1 | # passport-jwt
|
2 |
|
3 | A [Passport](http://passportjs.org/) strategy for authenticating with a [JSON Web Token](http://jwt.io).
|
4 |
|
5 | This module lets you authenticate endpoints using a JSON Web token. It is intended to be used to secure RESTful
|
6 | endpoints without sessions.
|
7 |
|
8 | ## Install
|
9 |
|
10 | This module has not yet been published to the public NPM repository. Until it is you can install it
|
11 | with the command
|
12 |
|
13 | $ npm install git+https://github.com/themikenicholson/passport-jwt.git
|
14 |
|
15 | ## Usage
|
16 |
|
17 | ### Configure Strategy
|
18 |
|
19 | The jwt authentication strategy is constructed as follows:
|
20 |
|
21 | new JwtStrategy(secretOrKey, options, verify)
|
22 |
|
23 | `secretOrKey` is a string or buffer containing the secret (symmetric) or PEM-encoded public key (asymmetric)
|
24 | for verifying the token's signature.
|
25 |
|
26 | `options` is an object literal containing options to control how the token is extracted from the request or verified.
|
27 | * `issuer`: If defined the token issuer (iss) will be verified against this value.
|
28 | * `audience`: If defined the toekn audience (aud) will be verified against this value.
|
29 | * `tokenBodyField`: Field in a request body to search for the jwt. Default is auth_token.
|
30 | * `tokenHeader`: Expected authorization scheme if token is submitted through the HTTP Authorization header. Defaults to JWT
|
31 |
|
32 | `verify` is a function with args `verify(jwt_payload, done)`
|
33 | * `jwt_payload` is an object literal containing the decoded JWT payload.
|
34 | * `done` is a passport error first callback accepting arguments done(error, user, info)
|
35 |
|
36 | An example configuration:
|
37 |
|
38 | var JwtStrategy = require('passport-jwt');
|
39 | var opts = {issuer: "accounts.examplesoft.com", audience: "yoursite.net"};
|
40 | passport.use(new JwtStrategy('secret', opts, function(jwt_paylaod, done) {
|
41 | User.findOne({id: jwt_paylaod.sub}, function(err, user) {
|
42 | if (err) {
|
43 | return done(err, false);
|
44 | }
|
45 | if (user) {
|
46 | done(null, user);
|
47 | } else {
|
48 | done(null, false);
|
49 | // or you could create a new account
|
50 | }
|
51 | });
|
52 | }));
|
53 |
|
54 |
|
55 | ### Authenticate requests
|
56 |
|
57 | Use `passport.authenticate()` specifying `'jwt'` as the strategy.
|
58 |
|
59 |
|
60 | app.post('/profile', passport.authenticate('jwt', { session: false}),
|
61 | function(req, res) {
|
62 | res.send(req.user.profile);
|
63 | }
|
64 | );
|
65 |
|
66 | ### Include the JWT in requests
|
67 |
|
68 | The strategy will first check the request for the standard *Authorization* header.
|
69 | If this header is present and the scheme matches `options.authScheme` or 'JWT' if no
|
70 | auth scheme was specified then the token will be retrieved from it. e.g.
|
71 |
|
72 | Authorization: JWT JSON_WEB_TOKEN_STRING.....
|
73 |
|
74 | If the an authorization header with the expected scheme is not found the request body will be
|
75 | checked for a field matching `options.tokenBodyField` or 'auth_token' if the option was not specified.
|
76 |
|
77 |
|
78 | ## Tests
|
79 |
|
80 | $ npm install
|
81 | $ npm test
|
82 |
|
83 | ## License
|
84 |
|
85 | The [MIT License](http://opensource.org/licenses/MIT)
|
86 |
|
87 | Copyright (c) 2014 Mike Nicholson
|