Sign and verify tokens for your express app with one middleware.
NOTE: this is a pre-production version, and the module interfaces and functionality are not stable yet.
var tokenware = require('express-tokenware')('mySecretKey');
var app = tokenware(express);
app.get('/authenticate',
someAuthenticationMiddleware,
somePayloadCreationMiddleware
);
app.get('/myProtectedPath',
function (req, res, next) {
// success, do something with req.decodedBearerToken here
});
app.listen(3000);
$ npm install express-tokenware
All express-tokenware
behaviours have been tested using jasmine.
$ npm test
- Uses JSON Web Tokens (JWT)
- Flexible data structure - store whatever you like in the token
- Provides tokens on sign-in/authentication
- Extracts bearer tokens from request header
- Checks tokens on incoming requests
- Handles anonymous requests
- Rejects expired tokens
- Allows custom error handling
- Checks revoked tokens
- behaviour driven-development
- do the work for the user, such as sandwiching the stack with one function
- unopinionated, provide an interface that can be used with any architecture or database
Where not specified, variables are defined as per auth0/node-jsonwebtoken documentation.
Include express-tokenware
in your project by calling:
var tokenware = require('express-tokenware')(secretOrPrivateKey, [options, isRevokedToken]);
options
refers to configuration parameters that govern both signing and verification of bearer tokens. It must be an object literal that may include any or all of the following 7 parameters:
algorithm
expiresIn
audience
issuer
allowAnonymous
set this totrue
to allow anonymous requests (default:false
)handleErrors
set this tofalse
to use a custom error-handling middleware (default:true
)
isRevokedToken
is a callback which can accept a token string and return true
if the token has been revoked or false
if the token has not been revoked.
Attach tokenware
to your application. This will allow bearer tokens to be received, verify any bearer tokens found on incoming requests, and send signed tokens on responses with token payloads.
var app = tokenware(express);
express
is injected as a dependency into tokenware
. This ensures that tokenware
is both the first and last middleware to execute, which allows it to be used for both authenticating users and authorizing requests.
Once your application has authenticated a user and created a payload for the bearer token, create a payload object at res.locals.bearerTokenPayload
and call next()
in your last route middleware. tokenware
will send the signed token to the user as a JSON object {"signedBearerToken": <token>}
, along with an OK
HTTP header status of 200
.
This example is a simple implementation of sign-in/authentication:
app.get('/authenticate',
someAuthenticationMiddleware,
somePayloadCreationMiddleware // this **must** call `next()` to send a signed token
);
express-tokenware
looks for tokens in the authorization
header in the form of 'Bearer <token>'
(case-sensitive). Set the response headers appropriately to allow cross-origin resource sharing (CORS).
express-tokenware
automatically verifies any bearer token found in an incoming request. This guarantees that the token has a valid signature. An alternate approach of verifying against tokens stored in a database is not supported by this module, as the stored tokens may be tampered with by an attacker.
If tokenware
successfully verifies the signed bearer token, it will attach the decoded bearer token to req.decodedBearerToken
and call the next middleware function. If it fails to verify the token, it will invoke an error which will be passed to the error-handling middleware in the stack.
This example verifies tokens with the default configuration:
app.get('/myProtectedPath',
function (req, res, next) {
// success, do something with req.decodedBearerToken here
}
);
If you would like to allow anonymous requests to your server, set the configuration option allowAnonymous
to true
. Subsequent middleware can detect anonymous requests by checking req.isAnonymous
. This example demonstrates how to differentiate between authorized and anonymous requests:
app.get('/myProtectedPath',
function (req, res, next) {
if (req.isAnonymous) {
// anonymous request
} else {
// not anonymous, do something with req.decodedBearerToken here
}
}
);
express-tokenware
comes with a built-in error-handling, however, it may be replaced with a custom middleware. This section provides information on building a custom error-handling middleware.
The error object passed to the middleware will have at least two properties:
name
message
This table lists the errors sent by express-tokenware
:
Name | Message |
---|---|
JsonWebTokenError | (variable, generated by auth0/node-jsonwebtoken) |
malformedAuthorizationHeader | Authorization header is malformed, should be in the form of: Bearer |
revokedToken | Request authorization was previously revoked |
TokenExpiredError | jwt expired (generated by auth0/node-jsonwebtoken) |
If anonymous requests are allowed (through the configuration parameter allowAnonymous
) then unauthorized requests are not treated as an error. In this case, an error-handling middleware may not be necessary.
Feedback and contribution are highly encouraged! Please report feedback through the Github issue tracker. To submit code, please fork the Github repository and send a pull request.