npm package discovery and stats viewer.

Discover Tips

  • General search

    [free text search, go nuts!]

  • Package details

    pkg:[package-name]

  • User packages

    @[username]

Sponsor

Optimize Toolset

I’ve always been into building performant and accessible sites, but lately I’ve been taking it extremely seriously. So much so that I’ve been building a tool to help me optimize and monitor the sites that I build to make sure that I’m making an attempt to offer the best experience to those who visit them. If you’re into performant, accessible and SEO friendly sites, you might like it too! You can check it out at Optimize Toolset.

About

Hi, 👋, I’m Ryan Hefner  and I built this site for me, and you! The goal of this site was to provide an easy way for me to check the stats on my npm packages, both for prioritizing issues and updates, and to give me a little kick in the pants to keep up on stuff.

As I was building it, I realized that I was actually using the tool to build the tool, and figured I might as well put this out there and hopefully others will find it to be a fast and useful way to search and browse npm packages as I have.

If you’re interested in other things I’m working on, follow me on Twitter or check out the open source projects I’ve been publishing on GitHub.

I am also working on a Twitter bot for this site to tweet the most popular, newest, random packages from npm. Please follow that account now and it will start sending out packages soon–ish.

Open Software & Tools

This site wouldn’t be possible without the immense generosity and tireless efforts from the people who make contributions to the world and share their work via open source initiatives. Thank you 🙏

© 2024 – Pkg Stats / Ryan Hefner

authomatic

v1.0.2

Published

An authentication library that uses JWT for access and refresh tokens with sensible defaults.

Downloads

6

Vulnerabilities

Powered byPowered by Snyk
  • 0High
  • 0Medium
  • 0Low

Links

Git

Maintainers

amriamriwarp-adminwarp-admin

Keywords

authenticationjwtrefresh-tokensecurity

Readme

authomatic

Build Status Maintainability

Description

An authentication library that uses JWT for access and refresh tokens with sensible defaults.

Install

npm install authomatic

Available stores

Redis

Please create an issue if you need another store.

Examples

Koa Example

Quickstart

const Store = require('authomatic-redis');
const Authomatic = require('authomatic');
const store = Store();
const authomatic = new Authomatic({store});

// Use authomatic functions

Test

npm test

Notes about migrating from version 0.0.1 to 1

  1. Access and refresh tokens from those old versions will not work with the new ones. If you just upgraded, users will be required to relog. If that is undesirable, and you want a seamless transition use two instances of Authomatic, but do not sign new tokens (or refresh) with the old instance.
  2. The refresh method now accepts a 4th argument, verify options.
  3. The invalidate refresh token method now requires a secret.
  4. aud in sign options and audience in verify options are now strictly an array.
  5. RefreshTokenExpiredOrNotFound became RefreshTokenNotFound, the expiration error is throw by the 'jsonwebtoken' library.
  6. InvalidAccessToken became InvalidToken, it is for both refresh and access tokens.
  7. TokensMismatch error is thrown if refresh and access token do not match.

The example has been updated to reflect all the new changes.

Documentation

Members

Typedefs

sign ⇒ Promise.<Tokens>

Returns access and refresh tokens

Kind: global variable
Throws:

  • TypeError typeError if any param was not sent exactly as specified

| Param | Type | Description | | --- | --- | --- | | userId | String | | | secret | Secret | | | [content] | Object | user defined properties | | [prolong] | Boolean | if true, the refreshToken will last 4 days and accessToken 1 hour, otherwise the refresh token will last 25 minutes and the accessToken 15 minutes. | | [signOptions] | SignOptions | Options to be passed to jwt.sign |

verify ⇒ String

Verifies token, might throw jwt.verify errors

Kind: global variable
Returns: String - decoded token
Throws:

| Param | Type | Description | | --- | --- | --- | | token | String | | | secret | Secret | | | [verifyOptions] | VerifyOptions | Options to pass to jwt.verify. |

refresh ⇒ Promise.<Tokens>

Issues a new access token using a refresh token and an old token (can be expired).

