express-simple-jwt-auth

WORK IN PROGRESS, NOT FULLY TESTED, DO NOT USE.

Automates validation and decoding of JWT tokens, incorporation of the decoded JWT into req.user as an object, and the addition of role based security in an opinionated database, and an /auth route to validate the JWT and decode it for the client, and a role based security method for end points.

The authenticator is intended to be used with the jwt-simple-login component.

New Notes

Uses password-validator so configuration for that works for passwords

Ensure your custom methods return the not a mongoose object but a json object... use .toJSON() on the result you return.

Authentication requires objects which contain:

{
  ...
  email: '...',
  salt: '...',
  password: '...'
}

Login and create endpoint requires fields: username and password along with any other fields.

Create returns { body, saltHash: { salt: '...', hash: '...' } }

Login returns { body }

Installation

npm i -S jwt-simple-auth

Requirements

Your Mongo database model must include the following:

{
	"email": String,     // For matching with what's in the '.mail' within the jwt.
	"roles": [ String ], // Array of strings of Role names
	"locations": [       // Array of location objects user is associated with (below)
	  { 
	    "city": String,
	    "state": String
	  }
	] // 
}

Usage

Within the app.js file on your node application, require in the component. Somewhere you must define the jwtSecret to validate your Authorization token. Do not store this in your source code as in the example below Use docker-secreto or some other secret management method.

NOTE: If you are using app.use(cors()) you will need to include the route after you add the cors module in.

This module uses express-jwt to manage unless operations

app.js

const { authenticator, authRoute } = require('sso-api-authenticator')

...
const jwtSecret = 'my-secret-password', // Do NOT do this!
      mongoOptions = {
        uri: 'mongodb://someserver.com:27017/db',
        options: {
          ...
        }
      },
      expressJwtOptions = {}
...
// AFTER database connection and mongoose model are defined...

app.use(authenticator(jwtSecret, mongoOptions, expressJwtOptions, {
  path: [
    '/users',
    '/login',
    /\/login\/.*/
  ]
}))

app.use('/auth', authRoute)

After including the above code in your server setup you will gain access to a new object, req.user. This contains all data within the JWT, unencoded as well as relevant roles and locations.

Now, securing a route by role is as simple as adding either req.user.allow() or req.user.deny()

route/users.js

...

router.get('/allow', (req, res, next) => {
  req.user.allow(['Developer'], () => {
    return res.send('The user is a Developer')
  })
  .otherwise(() => {
    res.send('The user does not have the Developer role.')
  })
})


router.get('/deny', (req, res, next) => {
  req.user.deny(['Developer'], () => {
    return res.send('The user does not have the Developer role, so is allowed access.')
  })
  .otherwise(() => {
    res.send('The user is a Developer. None Shall Pass!')
  })
})

...

Parameters

middleware(jwtSecret, MongooseModelForPermissions, expressJwtOptions, unlessObject)

|Param|Required|Definition| |:----|:----:|:---| | jwtSecret|Y|The secret to use for validating your JWT token| | mongoOptions |Y|The database connection object: { uri: 'mongodb://server.com:2017, options: { ... } }.| | expressJwtOptions |N|A passthrough to give access to the express-jwt options. Defaults to {}| |unlessObject|N|An object which is placed into the express-jwt.unless() method. This defines which end points not to protect with JWT security ... like /login |

See express-jwt documentation for details on the expressJwtOptions and unless object settings