npm package discovery and stats viewer.

Discover Tips

  • General search

    [free text search, go nuts!]

  • Package details

    pkg:[package-name]

  • User packages

    @[username]

Sponsor

Optimize Toolset

I’ve always been into building performant and accessible sites, but lately I’ve been taking it extremely seriously. So much so that I’ve been building a tool to help me optimize and monitor the sites that I build to make sure that I’m making an attempt to offer the best experience to those who visit them. If you’re into performant, accessible and SEO friendly sites, you might like it too! You can check it out at Optimize Toolset.

About

Hi, 👋, I’m Ryan Hefner  and I built this site for me, and you! The goal of this site was to provide an easy way for me to check the stats on my npm packages, both for prioritizing issues and updates, and to give me a little kick in the pants to keep up on stuff.

As I was building it, I realized that I was actually using the tool to build the tool, and figured I might as well put this out there and hopefully others will find it to be a fast and useful way to search and browse npm packages as I have.

If you’re interested in other things I’m working on, follow me on Twitter or check out the open source projects I’ve been publishing on GitHub.

I am also working on a Twitter bot for this site to tweet the most popular, newest, random packages from npm. Please follow that account now and it will start sending out packages soon–ish.

Open Software & Tools

This site wouldn’t be possible without the immense generosity and tireless efforts from the people who make contributions to the world and share their work via open source initiatives. Thank you 🙏

© 2024 – Pkg Stats / Ryan Hefner

@tsmx/express-jwt-validator

v1.1.3

Published

Simple express middleware for validating JWT bearer tokens.

Downloads

42

Readme

@tsmx/express-jwt-validator

License: MIT npm (scoped) node-current (scoped) Build Status Coverage Status Snyk Vulnerabilities for GitHub Repo

Simple express middleware for validating JWT bearer tokens.

Stop writing boilerplate code to protect express routes with JWT bearer tokens in your projects.

Supports optional log output using winston, log4js or any other compatible logger. For details refer to the log configuration section

Usage

const express = require('express');
const app = express();

const verifyToken = require('@tsmx/express-jwt-validator')({ 
  secret: 'YOUR_JWT_SECRET' 
});

app.get('/secret', verifyToken, (req, res) => {
  // token payload available in req.authData
  res.send('Only accessible with a valid JWT bearer token.');
});

For further customizing please refer to the configuration options.

How it works

This module exports a middleware function for express to check a request for a valid JSON Web token authorization. The token must be provided as a bearer token in the HTTP request header according to the RFC standard.

Requests with a failed JWT validation will be rejected with HTTP status 401 by default. If the validations succeeds, the verified JWT payload will be added to the request and it will be passed to the next element of the middleware chain.

verify-token-schema

Configuration options

When requiring in the middleware with...

const verifyToken = require('@tsmx/express-jwt-validator')({ 
  /* configuration object */ 
});

...the passed configuration object supports the following properties.

| Property | Description | |----------|-------------| | secret | The JWT validation secret | | header | Custom header HTTP name | | strictBearerValidation | Enable/disable strict validation | | rejectHttpStatus | Custom HTTP response status for failed validations | | sendExpiredMessage | Enable/disable error message for expired tokens | | requestAuthProp | Custom property name to store token data in req | | logger | An optional logger to receive log output |

secret

Type: String

Default: undefined

Mandatory: yes

The sceret used to verify the JWT bearer token. Must be present, otherwise an exception will be thrown.

Example:

const verifyToken = require('@tsmx/express-jwt-validator')({ 
  secret: 'MySecretKey-123456' 
});

header

Type: String

Default: authorization

Mandatory: no

Can be used if the bearer token will be supplied in another header field than authorization (Note: HTTP header field names are case-insensitive).

Example:

const verifyToken = require('@tsmx/express-jwt-validator')({ 
  secret: 'MySecretKey-123456', 
  header: 'auth' 
});

strictBearerValidation

Type: Boolean

Default: false

Mandatory: no

If set to true, the authorization header is strictly validated against the schema Bearer <JWT> (including the whitespace), like Bearer eyJhb.... If set to false (default), it is sufficient if the header consists of two strings separated by a whitespace whereas the second entry is considered to be the JWT.

Example:

const verifyToken = require('@tsmx/express-jwt-validator')({ 
  secret: 'MySecretKey-123456', 
  strictBearerValidation: true
});

rejectHttpStatus

Type: Number

Default: 401

Mandatory: no

The HTTP status to be sent back to the client if the bearer token validation fails. Defaults to 401 for Unauthorized, could also be set to 403 Forbidden for example. Please note that although any status is possible here you should use an appropriate HTTP client error code.

Example:

const verifyToken = require('@tsmx/express-jwt-validator')({ 
  secret: 'MySecretKey-123456',
  rejectHttpStatus: 403 
});

sendExpiredMessage

Type: Boolean

Default: true

Mandatory: no

If set to true, the rejection response will contain a JSON body with one property error and value TokenExpiredError indicating the client that the token has expired. This can be useful to allow the client to check that the token must be refreshed.

If set to false, an expired token will be rejected without any response body.

Example:

const verifyToken = require('@tsmx/express-jwt-validator')({ 
  secret: 'MySecretKey-123456', 
  sendExpiredMessage: false 
});

requestAuthProp

Type: String

Default: authData

Mandatory: no

The name of the property in req where the JWT bearer token payload should be stored for further processing. Can be changed to any property name, please make sure it is unique and no other properties are overwritten.

Example:

const verifyToken = require('@tsmx/express-jwt-validator')({ 
  secret: 'MySecretKey-123456', 
  requestAuthProp: 'tokenPayload' 
});

Token data would now be accessible with req.tokenPayload instead of req.authData in following middleware functions.

logger

Type: Object

Default: undefined

Mandatory: no

You can pass a winston or log4js logger instance (or any compatible) to get log output from the middleware. Compatible means that the logger must provide info, warn and error functions receiving a string to be logged.

Note: the package contains tests for winston and log4js.

The following events will be logged:

| Event | Log level | |-------|-----------| | Rejected - No auth header present | WARN | | Rejected - No valid 'Bearer TOKEN' entry in auth header | WARN | | Rejected - Strict Bearer validation failed | WARN | | Rejected - Expired token was sent | WARN | | Rejected - Invalid token was sent (potential attack) | ERROR | | Passed - Valid Bearer token was sent | INFO |

Example for winston:

const winston = require('winston');

winstonLogger = winston.createLogger({ /*... winston options ...*/ });

const verifyToken = require('@tsmx/express-jwt-validator')({ 
  secret: 'MySecretKey-123456', 
  logger:  winstonLogger
});

Example for log4js:

const log4js = require('log4js');

log4js.configure({ /*... log4js options ...*/ });
log4jsLogger = log4js.getLogger();

const verifyToken = require('@tsmx/express-jwt-validator')({ 
  secret: 'MySecretKey-123456', 
  logger:  log4jsLogger
});