UNPKG

toa-token

Version:

Json web token (JWT) module for toa.

github.com/toajs/toa-token

toajs/toa-token

144 lines (98 loc) 4.39 kB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
# toa-token Json web token (JWT) module for toa. It sign and verify token through a rotating credential system, in which new server keys can be added and old ones removed regularly, without invalidating client credentials. [![NPM version][npm-image]][npm-url] [![Build Status][travis-image]][travis-url] [![Downloads][downloads-image]][downloads-url] ## [toa](https://github.com/toajs/toa) ## [JSON Web Tokens](http://self-issued.info/docs/draft-ietf-oauth-json-web-token.html) This module lets you authenticate HTTP requests using JWT tokens in toa applications. JWTs are typically used protect API endpoints, and are often issued using OpenID Connect. ## Demo ```js const Toa = require('toa') const toaToken = require('toa-token') const Router = require('toa-router') const toaBody = require('toa-body') const router = new Router() router .get('/auth', function * () { let user = yield this.parseBody() // verify with user.name and user.passwd, get user._id let token = this.signToken({ name: user.name, _id: user._id }) this.body = token }) .get('/', function (Thunk) { // should have this.token when client request with authorization header. // var token = this.token // {_id: 'user id', name: 'user name'} // .... }) const app = Toa(function * () { yield router.route(this) }) toaBody(app) toaToken(app, 'secretKeyxxx', { expiresIn: 60 }) app.listen(3000) ``` ## Installation ```bash npm install toa-token ``` ## API ```js const toaToken = require('toa-token') ``` ### toaToken(app, secretOrPrivateKeys, [options])) - `secretOrPrivateKeys`: `secretOrPrivateKeys` is a array of string or buffer containing either the secret for HMAC algorithms, or the PEM encoded private key for RSA and ECDSA. - `options.authScheme`: `String`, Authorization scheme name, default to `Bearer`. In HTTP header fields: `Authorization: Bearer QWxhZGRpbjpvcGVuIHNld2FtZQ==`. - `options.useProperty`: `String`, token name add to `context`, default to `token`. - `options.getToken`: `Function`, A custom function for extracting the token, This is useful if you need to pass the token through a query parameter or a cookie. - `options.algorithm` (default: `HS256`) - `options.expiresIn`: expressed in seconds or a string describing a time span [rauchg/ms](https://github.com/rauchg/ms.js). Eg: `60`, `"2 days"`, `"10h"`, `"7d"` - `options.notBefore`: expressed in seconds or a string describing a time span [rauchg/ms](https://github.com/rauchg/ms.js). Eg: `60`, `"2 days"`, `"10h"`, `"7d"` - `options.audience` - `options.issuer` - `options.jwtid` - `options.subject` - `options.noTimestamp` - `options.header` **More options is same as [jsonwebtoken](https://github.com/auth0/node-jsonwebtoken)** ### context.token This is a getter that auto verify the token. if authorization is invalid, context will throw error. `token` maybe custom by `options.useProperty`. ```js console.log(this.token) ``` ### app.signToken(payload) / context.signToken(payload) Generate a token string. `payload` could be an literal, buffer or string, If `payload` is not a buffer or a string, it will be coerced into a string using `JSON.stringify`. ### app.decodeToken(token, options) / context.decodeToken(token, options) Returns the decoded payload without verifying if the signature is valid. - `token`: `String`, the JsonWebToken string. - `options.json`: `Boolean`, force JSON.parse on the payload even if the header doesn't contain `"typ":"JWT"`. ### app.verifyToken(token, options) / context.verifyToken(token, options) Returns the decoded payload with verifying if the signature is valid. - `token`: `String`, the JsonWebToken string. ### toaToken.jwt It is a reference of `jsonwebtoken` module. ### toaToken.JWT(secretOrPrivateKeys) It is a wrap of `jsonwebtoken` module. ```js const jwt = new toaToken.JWT(secretOrPrivateKeys) ``` #### jwt.signToken(payload, options) #### jwt.decodeToken(token, options) #### jwt.verifyToken(token, options) ## Licences (The MIT License) [npm-url]: https://npmjs.org/package/toa-token [npm-image]: http://img.shields.io/npm/v/toa-token.svg [travis-url]: https://travis-ci.org/toajs/toa-token [travis-image]: http://img.shields.io/travis/toajs/toa-token.svg [downloads-url]: https://npmjs.org/package/toa-token [downloads-image]: http://img.shields.io/npm/dm/toa-token.svg?style=flat-square