UNPKG

fastify-jwt-jwks

Version:

JWT JWKS verification plugin for Fastify

github.com/nearform/fastify-jwt-jwks

nearform/fastify-jwt-jwks

92 lines (82 loc) 3.09 kB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
import { FastifyPluginCallback, FastifyReply, FastifyRequest } from 'fastify' import { UserType, SignPayloadType } from '@fastify/jwt' import NodeCache from 'node-cache' export interface FastifyJwtJwksOptions { /** * JSON Web Key Set url (JWKS). * The public endpoint returning the set of keys that contain amongst other things the keys needed to verify JSON Web Tokens (JWT) * Eg. https://domain.com/.well-known/jwks.json */ readonly jwksUrl?: string /** * The intended consumer of the token. * This is typically a set of endpoints at which the token can be used. * If you provide the value `true`, the domain will be also used as audience. * Accepts a string value, or an array of strings for multiple audiences. */ readonly audience?: string | readonly string[] | boolean /** * The domain of the system which is issuing OAuth access tokens. * By default the domain will be also used as audience. * Accepts a string value, or an array of strings for multiple issuers. */ readonly issuer?: string | RegExp | (RegExp | string)[] /** * The OAuth client secret. It enables verification of HS256 encoded JWT tokens. */ readonly secret?: string /** * If to return also the header and signature of the verified token. */ readonly complete?: boolean /** * How long (in milliseconds) to cache RS256 secrets before getting them * again using well known JWKS URLS. Setting to 0 or less disables the cache. */ readonly secretsTtl?: string | number /** * Used to indicate that the token can be passed using cookie, instead of the Authorization header. */ readonly cookie?: { /** * The name of the cookie. */ cookieName: string /** * Indicates whether the cookie is signed or not. If set to `true`, the JWT * will be verified using the unsigned value. */ signed?: boolean } /** * You may customize the request.user object setting a custom sync function as parameter: */ readonly formatUser?: (payload: SignPayloadType) => UserType /** * A string used to namespace the decorators of this plugin. This is to allow this plugin to be applied multiple times * to a single Fastify instance. See the description of the namespace parameter in @fastify/jwt. */ readonly namespace?: string } export interface JwtJwks extends Pick<FastifyJwtJwksOptions, 'jwksUrl' | 'audience' | 'secret'> { readonly verify: FastifyJwtJwksOptions & { readonly algorithms: readonly string[] readonly audience?: string | readonly string[] } } export type Authenticate = (request: FastifyRequest) => Promise<void> /** * JWT JWKS verification plugin for Fastify, internally uses @fastify/jwt and jsonwebtoken. */ export const fastifyJwtJwks: FastifyPluginCallback<FastifyJwtJwksOptions> export default fastifyJwtJwks declare module 'fastify' { interface FastifyInstance { authenticate: Authenticate jwtJwks: JwtJwks } interface FastifyRequest { jwtJwks: JwtJwks jwtJwksSecretsCache: Pick<NodeCache, 'get' | 'set' | 'close'> } }