passport-jwt-cookiecombo
Passport strategy for lightning-fast authentication with a JSON Web Token, based on the jsonwebtoken implementation for Node.js.
The JWT Cookie Combo Strategy for Passport combines the Authorization header for native app requests with a more secure stateless cookie (Secure, HttpOnly, SameSite, signed) for web requests from a browser.
Best of all: with either technique, every request is authenticated without a database query, because the user comes from the token payload. You just use req.user in your route handlers. The flip side of being stateless is that nothing is looked up, so a token stays valid until its `exp`; keep `expiresIn` short if you need to be able to cut off access quickly.
Install
```sh
npm install passport-jwt-cookiecombo
```
TL;DR
```js
// =============================================================================
// Configure Strategy
// =============================================================================
var JwtCookieComboStrategy = require('passport-jwt-cookiecombo');
passport;

// =============================================================================
// Sign Token
// =============================================================================
var jwt = require('jsonwebtoken');
router;

// =============================================================================
// Authenticate Requests
// =============================================================================
var express = require('express');
app;
```
Usage
Sample Login with Set-Cookie
```js
// =============================================================================
// Dependencies
// =============================================================================
var cookieParser = require('cookie-parser');
var passport = require('passport');
var jwt = require('jsonwebtoken');
var express = require('express');

// =============================================================================
// Express App inits cookie with a secret
// =============================================================================
var app = express();
// Pass a secret to sign the secured http cookie
app;

// =============================================================================
// Login route with any Passport authentication strategy
// =============================================================================
// Passport provides us the authenticated user in the request
router;

// =============================================================================
// Sample Passport Authentication where the user is set for the jwt payload
// =============================================================================
passport;
```
JWT Cookie Combo Passport Strategy
```js
var JwtCookieComboStrategy = require('passport-jwt-cookiecombo');
// Authenticate API calls with the Cookie Combo Strategy
passport;
```
The following options are passed straight through to `jsonwebtoken.verify`:

- `secretOrPublicKey`: a string or buffer containing either the secret for HMAC algorithms, or the PEM-encoded public key for RSA and ECDSA.
- `jwtVerifyOptions`:
  - `algorithms`: list of strings with the names of the allowed algorithms, for instance `["HS256", "HS384"]`. Default: `HS256`. Set this explicitly and keep it to one key family: the `alg` header of an incoming token is attacker-controlled, and a verifier that accepts both HMAC and public-key algorithms for the same `secretOrPublicKey` lets an attacker sign tokens with the public key used as an HMAC secret.
  - `audience`: if you want to check audience (`aud`), provide a value here.
  - `issuer` (optional): string or array of strings of valid values for the `iss` field.
  - `ignoreExpiration`: if `true`, do not validate the expiration of the token.
  - `ignoreNotBefore`: ...
  - `subject`: if you want to check subject (`sub`), provide a value here.
  - `clockTolerance`: number of seconds to tolerate when checking the `nbf` and `exp` claims, to deal with small clock differences among different servers.
JWT Cookie Combo global API routes protection
app;
Sample Config
```js
module.exports = {
  jwt: {
    secret: process.env.JWT_SECRET || 'SetStrongSecretInDotEnv',
    options: {
      audience: 'https://example.io',
      expiresIn: '12h', // 1d
      issuer: 'example.io'
    },
    cookie: {
      httpOnly: true,
      sameSite: true, // express emits this as SameSite=Strict
      signed: true,
      secure: true
    }
  }
};
```
Sample Auth-Header
Key | Token |
---|---|
Authorization | eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VyIjp7ImlkIjoiNTc5ZWVkZGRlMDEzNz... |
Sample Token
HEADER: ALGORITHM & TOKEN TYPE
```json
{
  "alg": "HS256",
  "typ": "JWT"
}
```
PAYLOAD: DATA
```json
{
  "user": {
    "id": "577839eeddde013794ae2332",
    "role": "admin"
  },
  "iat": 1468340405,
  "exp": 1468383605,
  "aud": "https://example.io",
  "iss": "example.io"
}
```
Here `exp` is `iat` + 43200 seconds, the `expiresIn: '12h'` of the sample config, and `aud` and `iss` are the values the strategy checks through `jwtVerifyOptions`.
VERIFY SIGNATURE
```
HMACSHA256(
  base64UrlEncode(header) + "." + base64UrlEncode(payload),
  secret
)
```
Tonic Notebook
Try it out on tonic.dev tonic + npm: passport-jwt-cookiecombo