UNPKG

@veloze/jwt

Version:

todo

github.com/commenthol/veloze-jwt

commenthol/veloze-jwt

145 lines (113 loc) 3.49 kB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
[![npm-badge][npm-badge]][npm] [![actions-badge][actions-badge]][actions] ![types-badge][types-badge] # @veloze/jwt Middleware to verify JSON-Web-Tokens (JWT) sent in Bearer Authorization Header. If public-keys are required to verify JWTs the JWKS URI can be detected by issuer using `.well-known/openid-configuration` URLs. Supports multiple issuers with the `jwks()` method. Works also with [express][] using `jwtAuthExpress()`. # usage Installation ``` npm i @veloze/jwt ``` In your code: ```js import { Server } from 'veloze' import { jwtAuth } from '@veloze/jwt' const server = new Server() const issuer = 'https://sym.oau.th' // for HS256, HS384, HS512 token provide secret const protect = jwtAuth({ issuer, secret: 's€cr3t' }) server.get('/', protect, (req, res) => res.end()) server.listen(443) // ---- await fetch('https://server', { headers: { authorization: 'Bearer <TOKEN>' // H256 Token with issuer https://my.oau.th } }) ``` For OIDC servers with `.well-known/openid-configuration` ```js import { jwtAuth, jwks } from '@veloze/jwt' // with asymmetric keys const issuer = 'https://my.oau.th' const issuer2 = 'https://oauth.other' // (optionally) add issuer with symmetric keys const secretsByIssuer = { 'https://sym.oau.th': 's€cr3t' } // supports multiple issuers const secret = await jwks([issuer, issuer2], { secretsByIssuer }) const protect = jwtAuth({ secret }) ``` # API ## jwtAuth ```ts import { JWTHeaderParameters, JWTPayload, JWTVerifyOptions, KeyLike } from 'jose' interface DecodedJWT { header: JWTHeaderParameters, payload: JWTPayload, signature: string } type GetKeyLikeFn = (decodedToken: DecodedJWT, req: Request) => Promise<KeyLike>; interface JwtOptions extends JWTVerifyOptions { /** * for HS256...HS512 provide secret as Buffer or string * for asymmetric JWT provide publicKey as secret */ secret: string|Buffer|KeyLike|GetKeyLikeFn /** * if verification is successful then payload of decoded token is added to * request using this property e.g. default is `req.auth` * @default 'auth' */ requestProperty: string } function jwtAuth (options: JwtOptions): Promise<(req: Request, res: Response): void> function jwtAuthExpress (options: JwtOptions): (req: Request, res: Response, next: Function): void ``` ## jwks ```ts type JwksOptions = { /** * allows to set custom fetch function */ fetcher?: typeof fetch | undefined /** * expiry in ms, JWKS uris are cached until this expiry timeout */ expiresIn?: number | undefined /** * jwksUri by issuer (for PS, RS, ES alg JWTs) * allows to overwrite the default jwks_uri which usually is looked-up from * .well-known/openid-configuration */ jwksByIssuer?: Record<string, string> | undefined /** * secret by issuer (for HS JWTs) */ secretsByIssuer?: Record<string, string | Uint8Array> | undefined } /** * issuers: provide a list of different issuers which shall be supported */ function jwks(issuers: string[], options: JwksOptions): Promise<GetKeyLikeFn> ``` # license MIT licensed [npm-badge]: https://badgen.net/npm/v/@veloze/jwt [npm]: https://www.npmjs.com/package/@veloze/jwt [types-badge]: https://badgen.net/npm/types/@veloze/jwt [actions-badge]: https://github.com/commenthol/veloze-jwt/workflows/CI/badge.svg?branch=main&event=push [actions]: https://github.com/commenthol/veloze-jwt/actions/workflows/ci.yml?query=branch%3Amain [express]: https://expressjs.com