npm package discovery and stats viewer.

Discover Tips

  • General search

    [free text search, go nuts!]

  • Package details

    pkg:[package-name]

  • User packages

    @[username]

Sponsor

Optimize Toolset

I’ve always been into building performant and accessible sites, but lately I’ve been taking it extremely seriously. So much so that I’ve been building a tool to help me optimize and monitor the sites that I build to make sure that I’m making an attempt to offer the best experience to those who visit them. If you’re into performant, accessible and SEO friendly sites, you might like it too! You can check it out at Optimize Toolset.

About

Hi, 👋, I’m Ryan Hefner  and I built this site for me, and you! The goal of this site was to provide an easy way for me to check the stats on my npm packages, both for prioritizing issues and updates, and to give me a little kick in the pants to keep up on stuff.

As I was building it, I realized that I was actually using the tool to build the tool, and figured I might as well put this out there and hopefully others will find it to be a fast and useful way to search and browse npm packages as I have.

If you’re interested in other things I’m working on, follow me on Twitter or check out the open source projects I’ve been publishing on GitHub.

I am also working on a Twitter bot for this site to tweet the most popular, newest, random packages from npm. Please follow that account now and it will start sending out packages soon–ish.

Open Software & Tools

This site wouldn’t be possible without the immense generosity and tireless efforts from the people who make contributions to the world and share their work via open source initiatives. Thank you 🙏

© 2024 – Pkg Stats / Ryan Hefner

jwt-validate

v0.5.0

Published

Validate JWT tokens in Node.js.

Downloads

492

Vulnerabilities

Powered byPowered by Snyk
  • 0High
  • 0Medium
  • 0Low

Links

Git

Maintainers

waldekmwaldekm

Keywords

Readme

jwt-validate

Easily validate JWT tokens in Node.js. This package builds on top of the jsonwebtoken and jwks-rsa packages and extends their functionality with several convenience features, including:

  • validating tokens including downloading keys in one step,
  • for multitenant apps, validating tokens against a list of allowed tenants,
  • validating tokens against specific roles or scopes,
  • validating token type (application or user),
  • validating token version,
  • caching keys for better performance,
  • support for resetting cache and deleting specific keys without restarting the app,
  • convenience method to get the JWKS URL for the specified Microsoft Entra tenant

npm version

Installation

npm install jwt-validate

Usage

Basic setup

Following snippets show the basic setup for validating JWT tokens in apps that use the CommonJS and ESM module systems. The following sections show specific use cases on top of the basic setup.

CommonJS

const { TokenValidator, getEntraJwksUri } = require('jwt-validate');

// gets the JWKS URL for the Microsoft Entra common tenant
const entraJwksUri = await getEntraJwksUri();

// create a new token validator with the JWKS URL
const validator = new TokenValidator({
  jwksUri: entraJwksUri
});
try {
  // define validation options
  const options = {
    // ...
  };
  // validate the token
  const validToken = await validator.validateToken(token, options);
  // Token is valid
}
catch (ex) {
  // Token is invalid
  console.error(ex);
}

ESM

import { TokenValidator, getEntraJwksUri } from 'jwt-validate';

// gets the JWKS URL for the Microsoft Entra common tenant
const entraJwksUri = await getEntraJwksUri();

// create a new token validator with the JWKS URL
const validator = new TokenValidator({
  jwksUri: entraJwksUri
});
try {
  // define validation options
  const options = {
    // ...
  };
  // validate the token
  const validToken = await validator.validateToken(token, options);
  // Token is valid
}
catch (ex) {
  // Token is invalid
  console.error(ex);
}

Sample use cases

Following are several examples of using the package to validate JWT tokens in different scenarios. For the basic setup see the previous section.

