jwt_auth
v1.0.1
Extremely simple middleware for use with express and restify to enable authentication using JSON Web Tokens.
JWT_AUTH [1.0.0]
It's an extremely simple middleware for use with express and restify to enable authentication using JSON Web Tokens.
Installation
```
npm install jwt_auth
```
Usage
jwt_auth can be used on a per-route basis for those routes that require authenticated access.
It requires you to supply a function that actually authenticates the issuer. jwt_auth passes your function the issuer (`iss`) extracted from the token together with a deferred object, so that your issuer-checking function can be asynchronous: if the issuer is legitimate, call the object's `resolve()` function; otherwise call its `reject()` function.
If the request is legitimate, jwt_auth puts the decoded token data on the request object (`req.jwtauth`) so that it can be used by other middleware or by your application code.
For example in express:
```javascript
var express = require('express'),
    app = express(),
    jwtAuth = require('jwt_auth'),
    secret = 'secret-used-to-sign-and-verify-jwt-hashes';

// `db` stands for your own data-access layer; it is assumed here and is not part of jwt_auth
var db = require('./db');

var check_user_from_database = function(id, deferred) {
  // find the user by id in the database asynchronously
  db.findById(id, function(err, data) {
    if (err || !data) {
      // lookup failed or user not found: do not authenticate the request
      deferred.reject();
    } else {
      // user exists: authenticate the request
      deferred.resolve();
    }
  });
};

//---- routes ----
// anybody can access this route
app.get('/', function(req, res) {
  // do something here..
  res.send('public');
});

// only requests with a JWT in the headers that pass the
// issuer check can access this resource
app.get('/top_secret', jwtAuth(check_user_from_database, secret), function(req, res) {
  // this is how you retrieve the authenticated issuer
  var user_id = req.jwtauth.iss;
  // list all the documents about the alien invasion....
  res.send('welcome, ' + user_id);
});

app.listen(3000);
```
Configuration
jwt_auth needs four pieces of information:
- the issuer-checking function - required!
- the secret to use for signing and verifying the tokens - required!
- the name of the header where the token is to be found - optional, defaults to `x-access-token`
- an optional boolean indicating whether or not to perform a token expiration check - if not specified, jwt_auth defaults to NOT performing the expiry check, so an expired token is still accepted unless you turn this on.