
@patagoniantech/jwt-redis-session

v1.3.1

Published

JSON Web Token session middleware backed by Redis

Downloads

87

Readme

JWT-Redis-Session

JSON Web Token session middleware backed by Redis. This connect middleware module exposes an API surface similar to a cookie-based session middleware, but instead of a cookie it uses a JSON Web Token to transport the session identifier. This is useful for cookie-less clients or for cross-service user authentication. The JWT is a bearer credential: treat it like a session cookie (send it only over TLS, keep it out of logs), since anyone holding it can use the session until it is destroyed or expires.

Some info on JSON Web Tokens

Install

npm install @patagoniantech/jwt-redis-session

Important Notes

Developers are free to store session-related data either in the JWT claims or in redis. When serializing a user's session, usually only the minimum needed to uniquely identify the session should be serialized and sent to the client. By default, when this module creates a JWT it reserves only the "jti" claim, which holds a UUID that serves as the redis key for the user's session data. The token therefore carries the minimum by default; any other data set on the JWT session object during the request-response cycle is serialized and stored in redis, not sent to the client.

Because a JWT's claims are signed, they can only be set when a new token is created. For that reason this module does not attach a TTL (an "exp" claim) to the JWT by default: an "exp" cannot be extended without issuing a new token, so the module manages session expiration through redis key expiration instead. Aside from the reserved "jti" claim, developers may attach any data to the claims object when creating a JWT, including an "exp", but need to be aware that an "exp" on the claims is enforced during signature verification and supersedes the TTL managed in redis: once it passes, the token is rejected even if the redis key is still live.

API Overview

Initialization

This module supports a few initialization parameters that can be used to support several usage scenarios, including running any number of instances of this middleware module alongside each other.

  • requestKey - The property name on the request object under which the JWT session object is attached. The default is "session", which collides with a module such as express-session, so change it if both run in the same app.
  • requestArg - The parameter name carrying the JWT. The middleware looks for it in the query string, the request body, and the headers. The header name is derived from the camelCase parameter name by splitting at each capital letter, lower-casing, and prefixing "x-": with the default requestArg "accessToken", this instance of the middleware reads the "x-access-token" header. Prefer the header in clients; tokens passed in the query string end up in access logs and Referer headers.
  • keyspace - The prefix for the session keys stored in redis. Defaults to "sess:".
  • secret - The key used to sign the token: the shared secret for HMAC algorithms (HS256), or the private key for asymmetric ones (RS256). Signing is not encryption; every claim is readable by whoever holds the token.
  • verificationSecret - The key used to verify the token signature: the same secret for HMAC algorithms, or the public key for asymmetric ones. (The RS256 example below passes it as verificationKey; confirm the option name against the installed version's source before relying on it.)
  • signOptions - A SignOptions object from the "jsonwebtoken" package, e.g. the algorithm. Optional.
  • client - The redis client used to run redis commands.
  • maxAge - The maximum age (in seconds) of a session. This is the TTL set on the redis key, and it is what touch() refreshes.
const JWTRedisSession = require("@patagoniantech/jwt-redis-session"),
    express = require("express"),
    fs = require('fs'),
    redis = require("redis");

const redisClient = redis.createClient(),
    // placeholder from the README: load a long random secret from configuration, never a literal in source
    secret = generateSecretKeySomehow(),
    app = express();

// Symmetric (HS256): the same secret both signs and verifies
app.use(JWTRedisSession({
    client: redisClient,
    secret: secret,
    keyspace: "sess:",
    maxAge: 86400,
    signOptions: {
        algorithm: 'HS256'
    },
    requestKey: "jwtSession",
    requestArg: "jwtToken"
}));

// If you need to use an asymmetric algorithm such as RS256:
// the private key signs and the public key verifies, so services that only
// verify tokens never need to hold the signing key
const privateKey = fs.readFileSync('/path/to/private_key.pem', 'utf8');
const publicKey = fs.readFileSync('/path/to/public_key.pem', 'utf8');

app.use(JWTRedisSession({
    client: redisClient,
    secret: privateKey,
    verificationKey: publicKey,
    keyspace: "sess:",
    maxAge: 86400,
    signOptions: {
        algorithm: 'RS256'
    },
    requestKey: "jwtSession",
    requestArg: "jwtToken"
}));

All examples following this assume the above configuration.

Create JWT Session

Create a new JSON Web Token from the provided claims and store any relevant data in redis.

var handleRequest = function(req, res){
	// req.param() is deprecated in Express 4 and removed in 5; read the body explicitly
	User.login(req.body.username, req.body.password, function(error, user){

		if(error || !user){
			return res.status(401).json({ error: "invalid credentials" });
		}

		// this will be stored in redis, keyed by the session's UUID
		req.jwtSession.user = user.toJSON();

		// this will be attached to the JWT (signed and readable by the client, not encrypted)
		var claims = {
			iss: "my application name",
			aud: "myapplication.com"
		};

		req.jwtSession.create(claims, function(error, token){
			if(error){
				return res.status(500).json({ error: "could not create session" });
			}
			res.json({ token: token });
		});
	});
};

Read JWT Data

The session's UUID, JWT claims, and the JWT itself are all available on the jwtSession object as well. Any of these properties can be used to test for the existence of a valid JWT and session.

var handleRequest = function(req, res){

	console.log("Request JWT session data: ",
		req.jwtSession.id,
		req.jwtSession.claims,
		req.jwtSession.jwt
	);

	res.json(req.jwtSession.toJSON());

};

Modify Session Data

Any modifications to the jwtSession will be reflected in redis.

var handleRequest = function(req, res){

	if(req.jwtSession.id){

		req.jwtSession.foo = "bar";

		req.jwtSession.update(function(error){
			res.json(req.jwtSession.toJSON());
		});

	}else{
		res.redirect("/login");
	}
};

Reload Session Data

Force a reload of the session data from redis.

var handleRequest = function(req, res){

	setTimeout(function(){

		req.jwtSession.reload(function(error){
			res.json(req.jwtSession.toJSON());
		});

	}, 5000);

};

Refresh the TTL on a Session

var handleRequest = function(req, res){

	req.jwtSession.touch(function(error){
		res.json(req.jwtSession.toJSON());
	});

};

Destroy a Session

Remove the session data from redis. The user's JWT may still verify within any expiration window it carries, but the backing data in redis no longer exists, so this module will not recognize the token and treats the request as having no session. This server-side revocation is what the redis-backed design provides over a purely stateless JWT.

var handleRequest = function(req, res){

	req.jwtSession.destroy(function(error){
		res.redirect("/login");
	});

};

Tests

This module uses Mocha/Chai for testing. In order to run the tests a local redis server must be running or the REDIS_HOST and REDIS_PORT environment variables must be set.

npm install
grunt test