1.0.0 • Public • Published


    Build Status Code Climate

    A Passport strategy for authenticating with a JSON Web Token.

    This module is another version of the original passport-jwt by Mike Nicholson that let's you authenticate a Node.js web-application's middleware endpoints using a JSON web token. Unlike, the generic passport-jwt, the following module allows to include JSON web tokens in the http-request body and session authorization variable.

    Supported By

    If you want to quickly add secure token-based authentication to Node.js apps, feel free to check out Auth0's Node.js SDK and free plan at Auth0 Logo


    npm install passport-jwt-site@1.0.0

    What was changed...

    Specifically, I've modified the JwtStrategy.prototype.authenticate(...) method by providing the functionality that allows to retrieve JSON web tokens not only from the standard Authorization header, but also the http-request body and session authorization variable:

    JwtStrategy.prototype.authenticate = function(req, options) {
        var self = this; var token = null;
        // Retrieve JSON web token from the http-request body
        if ((req.body["Authorization"] != null) && 
            (req.body["Authorization"] != undefined)) {
                token = req.body["Authorization"];
        // Retrieve JSON web token from the session Authorization variable
        else if ((req.session["Authorization"] != null) && 
                 (req.session["Authorization"] != undefined)) {
                    token = req.session["Authorization"];
        if ((token != null) && (token != undefined)) {
            // Extract a valid JSON web token string
            token = token.substr(token.indexOf(' ') + 1);
        else {
            // Retrieve JSON web token from the Authorization header
            token = self._jwtFromRequest(req);
        if (!token) {
            return Error("No auth token"));
        // ****

    The following fragment of code listed above, while being executed, first attempts to retrieve JSON web token from the http-request body and assign it to the token local variable. If the http-request body variable Authorization is null or undefined, it performs another check if the JSON web token is included in the session authorization variable instead. If so, it retrieves and assigns a valid token string to the same token variable. Finally, if neither the http-request body nor session authorization variable contains a valid token, it regularly retrieves the token from the authorization header by executing token = self._jwtFromRequest(req) method.


    Normally, with the re-engineered passport-jwt-site strategy module you can include JSON web tokens to the either http-request body or session authorization variable. Here's how:

    Including JWT To The HTTP-Request Body

    With passport-jwt-site, now, you can include JSON web tokens to the Ajax http-request body:


    $.get('/profile', {"Authorization": "Bearer " + token}, function(response) => { ... });
    $.post('/profile', {"Authorization": "Bearer " + token}, function(response) => { ... });

    Including JWT To Session Authorization Variable


    Also, you can include JSON web tokens to the session Authorization variable:'/login', function(req, res, next) {
      auth.passport.authenticate('jwt', {session: false},
       function(err, user, info) {
        if (err) { return next(err); }
        req.logIn(user, function(err) {
          if (user != false) {
               // Include JWT to the session Authorization variable
               req.session.Authorization = req.body["Authorization"];
          return res.status(200).send(user);
      })(req, res, next);

    This is typically done to have an ability to perform authenticated web-page redirects such as:


    $.post('/login', {"Authorization": "Bearer " + token}, 
        (response) => {
            // Redirect to the users profile web page
            $(location).attr('href', '/profile');

    Create an authenticated middleware, rendering the users profile's web page:


    router.get('/profile', passport.authenticate('jwt', {session: false }),
        function(req, res, next) { 
            res.statusCode = 200; res.render('profile');


    The the Migration Guide for help upgrading to the latest major version of passport-jwt


    npm install
    npm test

    To generate test-coverage reports:

    npm install -g istanbul
    npm run-script testcov
    istanbul report


    The MIT License

    Copyright (c) 2019 by Arthur V. Ratz


    npm i passport-jwt-site

    DownloadsWeekly Downloads






    Unpacked Size

    50.2 kB

    Total Files


    Last publish


    • epsilon_dev