| 1 | # passport-jwt
|
| 2 |
|
| 3 | A [Passport](http://passportjs.org/) strategy for authenticating with a [JSON Web Token](http://jwt.io).
|
| 4 |
|
| 5 | This module lets you authenticate endpoints using a JSON Web token. It is intended to be used to secure RESTful
|
| 6 | endpoints without sessions.
|
| 7 |
|
| 8 | ## Install
|
| 9 |
|
| 10 | This module has not yet been published to the public NPM repository. Until it is you can install it
|
| 11 | with the command
|
| 12 |
|
| 13 | $ npm install git+https://github.com/themikenicholson/passport-jwt.git
|
| 14 |
|
| 15 | ## Usage
|
| 16 |
|
| 17 | ### Configure Strategy
|
| 18 |
|
| 19 | The jwt authentication strategy is constructed as follows:
|
| 20 |
|
| 21 | new JwtStrategy(secretOrKey, options, verify)
|
| 22 |
|
| 23 | `secretOrKey` is a string or buffer containing the secret (symmetric) or PEM-encoded public key (asymmetric)
|
| 24 | for verifying the token's signature.
|
| 25 |
|
| 26 | `options` is an object literal containing options to control how the token is extracted from the request or verified.
|
| 27 | * `issuer`: If defined the token issuer (iss) will be verified against this value.
|
| 28 | * `audience`: If defined the toekn audience (aud) will be verified against this value.
|
| 29 | * `tokenBodyField`: Field in a request body to search for the jwt. Default is auth_token.
|
| 30 | * `tokenHeader`: Expected authorization scheme if token is submitted through the HTTP Authorization header. Defaults to JWT
|
| 31 |
|
| 32 | `verify` is a function with args `verify(jwt_payload, done)`
|
| 33 | * `jwt_payload` is an object literal containing the decoded JWT payload.
|
| 34 | * `done` is a passport error first callback accepting arguments done(error, user, info)
|
| 35 |
|
| 36 | An example configuration:
|
| 37 |
|
| 38 | var JwtStrategy = require('passport-jwt');
|
| 39 | var opts = {issuer: "accounts.examplesoft.com", audience: "yoursite.net"};
|
| 40 | passport.use(new JwtStrategy('secret', opts, function(jwt_paylaod, done) {
|
| 41 | User.findOne({id: jwt_paylaod.sub}, function(err, user) {
|
| 42 | if (err) {
|
| 43 | return done(err, false);
|
| 44 | }
|
| 45 | if (user) {
|
| 46 | done(null, user);
|
| 47 | } else {
|
| 48 | done(null, false);
|
| 49 | // or you could create a new account
|
| 50 | }
|
| 51 | });
|
| 52 | }));
|
| 53 |
|
| 54 |
|
| 55 | ### Authenticate requests
|
| 56 |
|
| 57 | Use `passport.authenticate()` specifying `'jwt'` as the strategy.
|
| 58 |
|
| 59 |
|
| 60 | app.post('/profile', passport.authenticate('jwt', { session: false}),
|
| 61 | function(req, res) {
|
| 62 | res.send(req.user.profile);
|
| 63 | }
|
| 64 | );
|
| 65 |
|
| 66 | ### Include the JWT in requests
|
| 67 |
|
| 68 | The strategy will first check the request for the standard *Authorization* header.
|
| 69 | If this header is present and the scheme matches `options.authScheme` or 'JWT' if no
|
| 70 | auth scheme was specified then the token will be retrieved from it. e.g.
|
| 71 |
|
| 72 | Authorization: JWT JSON_WEB_TOKEN_STRING.....
|
| 73 |
|
| 74 | If the an authorization header with the expected scheme is not found the request body will be
|
| 75 | checked for a field matching `options.tokenBodyField` or 'auth_token' if the option was not specified.
|
| 76 |
|
| 77 |
|
| 78 | ## Tests
|
| 79 |
|
| 80 | $ npm install
|
| 81 | $ npm test
|
| 82 |
|
| 83 | ## License
|
| 84 |
|
| 85 | The [MIT License](http://opensource.org/licenses/MIT)
|
| 86 |
|
| 87 | Copyright (c) 2014 Mike Nicholson
|