node-bits-jwt

v0.0.22

Provides the logic to add jwt to a node-bits server

node-bits-jwt provides JSON Web Token (JWT) security to any node-bits server.

Install

npm install node-bits-jwt --save

or

yarn add node-bits-jwt

Configuration

node-bits-jwt can have one of the larger config objects of all the bits. The bit tries to cut down on this size with intelligent defaults where possible.

Simplest Config:

import nodeBitsJwt from 'node-bits-jwt';

nodeBitsExpress({
  hooks: [
    nodeBitsJwt({
      secret: 'reallylongrandomstring',
      user: { model: 'user', key: 'email', password: 'password' },
      restrict: ['/api'],
    }),
  ],
}),

Complex Config:

import nodeBitsJwt, { secureByRole } from 'node-bits-jwt';

nodeBitsExpress({
  hooks: [
    nodeBitsJwt({
      authorizeUrl: '/authorize',
      expiresIn: '1w',
      secret: 'reallylongrandomstring',
      user: (database, request, config) => {
        return database.find({ where: { name: request.query.name }});
      },
      restrict: ['/api'],
      returnData: ['email', 'role'],
      securitySchemes: [
        secureByRole({
          roleKey: 'role',
          map: {
            admin: '*',
            sales: {
              '/api/customer*': [GET,POST,PUT],
              '/api/order': [GET,POST,PUT],
            },
            it: {
              '/api/*': [GET,POST,PUT,DELETE]
            }
          },
        }),
      ],
    })
  ],
}),

authorizeUrl

This is the URL to which a caller POSTs their authorization credentials in order to obtain a token. By default this is /api/authorize.

expiresIn

The length of time a token is valid. By default this is 1 day. node-bits-jwt uses Moment.js notation to express duration.

secret

This is the secret key that is used to encrypt the token. I recommend loading it from an environment variable in production.

user or findUser

This is the model against which the bit checks the posted credentials.

At its simplest, specify the model name along with the key and password fields:

user: {
  model: 'user',
  key: 'email',
  password: 'password',
  active: 'active',
},

Alternatively, you can specify a findUser method that has the signature: (database, request, config). node-bits-express expects you to return a promise which resolves with a user object if the authorization is successful, or is rejected if the authorization fails.

restrict

This is an array of routes to which the JWT security is applied. node-bits-jwt treats each string in this array as a prefix, as if it were value* (i.e. /api applies to all routes that start with /api, such as /api/order or /api/foo).

tokenData and returnData

tokenData is the data encrypted and stored in the token. Any data needed to apply the selected security scheme should be included in this token.

returnData is the data included in the JSON object that the authorize POST returns to the caller.

If only one of these is supplied, it will be used for both. If neither is specified, node-bits-jwt will use the full user object for both.

Both can be specified one of two ways:

  • array: an array of strings that match the properties of the user object to include
  • function: a function that accepts the user object and returns the JSON object to use
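
An added example, not code from node-bits-jwt, of why the default (the full user object in both tokenData and returnData) deserves an explicit allowlist. It assumes the bit issues an ordinary HMAC-signed (HS256) JWT, which the README does not state; sampleUser, allowlist, signToken, readClaims and verifyToken are hypothetical names, and the user record and secret are constructed.

```javascript
const crypto = require('crypto');

// Constructed sample user record; field names follow the README's user config.
const sampleUser = {
  id: 7,
  email: 'ana@example.test',
  role: 'sales',
  password: 'constructed-password-hash',
  active: true,
};

// Function form of tokenData/returnData: copy only allowlisted properties.
const allowlist = fields => user =>
  Object.fromEntries(fields.filter(f => f in user).map(f => [f, user[f]]));

const tokenData = allowlist(['email', 'role']);

const b64url = text => Buffer.from(text, 'utf8').toString('base64url');
const mac = (secret, data) =>
  crypto.createHmac('sha256', secret).update(data).digest('base64url');

// Stand-in HS256 signer (assumption: not the package's own token code).
function signToken(payload, secret) {
  const header = b64url(JSON.stringify({ alg: 'HS256', typ: 'JWT' }));
  const unsigned = `${header}.${b64url(JSON.stringify(payload))}`;
  return `${unsigned}.${mac(secret, unsigned)}`;
}

// What any holder of the token can read, with no knowledge of the secret.
function readClaims(token) {
  return JSON.parse(Buffer.from(token.split('.')[1], 'base64url').toString('utf8'));
}

// The secret guards integrity: a modified payload no longer verifies.
function verifyToken(token, secret) {
  const [head, body, sig] = token.split('.');
  const expected = Buffer.from(mac(secret, `${head}.${body}`));
  const given = Buffer.from(String(sig));
  return given.length === expected.length && crypto.timingSafeEqual(given, expected);
}

const SECRET = 'constructed-demo-secret';
const leakyToken = signToken(sampleUser, SECRET); // default: full user object
const minimalToken = signToken(tokenData(sampleUser), SECRET);

console.log(Object.keys(readClaims(leakyToken)));   // includes the password field
console.log(Object.keys(readClaims(minimalToken))); // only the allowlisted fields
```

Whatever the token format, the same allowlist function also keeps the password field out of the authorize response when it is used for returnData.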

securitySchemes

An array of schemes to be applied. These are simple functions with the signature: (request, token) which should return true or false based on the ability of the token to access the route requested.

If not specified, all routes are available to all tokens.

node-bits-jwt provides the following schemes out of the box:

secureByRole

secureByRole requires two pieces of data: the field that represents the role on the user object, and a map from potential values of that field to the routes that role is allowed to access. This scheme is pessimistic, meaning that if a role is not explicitly granted access, it will be rejected.

Example configuration:

securitySchemes: [
  secureByRole({
    roleKey: 'role',
    map: {
      admin: '*',
      sales: {
        '/api/customer*': [GET,POST,PUT],
        '/api/order': [GET,POST,PUT],
      },
      it: {
        '/api/*': [GET,POST,PUT,DELETE]
      }
    },
  }),
],
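
A custom scheme with the (request, token) signature described above that applies the same deny-by-default role map, as an added example rather than the package's secureByRole source. Assumptions: request.method and request.path are Express-style fields, token is the decoded tokenData, verbs are plain strings, a trailing * is a prefix match and a pattern without it must match exactly; roleMap, matches and denyByDefaultRoleScheme are hypothetical names.

```javascript
// Constructed role map mirroring the README's example, with verbs as strings.
const roleMap = {
  admin: '*',
  sales: {
    '/api/customer*': ['GET', 'POST', 'PUT'],
    '/api/order': ['GET', 'POST', 'PUT'],
  },
  it: { '/api/*': ['GET', 'POST', 'PUT', 'DELETE'] },
};

// Assumed pattern semantics: trailing '*' is a prefix match, otherwise exact.
const matches = (pattern, path) =>
  pattern.endsWith('*') ? path.startsWith(pattern.slice(0, -1)) : path === pattern;

// Builds a scheme with the README's (request, token) => boolean signature.
function denyByDefaultRoleScheme({ roleKey, map }) {
  return (request, token) => {
    const role = token ? token[roleKey] : undefined;
    // Own-property lookup, so a role claim such as 'constructor' or
    // '__proto__' can never resolve to something inherited from Object.
    if (typeof role !== 'string' || !Object.prototype.hasOwnProperty.call(map, role)) {
      return false; // unknown or missing role: rejected
    }
    const grant = map[role];
    if (grant === '*') return true; // role allowed everywhere
    const verb = String(request.method).toUpperCase();
    // Allowed only if some pattern matches the path AND lists the verb.
    return Object.entries(grant).some(
      ([pattern, verbs]) => matches(pattern, request.path) && verbs.includes(verb)
    );
  };
}

const scheme = denyByDefaultRoleScheme({ roleKey: 'role', map: roleMap });

// Constructed requests showing the edge cases.
console.log(scheme({ method: 'GET', path: '/api/customer/42' }, { role: 'sales' }));
console.log(scheme({ method: 'GET', path: '/api/order/5' }, { role: 'sales' }));
console.log(scheme({ method: 'DELETE', path: '/api/order' }, { role: 'sales' }));
console.log(scheme({ method: 'GET', path: '/api/order' }, { role: 'guest' }));
```

Under the exact-match assumption, /api/order does not cover /api/order/5, so a missing trailing * fails closed.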

secureManual

secureManual allows you to craft the security check to meet any requirement. It requires as its parameter a function with the signature (req, tokenData, database) that returns a Promise. If the promise resolves true, the check is considered passed; if it resolves false, the check is considered failed.

Example configuration:

securitySchemes: [
  secureManual((req, tokenData, database) => {
    // do some database queries
    return Promise.resolve(true);
  }),
],