Kind: global variable
Throws:

| Param | Type | Description | | --- | --- | --- | | refreshToken | String | | | accessToken | String | | | secret | Secret | | | signOptions | SignOptions | Options passed to jwt.sign, ignoreExpiration will be set to true |

invalidateRefreshToken ⇒ Promise.<Boolean>

Invalidates refresh token

Kind: global variable
Returns: Promise.<Boolean> - true if successful, false otherwise.
Throws:

| Param | Type | | --- | --- | | refreshToken | String |

invalidateAllRefreshTokens ⇒ Promise.<Boolean>

Invalidates all refresh tokens

Kind: global variable
Returns: Promise.<Boolean> - true if successful, false otherwise.
Throws:

  • TypeError typeError if any param was not sent exactly as specified

| Param | Type | | --- | --- | | userId | String |

Secret : String

a string greater than 20 characters

Kind: global typedef

AccessToken : String

Regular JWT token. Its payload looks like this:

{
 "t": "Authomatic-AT",
 "uid": "userId",
 "exp": "someNumber",
 "jti": "randomBytes",
 ...otherClaims,
 "pld": {
   ...otherUserContent
 }
}

Kind: global typedef

RefreshToken : String

regular JWT token. Its payload looks like this:

{
  "t": "Authomatic-RT",
  "iss": "Authomatic",
  "aud": ["Authomatic"]
  "uid": "userId",
  "exp": "someNumber",
  "jti": "randomBytes",
  "accessTokenJTI": "randomBytes"
}

Kind: global typedef

Tokens : Object

Token pairs

Kind: global typedef
Properties

| Name | Type | Description | | --- | --- | --- | | accessToken | AccessToken | | | accessTokenExpiresAt | Number | epoch | | refreshToken | RefreshToken | | | refreshTokenExpiresAt | Number | epoch |

VerifyOptions : Object

Verify options to be used when verifying tokens

Kind: global typedef
Properties

| Name | Type | Description | | --- | --- | --- | | [audience] | Array | String | checks the aud field | | [issuer] | String | Array | checks the iss field | | [ignoreExpiration] | Boolean | if true, ignores the expiration check of access tokens | | [ignoreNotBefore] | Boolean | if true, ignores the not before check of access tokens | | [subject] | String | checks the sub field | | [clockTolerance] | Number | String | | | [maxAge] | String | Number | | | [clockTimestamp] | Number | overrides the clock for the verification process |

SignOptions : Object

The allowed user options to for signing tokens

Kind: global typedef
Properties

| Name | Type | | --- | --- | | [nbf] | Number | | [aud] | Array | String | | [iss] | String | | [sub] | String |

RefreshTokenNotFound : StandardError

The refresh token was not found.

Kind: global typedef
Properties

| Name | Type | Default | | --- | --- | --- | | [name] | String | 'RefreshTokenNotFound' |

TokensMismatch : StandardError

The tokens provided do not match

Kind: global typedef
Properties

| Name | Type | Default | | --- | --- | --- | | [name] | String | 'TokensMismatch' |

InvalidToken : StandardError

The provided input is not a valid token.

Kind: global typedef
Properties

| Name | Type | Default | | --- | --- | --- | | [name] | String | 'InvalidToken' |

Creating a store

If you want to create a new store you need to expose the following functions:

  1. add
/**
* Register token and refresh token to the user
* @param {String} userId
* @param {String} refreshTokenJTI
* @param {String} accessTokenJTI
* @param {Number} ttl time to live in ms
* @returns {Promise<Boolean>} returns true when created.
*/
function add(userId, refreshTokenJTI, accessTokenJTI, ttl){...}
  1. remove
/**
* Remove a single refresh token from the user
* @param userId
* @param refreshTokenJTI
* @returns {Promise<Boolean>} true if found and deleted, otherwise false.
*/
function remove(userId, refreshTokenJTI) {...}
  1. removeAll
/**
* Removes all tokens for a particular user
* @param userId
* @returns {Promise<Boolean>} true if any were found and delete, false otherwise
*/
function removeAll(userId) {...}

You may need to expose a reference to the store if the user may need to handle connections during testing for example.