node package manager

jot

hapi JSON Web Token (JWT) authentication plugin

jot

hapi JSON Web Token (JWT) authentication plugin

The 'jwt' scheme takes the following options:

Option Type Required Description
secret string Yes Secret key used to compute the signature
algorithms array Algorithm(s) allowed to verify tokens. Defaults to ['HS256']. Valid algorithms: ['HS256', 'HS384', 'HS512', 'RS256', 'RS384', 'RS512', 'ES256', 'ES384', 'ES512', 'none']
audience string Verify aud claim against this value
cookie string Cookie name. Defaults to sid. Works in tandem with hapi-auth-cookie. Must set JWT when the cookie is set. See examples below
issuer string Verify iss claim against this value
token string Name of the token set in the cookie. Defaults to token
validateFunc function Function to validate the decoded token on every request

Note: Storing the token in a cookie is optional, but recommended. You can always send the token in an Authorization header.

Or check out the sample app: massive-hapi

/* server.js */
 
 
// Register hapi-auth-cookie 
 
server.register(require('hapi-auth-cookie'), (err) => {
 
    server.auth.strategy('session', 'cookie', {
        cookie: 'cookie-name',
        password: 'TheMinimumLengthOfPasswordsIs32!'
    });
});
 
 
// Register jot 
 
server.register(require('jot'), (err) => {
 
    server.auth.strategy('jwt', 'jwt', {
        secret: 'ADifferentPasswordAlsoAtLeast32!',
        cookie: 'cookie-name'
    });
 
    server.auth.default({
        strategy: 'jwt',
        scope: ['admin']
    });
});
 
 
/* routes.js */
 
 
// Login route 
 
server.route({
    method: 'POST',
    path: '/login',
    config: {
        auth: false,
        handler: (request, reply) => {
 
            // ... validate user credentials, yada yada yada ... 
 
            // Set the token inside of the cookie 
 
            request.cookieAuth.set(Jwt.sign({
                scope: ['admin']
            }, 'ADifferentPasswordAlsoAtLeast32!', {
                expiresIn: 60 * 60 * 2 // 2 hrs, but can be anything 
            }));
 
            reply('ok!');
        }
    }
});
 
 
// Resource 
 
server.route({
    method: 'GET',
    path: '/trade-secrets',
    config: {
        handler: (request, reply) => {
 
            // User is already authorized, time to check out those trade secrets 
 
            reply('secrets!');
        }
    }
});

For more examples, check out the tests.