Validate a Microsoft Entra token

const options = {
  // allowed audience
  audience: 'cda00000-0000-0000-0000-a00000000001',
  // allowed issuer
  issuer: 'https://login.microsoftonline.com/cda00000-0000-0000-0000-700000000001/v2.0'
};
// validate the token
const validToken = await validator.validateToken(token, options);

Validate that the token is an application token

Validate that the token is an application token by checking the idtyp claim. Requires the idtyp claim to be present in the token.

const options = {
  idtyp: 'app'
};
// validate the token
const validToken = await validator.validateToken(token, options);
// Token is valid

Validate that the token is a v2.0 token

const options = {
  ver: '2.0'
};
// validate the token
const validToken = await validator.validateToken(token, options);

Validate a Microsoft Entra token for a multitenant app

const options = {
  // list of allowed tenants
  allowedTenants: ['cda00000-0000-0000-0000-700000000001'],
  // allowed audience
  audience: 'cda00000-0000-0000-0000-a00000000001',
  // allowed issuer multitenant
  issuer: 'https://login.microsoftonline.com/{tenantid}/v2.0'
};
// validate the token
const validToken = await validator.validateToken(token, options);

Validate that the token has specified roles or scopes

Validate that the token has one of the specified roles or scopes. This is a common requirements for APIs that support delegated and application permissions and allow usage with several scopes.

const options = {
  scp: ['Customers.Read', 'Customers.ReadWrite'],
  roles: ['Customers.Read.All', 'Customers.ReadWrite.All']
};
// validate the token
const validToken = await validator.validateToken(token, options);

Setup the token validator for use with the US Government cloud

const { TokenValidator, getEntraJwksUri, CloudType } = require('jwt-validate');

// gets the JWKS URL for the Microsoft Entra common tenant in the US Government cloud
const entraJwksUri = await getEntraJwksUri('cda00000-0000-0000-0000-700000000002', CloudType.USGovernment);
// create a new token validator with the JWKS URL
const validator = new TokenValidator({
  jwksUri: entraJwksUri
});

API Reference

Classes

TokenValidator

Responsible for validating JWT tokens using JWKS (JSON Web Key Set).

Constructor
  • constructor(options)
    • Parameters
      • options: Object - Configuration options for the TokenValidator.
        • cache: boolean (optional, default=true) - Whether to cache the JWKS keys.
        • cacheMaxAge: number (optional, default=86400000) - The maximum age of the cache in milliseconds (default is 24 hours).
        • jwksUri: string - The URI to fetch the JWKS keys from.
    • Throws
      • Error - If the options parameter is not provided.
Methods

  • async validateToken(token, options)

    • Description
      • Validates a JWT token.
    • Parameters
      • token: string - The JWT token to validate.
      • options Object (optional): Validation options. VerifyOptions from the jsonwebtoken library with additional properties.
        • allowedTenants string[] (optional): The allowed tenants for the JWT token. Compared against the tid claim.
        • idtyp string (optional): The idtyp claim to be validated against.
        • roles string[] (optional): Roles expected in the 'roles' claim in the JWT token.
        • scp string[] (optional): Scopes expected in the 'scp' claim in the JWT token.
        • ver: string (optional) - The version claim to be validated against.
    • Returns
      • Promise<JwtPayload | string> - The decoded and verified JWT token.
    • Throws
      • Error - If the token is invalid or the validation fails.

  • clearCache()

    • Description
      • Clears the key cache used by the TokenValidator.
    • Parameters
      • None
    • Returns
      • None

  • deleteKey(kid)

    • Description
      • Deletes a specific key from the cache.
    • Parameters
      • kid string - The key ID to delete from the cache.
    • Returns
      • None

Functions

getEntraJwksUri(tenant, cloud)

  • Description
    • Gets the JWKS URL for the Microsoft Entra common tenant.
  • Parameters
    • tenant string (optional, default=common) - The tenant to get the JWKS URL for.
    • cloud string (optional, default=CloudType.Public) - The cloud to get the JWKS URL for.
  • Returns
    • Promise<string> - The JWKS URI.

Enums

CloudType

  • Description
    • Enum for the cloud types.
  • Values
    • Public - Microsoft Azure public cloud.
    • Ppe - Microsoft PPE.
    • USGovernment - US Government cloud.
    • China - Microsoft Chinese national/regional cloud.

License

This project is licensed under the MIT License.