npm package discovery and stats viewer.

Discover Tips

  • General search

    [free text search, go nuts!]

  • Package details

    pkg:[package-name]

  • User packages

    @[username]

Sponsor

Optimize Toolset

I’ve always been into building performant and accessible sites, but lately I’ve been taking it extremely seriously. So much so that I’ve been building a tool to help me optimize and monitor the sites that I build to make sure that I’m making an attempt to offer the best experience to those who visit them. If you’re into performant, accessible and SEO friendly sites, you might like it too! You can check it out at Optimize Toolset.

About

Hi, 👋, I’m Ryan Hefner  and I built this site for me, and you! The goal of this site was to provide an easy way for me to check the stats on my npm packages, both for prioritizing issues and updates, and to give me a little kick in the pants to keep up on stuff.

As I was building it, I realized that I was actually using the tool to build the tool, and figured I might as well put this out there and hopefully others will find it to be a fast and useful way to search and browse npm packages as I have.

If you’re interested in other things I’m working on, follow me on Twitter or check out the open source projects I’ve been publishing on GitHub.

I am also working on a Twitter bot for this site to tweet the most popular, newest, random packages from npm. Please follow that account now and it will start sending out packages soon–ish.

Open Software & Tools

This site wouldn’t be possible without the immense generosity and tireless efforts from the people who make contributions to the world and share their work via open source initiatives. Thank you 🙏

© 2024 – Pkg Stats / Ryan Hefner

@openware/node-auth-barong

v1.1.0

Published

Express middleware for Barong Authorizer

Downloads

3

Vulnerabilities

Powered byPowered by Snyk
  • 0High
  • 0Medium
  • 0Low

Links

Git

Maintainers

akushnirukakushnirukcmeuliencmeulienheliostechheliostech

Keywords

jwtverifyauthorizebarong

Readme

node-auth-barong

This Express Middleware package can:

  • Validate JsonWebTokens returned from barong and sets req.session.
  • Sign a JWT with a private Key and encode request on either Peatio or Barong management API's

This module lets you validate JWT from HTTP requests using jsonwebtoken library in your Node.js applications and sign JWT's with application private key. JWTs are typically used to protect API endpoints.

Install

$ npm install node-auth-barong

Usage

There are two middlewares you can use from this package

sessionVerifier

This JWT authentication middleware authenticates Barong session using a JWT. If the token is valid, req.session will be set with the JSON object decoded to be used by later middleware for authorization and access control.

Example of req.session object:

{ iat: 1565687278,
  exp: 1565693278,
  sub: 'session',
  iss: 'barong',
  aud: [ 'peatio', 'barong' ],
  jti: '1111111111',
  uid: 'ID123123123',
  email: '[email protected]',
  role: 'admin',
  level: 3,
  state: 'active',
  referral_id: null }

For example,

var barongJwt = require('node-auth-barong');
const barongJwtPublicKey = Buffer.from(process.env.BARONG_JWT_PUBLIC_KEY.trim(), 'base64').toString('utf-8')

app.get('/protected',
  barongJwt.sessionVerifier({barongJwtPublicKey: barongJwtPublicKey}),
  function(req, res) {
    if (!req.user.admin) return res.sendStatus(401);
    res.sendStatus(200);
  });

You can specify audience and/or issuer as well:

barongJwt.sessionVerifier({ barongJwtPublicKey: 'decoded public key',
  audience: 'barong',
  issuer: 'http://issuer' })

Available options for verification:

  • algorithms: List of strings with the names of the allowed algorithms. For instance, ["HS256", "HS384"].
  • audience: if you want to check audience (aud), provide a value here. The audience can be checked against a string, a regular expression or a list of strings and/or regular expressions. Eg: "urn:foo", /urn:f[o]{2}/, [/urn:f[o]{2}/, "urn:bar"]
  • issuer (optional): string or array of strings of valid values for the iss field.
  • ignoreExpiration: if true do not validate the expiration of the token.
  • subject: if you want to check subject (sub), provide a value here
  • clockTolerance: number of seconds to tolerate when checking the nbf and exp claims, to deal with small clock differences among different servers
  • maxAge: the maximum allowed age for tokens to still be valid. It is expressed in seconds or a string describing a time span zeit/ms. Eg: 1000, "2 days", "10h", "7d". A numeric value is interpreted as a seconds count. If you use a string be sure you provide the time units (days, hours, etc), otherwise milliseconds unit is used by default ("120" is equal to "120ms").
  • clockTimestamp: the time in seconds that should be used as the current time for all necessary comparisons.

If the JWT has an expiration (exp), it will be checked.

If you are using a base64 URL-encoded secret, pass a Buffer with base64 encoding as the secret instead of a string:

barongJwt.sessionVerifier({ barongJwtPublicKey: new Buffer('base64encoded', 'base64') })

Instead of decoding you can also specify the path to public key:

var publicKey = fs.readFileSync('/path/to/public.pub');
barongJwt.sessionVerifier({ barongJwtPublicKey: publicKey });

managementSigner

This middleware uses JWT library to sign a request that is sent to either Barong or Peatio management API.

The middleware takes req.management.payload object and signs it with private key, formatting the payload in the right for management api way. After the payload is signed and formatted, its assigned to req.body object as request parameters. This request parameters then can be used by the next middleware to send a request to either Barong or Peatio. Usage example:

app.post('/api/v2/deposit', function( req, res, next) {
	# Verifing if the user is an admin and allowed to make a deposit
    if (req.session.role =! "admin") {
      res.status(401);
      res.send(`Deposit submittion is allowed only for admins`);
    }
    # Creating req.management.payload object to send a request to /api/v2/management/deposits/new
    
    req.management = { payload: {
        uid: req.session.uid,
        currency: req.body.currency_id,
        amount: req.body.amount
        }
    }
    
    next();
    # Using managementSigner middleware we've signed the req.management.payload object and assigned it to req.body object with correct formatting
}, barongAuth.managementSigner({privateKey: appPrivateKey}), function(req,res) {
    # Using request middleware we've sent a request to Peatio management API to create a new deposit for current user.

    request({
      method: "POST",
      uri:  `${global.gConfig.peatio_url}/api/v2/management/deposits/new`,
      json: true,
      body: req.body
    }, (err, result, body) => {
      res.json(body)
      if (err) {
          return console.error(err);
      }
    });
})

WARNING! privateKey option is mandatory, otherwise your request won't be signed

Available options for signing:

  • jwtAlgorithm: string with the name of the algorithm. For instance, "RS256".
  • jwtKid: key identifier parameter. For instance, "applogic"
  • jwtExpireDate: the maximum allowed age for tokens to still be valid. It is expressed in seconds or a string describing a time span zeit/ms. Eg: 1000, "2 days", "10h", "7d". A numeric value is interpreted as a seconds count. If you use a string be sure you provide the time units (days, hours, etc), otherwise milliseconds unit is used by default ("120" is equal to "120ms").

Examples

Example app that uses node-auth-barong can be found here

Related Modules

Tests

$ npm install
$ npm test

Contributors

Check them out here

Issue Reporting

If you have found a bug or if you have a feature request, please report them at this repository issues section. Please do not report security vulnerabilities on the public GitHub issue tracker.

Author

Openware

License

This project is licensed under the MIT license. See the LICENSE file for more info.