express-simple-auth-token
v1.2.3
Published
JSON web token middleware for express designed to work with Ember Simple Auth Token
Downloads
11
Readme
Express Simple Auth Token
JSON web token middleware for express designed to work with Ember Simple Auth Token.
Usage
var expressSimpleAuthToken = require('express-simple-auth-token');
var tokenMiddleware = expressSimpleAuthToken({
secret: 'keyboard cat',
lookup: function (user, callback) {
users.findOne({ _id: user.id }, callback);
},
verify: function (password, user, callback) {
verifyPassword(password, user.hash, callback);
}
});
app.use(tokenMiddleware);Settings
Required settings:
secret- for JSON Web Token, you must supply this.lookup- function called to lookup a user when they log in, called with 2 arguments, username and callback. Username is based onidentificationFieldoption.verify- function called to verify a user against the supplied password. Called with 3 arguments:passwordwhich is derived from thepasswordFieldoption,userwhich is the result of lookup, and a callback which must be called in the formcallback(null, true)if verification was successful. This is where you run a key derivation function or similar.
Optional settings:
algorithm- for JWT (default:'HS256')serverTokenEndpoint- path of the endpoint for getting a token. (default:'api-token-auth')serverTokenRefreshEndpoint- path of the endpoint for getting a token (default:'api-token-refresh')passwordField- field in the body of the request posted toserverTokenEndpointwhich contains the password (default:password)identificationField- field in the body of the request posted toserverTokenEndpointwhich contains the method if identifying the user (default:username)tokenPropertyName- field name for the token for use in verification middleware, the request send toserverTokenRefreshEndpoint, and the response from both token endpoints (default:'token')refreshLeeway- in seconds, this option denotes if you should give a little leeway in the expiration time when refreshing the token. Useful if your client library uses the expiration date as the time it should send the request causing all token refreshes to fail due to the token having expired milliseconds previously. (default:0)tokenLife- how long should the token last, in minutes (default:60)authError- what to do when we can't validate a json web token (either because it isn't there or it is invalid). Defaults tofunction (req, res, next, error){ return res.statusStatus(401); }createTokenError- function called when error encountered in request toserverTokenEndpoint. Same default asauthError.refreshTokenError- function called when error encountered in request toserverTokenRefreshEndpoint. Same default asauthError.createToken- a function you can use if you want to modify the fields passed back in the token. Useful if you want to strip password hashes or lookup other related attributes. Called with 2 arguments:userwhich is the result oflookup, andcallback. Defaults tofunction (user, callback) { process.nextTick(function () { callback(null, user); }); }refreshLookup- lookup function for use when the token is refreshed. Defaults tofunction (user, callback) { if (!user[opts.identificationField]) { return process.nextTick(function () { callback(new Error('no username in token')); }); } var lookup = opts.lookup; lookup(user[opts.identificationField], callback); }
More Complete Example
var expressSimpleAuthToken = require('express-simple-auth-token');
var crypto = require('crypto');
var HASH_LEN = 64;
app.use(expressSimpleAuthToken({
secret: crypto.randomBytes(64),
lookup: function (user, callback) {
lookupInDataBase(user, callback);
},
verify: function (password, user, callback) {
var hash = user.hash;
crypto.pbkdf2(password, user.salt, 10000, HASH_LEN, 'sha224', function (err, resp) {
if (err) {
return callback(err);
}
var hash = user.hash;
var i = -1;
var out = 0;
while (++i < HASH_LEN) {
out |= hash[i] ^ resp[i];
}
callback(null, out);
});
},
createToken: function (user, callback) {
delete user.hash;
delete user.salt;
callback(null, user);
}
}));