npm package discovery and stats viewer.

Discover Tips

  • General search

    [free text search, go nuts!]

  • Package details

    pkg:[package-name]

  • User packages

    @[username]

Sponsor

Optimize Toolset

I’ve always been into building performant and accessible sites, but lately I’ve been taking it extremely seriously. So much so that I’ve been building a tool to help me optimize and monitor the sites that I build to make sure that I’m making an attempt to offer the best experience to those who visit them. If you’re into performant, accessible and SEO friendly sites, you might like it too! You can check it out at Optimize Toolset.

About

Hi, 👋, I’m Ryan Hefner  and I built this site for me, and you! The goal of this site was to provide an easy way for me to check the stats on my npm packages, both for prioritizing issues and updates, and to give me a little kick in the pants to keep up on stuff.

As I was building it, I realized that I was actually using the tool to build the tool, and figured I might as well put this out there and hopefully others will find it to be a fast and useful way to search and browse npm packages as I have.

If you’re interested in other things I’m working on, follow me on Twitter or check out the open source projects I’ve been publishing on GitHub.

I am also working on a Twitter bot for this site to tweet the most popular, newest, random packages from npm. Please follow that account now and it will start sending out packages soon–ish.

Open Software & Tools

This site wouldn’t be possible without the immense generosity and tireless efforts from the people who make contributions to the world and share their work via open source initiatives. Thank you 🙏

© 2024 – Pkg Stats / Ryan Hefner

express-tokenware

v0.4.2

Published

Simple token-based authentication middleware for express

Downloads

34

Vulnerabilities

Powered byPowered by Snyk
  • 0High
  • 0Medium
  • 0Low

Links

Git

Maintainers

hifarazhifaraz

Keywords

authauthnauthenticationauthzauthorizationhttpjwttokenoauthexpressjsonwebtoken

Readme

express-tokenware

Simple token-based authentication middleware for express.

NOTE: this is a pre-production version, and the module interfaces and functionality are not stable yet.

var tokenware = require('express-tokenware')('mySecretKey');
var app = tokenware(express);

app.get('/authenticate',
  someAuthenticationMiddleware,
  somePayloadCreationMiddleware
);

app.get('/myProtectedPath',
  function (req, res, next) {
    // success, do something with req.decodedBearerToken here
  });

app.listen(3000);

1. Installation

$ npm install express-tokenware

2. Testing

All express-tokenware behaviours have been tested using jasmine.

$ npm test

3. Features / high-level behaviours

  • Uses JSON Web Tokens (JWT)
  • Flexible data structure - store whatever you like in the token
  • Provides tokens on sign-in/authentication
  • Extracts bearer tokens from request header
  • Checks tokens on incoming requests
  • Handles anonymous requests
  • Rejects expired tokens
  • Allows custom error handling
  • Checks revoked tokens

4. Philosophy

  • behaviour driven-development
  • do the work for the user, such as sandwiching the stack with one function
  • unopinionated, provide an interface that can be used with any architecture or database

5. Documentation

Where not specified, variables are defined as per auth0/node-jsonwebtoken documentation.

5.1 Configuration

Include express-tokenware in your project by calling:

var tokenware = require('express-tokenware')(secretOrPrivateKey, [options, isRevokedToken]);

options refers to configuration parameters that govern both signing and verification of bearer tokens. It must be an object literal that may include any or all of the following 7 parameters:

  • algorithm
  • expiresIn
  • audience
  • issuer
  • allowAnonymous set this to true to allow anonymous requests (default: false)
  • handleErrors set this to false to use a custom error-handling middleware (default: true)

isRevokedToken is a callback which can accept a token string and return true if the token has been revoked or false if the token has not been revoked.

5.2 Initialization

Attach tokenware to your application. This will allow bearer tokens to be received, verify any bearer tokens found on incoming requests, and send signed tokens on responses with token payloads.

var app = tokenware(express);

express is injected as a dependency into tokenware. This ensures that tokenware is both the first and last middleware to execute, which allows it to be used for both authenticating users and authorizing requests.

5.3 Sign-in/authentication

Once your application has authenticated a user and created a payload for the bearer token, create a payload object at res.locals.bearerTokenPayload and call next() in your last route middleware. tokenware will send the signed token to the user as a JSON object {"signedBearerToken": <token>}, along with an OK HTTP header status of 200.

This example is a simple implementation of sign-in/authentication:

app.get('/authenticate',
  someAuthenticationMiddleware,
  somePayloadCreationMiddleware // this **must** call `next()` to send a signed token
);

5.4 Extracting signed bearer tokens from incoming requests

express-tokenware looks for tokens in the authorization header in the form of 'Bearer <token>' (case-sensitive). Set the response headers appropriately to allow cross-origin resource sharing (CORS).

5.5 Verifying signed bearer tokens

express-tokenware automatically verifies any bearer token found in an incoming request. This guarantees that the token has a valid signature. An alternate approach of verifying against tokens stored in a database is not supported by this module, as the stored tokens may be tampered with by an attacker.

If tokenware successfully verifies the signed bearer token, it will attach the decoded bearer token to req.decodedBearerToken and call the next middleware function. If it fails to verify the token, it will invoke an error which will be passed to the error-handling middleware in the stack.

This example verifies tokens with the default configuration:

app.get('/myProtectedPath',
  function (req, res, next) {
    // success, do something with req.decodedBearerToken here
  }
);

If you would like to allow anonymous requests to your server, set the configuration option allowAnonymous to true. Subsequent middleware can detect anonymous requests by checking req.isAnonymous. This example demonstrates how to differentiate between authorized and anonymous requests:

app.get('/myProtectedPath',
  function (req, res, next) {
    if (req.isAnonymous) {
      // anonymous request
    } else {
      // not anonymous, do something with req.decodedBearerToken here
    }
  }
);

6. Error handling

express-tokenware comes with a built-in error-handling, however, it may be replaced with a custom middleware. This section provides information on building a custom error-handling middleware.

The error object passed to the middleware will have at least two properties:

  • name
  • message

This table lists the errors sent by express-tokenware:

Name|Message ---|--- JsonWebTokenError|(variable, generated by auth0/node-jsonwebtoken) malformedAuthorizationHeader|Authorization header is malformed, should be in the form of: Bearer revokedToken|Request authorization was previously revoked TokenExpiredError|jwt expired (generated by auth0/node-jsonwebtoken)

If anonymous requests are allowed (through the configuration parameter allowAnonymous) then unauthorized requests are not treated as an error. In this case, an error-handling middleware may not be necessary.

7. Issues and pull requests

Feedback and contribution are highly encouraged! Please report feedback through the Github issue tracker. To submit code, please fork the Github repository and send a pull request.