API, you might want to use an authN/authZ provider like Auth0. In this case the function app will be sent a JWT (JSON Web Token) access token in the Authorization header. Verifying the token can be a right old pain, often involving more code than the actual purpose of the function. That's why this library was born.

Usage

The library exports a single function. You don't call this function from inside your own code, and it does not by itself decode a JWT. Rather, it takes your async function, wraps it in a higher-order function that performs the JWT validation and decoding, and returns that new function for you to export from your module to the function host.

Hence, a function that starts off looking like this before JWT validation:

module.exports = async (context, req) => {
    context.res = { body: "I don't know who the heck called me!" };
};

looks like this after it's been converted to validate JWTs:

const verifyJwt = require("@jfdi/azjwt");

module.exports = verifyJwt(async (context, req) => {
    const { user } = context;
    context.res = { body: user };
});

In other words, the verification wrapper takes care of:

  • verifying the token against the issuer and audience claims
  • responding with a 401 unauthorised if the token isn't valid
  • returning the decoded JWT contents to you as context.user.

Simples.

If you're using Auth0 RBAC, you'll get the user's role permissions in the permissions key of context.user.

Your decoded JWT will look something like this (details changed to protect the innocent):

{
    "iss": "https://tenant.eu.auth0.com/",
    "sub": "iojudnfjodsfjdgkjbndkjgbkjfdgnkj",
    "aud": ["https://api.api.api"],
    "iat": 1618569192,
    "exp": 1618655592,
    "azp": "njoddjnhgjfkjgn",
    "scope": "openid profile email",
    "permissions": ["customers:list", "customer:read", "customer:edit", "customer:delete"]
}

Checking Additional JWT Properties

Sometimes additional properties are encoded into the JWT by the issuer. Auth0 does this, for example, as part of its RBAC (Role-Based Access Control) features for APIs. If a user has roles assigned, they're included in the token in a permissions property. You can specify additional properties to check against criteria in a second object parameter passed to the function. This object can have one of two syntaxes, shortform and longform. Here's the shortform...

module.exports = verifyJwt(
    async (context, req) => {
        const { user } = context;
        context.res = { body: user };
    },
    {
        permissions: ["customer:create"]
    }
);

and here's the more versatile longform, providing for denied roles and all/some matching:

// example values: roles the caller must hold, and roles that must not be present
const permitted = ["customer:read", "customer:edit"];
const denied = ["customer:delete"];

module.exports = verifyJwt(
    async (context, req) => {
        const { user } = context;
        context.res = { body: user };
    },
    {
        permissions: {
            permitted: { roles: permitted, requireAll: true },
            denied: { roles: denied, requireAll: false }
        }
    }
);

These are demonstrated in the included example.
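As an added example that is not part of the README or the library, the following stand-alone JavaScript models the checks listed under Usage (issuer, audience, expiry) together with the shortform and longform permission criteria described above, run against a constructed token payload. The signature check the real wrapper performs with the issuer's public key is left out, and the exact permission semantics (shortform requires every listed permission; requireAll defaults to true for permitted and false for denied) and the 403 for a failed permission check are assumptions, not the library's documented behaviour.

```javascript
// Added example, not the library's own code: a stand-alone model of the checks
// the README says the verifyJwt wrapper performs on a decoded token. Signature
// verification is deliberately omitted; the permission semantics and the 403
// status for a failed permission check are assumptions about the README text.

const SETTINGS = { domain: "https://tenant.eu.auth0.com/", audience: "https://api.api.api" };

// Constructed sample payload, modelled on the README's decoded-token example.
const SAMPLE_USER = {
  iss: "https://tenant.eu.auth0.com/",
  sub: "example-subject",
  aud: ["https://api.api.api"],
  exp: 1618655592,
  permissions: ["customers:list", "customer:read", "customer:edit"],
};

// requireAll=true: every listed role must be present; false: at least one must be.
function hasRoles(have, wanted, requireAll) {
  return requireAll ? wanted.every(r => have.includes(r)) : wanted.some(r => have.includes(r));
}

// Returns { status: 200 } when the token passes, else { status, reason }.
// `now` (seconds since epoch) is injectable so expiry can be tested deterministically.
function authorize(user, settings, criteria, now) {
  criteria = criteria || {};
  now = now === undefined ? Math.floor(Date.now() / 1000) : now;
  if (user.iss !== settings.domain) return { status: 401, reason: "issuer mismatch" };
  const aud = Array.isArray(user.aud) ? user.aud : [user.aud];
  if (!aud.includes(settings.audience)) return { status: 401, reason: "audience mismatch" };
  if (typeof user.exp !== "number" || user.exp <= now) return { status: 401, reason: "token expired" };

  const have = Array.isArray(user.permissions) ? user.permissions : [];
  const spec = criteria.permissions;
  if (Array.isArray(spec)) {
    // shortform: assumed to mean every listed permission is required
    if (!hasRoles(have, spec, true)) return { status: 403, reason: "missing permission" };
  } else if (spec && typeof spec === "object") {
    // longform: permitted roles must match, denied roles must not be present
    const permitted = spec.permitted || {}, denied = spec.denied || {};
    const pRoles = permitted.roles || [], dRoles = denied.roles || [];
    if (pRoles.length && !hasRoles(have, pRoles, permitted.requireAll !== false))
      return { status: 403, reason: "missing permission" };
    if (dRoles.length && hasRoles(have, dRoles, denied.requireAll === true))
      return { status: 403, reason: "denied permission present" };
  }
  return { status: 200 };
}
```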

Prerequisites

You'll need to specify a couple of application settings for the library to pick up at runtime, or it simply won't work.

  • domain is the issuer, e.g. https://<tenancy>.eu.auth0.com/, which is also used to fetch the public key
  • audience is the audience expected for users of this API. In Auth0 this generally looks like a URL, although it's just an ID and never actually hit as an endpoint, e.g. https://api.myapp.io
  • debug is an optional flag that can be set to anything truthy to turn on extra runtime context logging

There's a local.settings.sample.json file included to remind you what the library needs.

Installation

Insert @jfdi/azjwt in your package.json dependencies, or

npm i @jfdi/azjwt