CouchDB ProxyAuth JWT HS256 Token generator
Generate JWT tokens with payload for CouchDB ProxyAuth (with expiration)
Install
npm i @nhz.io/jwt-hs256-proxy-auth-tokenUsage
const jwt = require('@nhz.io/jwt-hs256-proxy-auth-token')
const DURATION = 120 // seconds. Default.
token = jwt('secret', 'user', ['role1', 'role2'], DURATION)Verified token example
This is what the token will look like after successful verification with jsonwebtoken
{
"exp": 1510356100,
"iat": 1510356220,
"data": {
"user": "username",
"roles": ["role1", "role2"]
}
}Imports
jwt = require 'jsonwebtoken'
Generate token
Curry to allow reuse
generate = (secret) -> (user) -> (roles, duration) ->
Sanity
throw Error 'Invalid secret' unless secret and typeof secret is 'string'
throw Error 'Invalid user' unless user and typeof user is 'string'
Roles should be array of strings
roles ?= []
throw Error 'Invalid roles' unless Array.isArray roles
throw Error 'Invalid roles' if (roles.filter (r) -> not r or typeof r isnt 'string').length
Default duration is 120 seconds
duration ?= 120
Max duration is one hour
throw Error 'Invalid duration' if (isNaN duration) or duration > 3600
Sign the token
jwt.sign { data: { user, roles }, exp: Math.floor Date.now() / 1000 + duration }, secret
API Wrapper
Wrapper to allow calling both curried and full arguments
jwtHS256ProxyAuthToken = (secret, user, roles, duration) ->
Start curried
token = generate secret
Complete invocation or return curried generator
token = if user then token user else token
if roles then token roles, duration else token
Exports
module.exports = jwtHS256ProxyAuthToken
Test
assert = require 'assert'
Test curry
assert.ok typeof (jwtHS256ProxyAuthToken 'secret') is 'function'
assert.ok typeof (jwtHS256ProxyAuthToken 'secret')('user') is 'function'
assert.ok typeof (jwtHS256ProxyAuthToken 'secret')('user')([]) is 'string'
Test validation
jwtHS256ProxyAuthToken()
assert.throws (-> jwtHS256ProxyAuthToken()()()), /Invalid secret/
assert.throws (-> jwtHS256ProxyAuthToken(1)()()), /Invalid secret/
assert.throws (-> jwtHS256ProxyAuthToken('secret')()()), /Invalid user/
assert.throws (-> jwtHS256ProxyAuthToken('secret')(1)()), /Invalid user/
assert.throws (-> jwtHS256ProxyAuthToken('secret')('user')('foo')), /Invalid roles/
assert.throws (-> jwtHS256ProxyAuthToken('secret')('user')([1])), /Invalid roles/
assert.throws (-> jwtHS256ProxyAuthToken('secret')('user')([undefined])), /Invalid roles/
assert.throws (-> jwtHS256ProxyAuthToken('secret')('user')([''])), /Invalid roles/
assert.throws (-> jwtHS256ProxyAuthToken('secret')('user')([], 3601)), /Invalid duration/
Test token
token = jwtHS256ProxyAuthToken 'secret', 'foo', ['users', 'foos']
assert.ok jwt.verify token, 'secret'
Test bad secret
assert.throws (-> jwt.verify token, 'bad-secret'), /invalid signature/
Test payload
assert.deepEqual { user: 'foo', roles: ['users', 'foos'] }, (jwt.verify token, 'secret').data
Test expiration
token = jwtHS256ProxyAuthToken 'secret', 'foo', ['users', 'foos'], -1
assert.throws (-> jwt.verify token, 'secret'), /jwt expired/
console.log 'pass'