# restify-jwt

Restify middleware that validates JsonWebTokens and sets `req.user`.

This module lets you authenticate HTTP requests using JWT tokens in your restify applications.
## Install

```
$ npm install restify-jwt
```
## Usage

The JWT authentication middleware authenticates callers using a JWT. If the token is valid, `req.user` will be set with the decoded JSON object, to be used by later middleware for authorization and access control.

For example:

```js
var jwt = require('restify-jwt');

// Verify incoming tokens with a shared secret and attach the claims to req.user.
app.use(jwt({ secret: 'hello world !' }));
```
You can specify `audience` and/or `issuer` options as well, and the token's corresponding claims will be checked against them.
If the JWT has an expiration (`exp`), it will be checked.

If you are using a base64 URL-encoded secret, pass a `Buffer` with `base64` encoding as the secret instead of a string.
Optionally you can make some paths unprotected as follows:

```js
// '/token' is an example of a route that should be reachable without a JWT.
app.use(jwt({ secret: 'hello world !' }).unless({ path: ['/token'] }));
```

This is especially useful when applying to multiple routes. In the example above, `path` can be a string, a regexp, or an array of any of those.

For more details on the `.unless` syntax including additional options, please see express-unless.
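To make the `path` matching rules concrete, here is a small added example (not code from express-unless or restify-jwt) of an `unless` wrapper that accepts the shapes described above: a string (matched exactly), a RegExp, or an array of either. `fakeJwt` is a constructed stand-in for the real middleware and `simulate` is a hypothetical harness that runs one request through the wrapped handler.

```javascript
// Added example, not express-unless or restify-jwt code: a minimal `unless` that
// skips a handler when the request path matches, accepting the same shapes the
// README describes for `path` (a string, a RegExp, or an array of either).
function matchesPath(pattern, path) {
  if (typeof pattern === 'string') return pattern === path; // exact match only
  if (pattern instanceof RegExp) return pattern.test(path);
  return false;
}

function unless(handler, options) {
  const patterns = [].concat(options.path || []);
  return function (req, res, next) {
    // Match on the pathname only, so a query string cannot smuggle a path past the filter.
    const pathname = req.url.split('?')[0];
    const skip = patterns.some((p) => matchesPath(p, pathname));
    if (skip) return next();
    return handler(req, res, next);
  };
}

// Constructed stand-in for the JWT middleware: fails closed unless a known header is present.
function fakeJwt(req, res, next) {
  if (req.headers.authorization === 'Bearer constructed-valid-token') {
    req.user = { sub: 'alice' };
    return next();
  }
  return next(new Error('InvalidCredentials'));
}

// Hypothetical harness: run a request through the wrapped handler and report the outcome.
function simulate(url, headers) {
  const protect = unless(fakeJwt, { path: ['/public', /^\/docs\//] });
  const req = { url, headers: headers || {} };
  let outcome;
  protect(req, {}, (err) => {
    outcome = err ? 'rejected' : (req.user ? 'authenticated' : 'skipped');
  });
  return outcome;
}
```

Note that string patterns are compared exactly, so `/public` does not unprotect `/public-admin`; use a RegExp when a whole prefix should be open.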
This module also supports tokens signed with public/private key pairs. Instead of a secret, you can specify a `Buffer` with the public key:

```js
var fs = require('fs');

// '/path/to/public.pub' is a placeholder for your own public key file.
var publicKey = fs.readFileSync('/path/to/public.pub');
app.use(jwt({ secret: publicKey }));
```
By default, the decoded token is attached to `req.user` but can be configured with the `requestProperty` option:

```js
// The decoded token now lands on req.auth instead of req.user.
app.use(jwt({ secret: publicKey, requestProperty: 'auth' }));
```
A custom function for extracting the token from a request can be specified with the `getToken` option. This is useful if you need to pass the token through a query parameter or a cookie. You can throw an error in this function and it will be handled by restify-jwt.

```js
app.use(jwt({
  secret: 'hello world !',
  // Look in the Authorization header first, then fall back to a `token` query parameter
  // (req.query is populated by restify's query parser plugin).
  getToken: function fromHeaderOrQuerystring(req) {
    if (req.headers.authorization && req.headers.authorization.split(' ')[0] === 'Bearer') {
      return req.headers.authorization.split(' ')[1];
    } else if (req.query && req.query.token) {
      return req.query.token;
    }
    return null;
  }
}));
```
## Multi-tenancy

If you are developing an application in which the secret used to sign tokens is not static, you can provide a callback function as the `secret` parameter. The function has the signature `function(req, payload, done)`:

* `req` (Object) - The restify `request` object.
* `payload` (Object) - An object with the JWT claims.
* `done` (Function) - A function with signature `function(err, secret)` to be invoked when the secret is retrieved.
  * `err` (Any) - The error that occurred.
  * `secret` (String) - The secret to use to verify the JWT.

For example, if the secret varies based on the JWT issuer:

```js
var jwt = require('restify-jwt');
var data = require('./data');           // your own tenant data access (illustrative)
var utilities = require('./utilities'); // your own helpers (illustrative)

var secretCallback = function (req, payload, done) {
  var issuer = payload.iss;

  // Hypothetical lookup: resolve the tenant for this issuer and hand back its secret.
  data.getTenantByIdentifier(issuer, function (err, tenant) {
    if (err) { return done(err); }
    if (!tenant) { return done(new Error('missing_secret')); }
    done(null, utilities.decrypt(tenant.secret));
  });
};

app.use(jwt({ secret: secretCallback }));
```
## Revoked tokens

It is possible that some tokens will need to be revoked so they cannot be used any longer. You can provide a function as the `isRevoked` option. The signature of the function is `function(req, payload, done)`:

* `req` (Object) - The restify `request` object.
* `payload` (Object) - An object with the JWT claims.
* `done` (Function) - A function with signature `function(err, revoked)` to be invoked once the check to see if the token is revoked or not is complete.
  * `err` (Any) - The error that occurred.
  * `revoked` (Boolean) - `true` if the JWT is revoked, `false` otherwise.

For example, if the `(iss, jti)` claim pair is used to identify a JWT:

```js
var jwt = require('restify-jwt');
var data = require('./data'); // your own token store (illustrative)

var isRevokedCallback = function (req, payload, done) {
  var issuer = payload.iss;
  var tokenId = payload.jti;

  // Hypothetical lookup: is this (iss, jti) pair present in the revocation store?
  data.getRevokedToken(issuer, tokenId, function (err, token) {
    if (err) { return done(err); }
    return done(null, !!token);
  });
};

app.use(jwt({
  secret: 'hello world !',
  isRevoked: isRevokedCallback
}));
```
## Error handling

The default behavior is to throw an error when the token is invalid, so you can add your custom logic to manage unauthorized access as follows:

```js
app.use(jwt({ secret: 'hello world !' }));

// Invalid or missing tokens are passed on as restify errors; handle them in your
// own error handling logic if the default response is not what you want.
```

You might want to use this module to identify registered users without preventing unregistered clients from accessing some data; you can do it using the option `credentialsRequired`:

```js
app.use(jwt({
  secret: 'hello world !',
  credentialsRequired: false
}));
```
## Tests

```
$ npm install
$ npm test
```
## Credits

Based on auth0/express-jwt. The major difference is that restify-jwt tries to use built-in restify errors wherever possible.