UNPKG

jsonwebtoken-redis

Version:

Json Web Token Redis

ayro.io

ayrolabs/jsonwebtoken-redis

136 lines (103 loc) 4.83 kB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
# jsonwebtoken-redis This library completely repeats the entire functionality of the library [jsonwebtoken](https://www.npmjs.com/package/jsonwebtoken), with four important additions: 1. The token expiration time can be completely managed by Redis. 2. You can invalidate the token by removing it from Redis. 3. You can postpone the expiration a token. 4. There's no callback. All functions returns Promises. # Installation ```javascript npm install jsonwebtoken-redis ``` # Quick start ```javascript const Redis = require('redis'); const redis = new Redis(); const JwtRedis = require('jsonwebtoken-redis'); const jwtRedis = new JwtRedis(redis, { prefix: 'session:' // The prefix used in Redis keys (optional). Defaults to "session:". expiresKeyIn: '24 hours' // The default Redis expiration time (optional) promiseImpl: Promise // Custom promise library (optional). Defaults to native Promise. }); const secret = 'shhhhhh'; const payload = { scope: 'user', user: '1', }; // Sign function call overriding the default Redis expiration time provided above jwtRedis.sign(payload, secret, {expiresKeyIn: '48 hours'}).bind({}).then((token) => { this.token = token; // Returns the decoded payload without verifying if the signature is valid return jwtRedis.decode(token, secret, {complete: true}); }).then((decoded) => { // Returns the decoded payload verifying if the signature is valid return jwtRedis.verify(this.token, secret); }).then((decoded) => { // Increases the expiration time by 48 hours return jwtRedis.touch(this.token); }).then(() => { // Removes the token from Redis, invalidating it in the next "verify" function calls. return jwtRedis.destroy(this.token); }); ``` # Expiration time managed by Redis There's a new option ````expiresKeyIn```` when you call [sign](https://www.npmjs.com/package/jsonwebtoken#jwtsignpayload-secretorprivatekey-options-callback). This option is used to set the expiration time of the key/value created in Redis. Using this option the expiration time is completely managed by Redis, in other words, the key/value is created in Redis through the command ````expire````. The token it self doesn't contain any expiration data. ```javascript jwtRedis.sign(payload, secret, {expiresKeyIn: '48 hours'}).then((token) => { }); ``` You can continue to use the option ````expiresIn```` or the payload attribute ````exp````, but the option ````expiresKeyIn```` will be completely ignore. The key/value will be created in Redis with the expiration based on jwt option or payload attriute mentioned previously. Attention: Implementing this way, you can't postpone the expiration in Redis because the token it self will expire. # Defining the jti claim The "jti" (JWT ID) claim provides a unique identifier for the JWT. This is used to create the key for the token in Redis. If you don't provide the "jti", a new one will be generated using [uuid](https://www.npmjs.com/package/uuid) version 4 (random). ```javascript const jwtRedis = new JwtRedis(client, {prefix: 'session:'}) const payload = {jti: 'test'}; // The key for the token in Redis will be "session:test" const secret = 'shhhhhh'; jwtRedis.sign(payload, secret, {expiresKeyIn: '1 hour'}).then((token) => { return jwtRedis.decode(token, secret); }).then((decoded) => { console.log(decoded.jti) // Will print "test" }); ``` # Touching the token When you set the jwt expiration time, you can't change it anymore. By using the option ````expiresKeyIn```` when you call ````sign````, you have the power to postpone the expiration time. ```javascript jwtRedis.sign(payload, secret, {expiresKeyIn: '1 hour'}).then((token) => { // Do what you need here }); // After 30 minutes... jwtRedis.touch(token).then(() => { // Now the token will be valid for more 1 hour. Without this the token would expire in 30 minutes. }); ``` # Destroying the token You can invalidate the token by calling ````destroy```` function. This will remove the key/value associated to the token from Redis. All future calls to ````verify```` will throw ````JwtRedis.TokenExpiredError````. ```javascript jwtRedis.destroy(token).then(() => { // The token was removed from Redis }); ``` # Promises All functions will return a Promise. You can set the Promise implementation by passing the option ````promiseImpl```` when you instantiate a new ````JwtRedis````. ```javascript const Promise = require('bluebird') const jwtRedis = new JwtRedis(redis, { promiseImpl: Promise, }); ``` # API Create a token ### jwtRedis.sign(payload, secretOrPrivateKey [, options]) ### Verify the token ### jwtRedis.verify(token, secretOrPublicKey [, options]) ### Decode the token ### jwt.decode(token [, options]) ### Postpone the token expiration ### jwtRedis.touch(token) ### Destroy the token ### jwtRedis.destroy(token) ###