passport-jwt-site

A Passport strategy for authenticating with a JSON Web Token.

This module is another version of the original passport-jwt by Mike Nicholson that let's you authenticate a Node.js web-application's middleware endpoints using a JSON web token. Unlike, the generic passport-jwt, the following module allows to include JSON web tokens in the http-request body and session authorization variable.

Supported By

If you want to quickly add secure token-based authentication to Node.js apps, feel free to check out Auth0's Node.js SDK and free plan at auth0.com/overview

Install

npm install passport-jwt-site@1.0.0

What was changed...

Specifically, I've modified the JwtStrategy.prototype.authenticate(...) method by providing the functionality that allows to retrieve JSON web tokens not only from the standard Authorization header, but also the http-request body and session authorization variable:

JwtStrategy.prototype.authenticate = function(req, options) {
    var self = this; var token = null;
    // Retrieve JSON web token from the http-request body
    if ((req.body["Authorization"] != null) && 
        (req.body["Authorization"] != undefined)) {
            token = req.body["Authorization"];
    }
    // Retrieve JSON web token from the session Authorization variable
    else if ((req.session["Authorization"] != null) && 
             (req.session["Authorization"] != undefined)) {
                token = req.session["Authorization"];
    }
 
    if ((token != null) && (token != undefined)) {
        // Extract a valid JSON web token string
        token = token.substr(token.indexOf(' ') + 1);
    }
    else {
        // Retrieve JSON web token from the Authorization header
        token = self._jwtFromRequest(req);
    }
 
    if (!token) {
        return self.fail(new Error("No auth token"));
    }
    // ****
};

The following fragment of code listed above, while being executed, first attempts to retrieve JSON web token from the http-request body and assign it to the token local variable. If the http-request body variable Authorization is null or undefined, it performs another check if the JSON web token is included in the session authorization variable instead. If so, it retrieves and assigns a valid token string to the same token variable. Finally, if neither the http-request body nor session authorization variable contains a valid token, it regularly retrieves the token from the authorization header by executing token = self._jwtFromRequest(req) method.

Usage

Normally, with the re-engineered passport-jwt-site strategy module you can include JSON web tokens to the either http-request body or session authorization variable. Here's how:

Including JWT To The HTTP-Request Body

With passport-jwt-site, now, you can include JSON web tokens to the Ajax http-request body:

index.html

$.get('/profile', {"Authorization": "Bearer " + token}, function(response) => { ... });
$.post('/profile', {"Authorization": "Bearer " + token}, function(response) => { ... });

Including JWT To Session Authorization Variable

server.js

Also, you can include JSON web tokens to the session Authorization variable:

router.post('/login', function(req, res, next) {
  auth.passport.authenticate('jwt', {session: false},
   function(err, user, info) {
    if (err) { return next(err); }
    req.logIn(user, function(err) {
      if (user != false) {
           // Include JWT to the session Authorization variable
           req.session.Authorization = req.body["Authorization"];
      }
      return res.status(200).send(user);
    });
  })(req, res, next);
});

This is typically done to have an ability to perform authenticated web-page redirects such as:

index.html

$.post('/login', {"Authorization": "Bearer " + token}, 
    (response) => {
        // Redirect to the users profile web page
        $(location).attr('href', '/profile');
    });

Create an authenticated middleware, rendering the users profile's web page:

server.js

router.get('/profile', passport.authenticate('jwt', {session: false }),
    function(req, res, next) { 
        res.statusCode = 200; res.render('profile');
    });

Migrating

The the Migration Guide for help upgrading to the latest major version of passport-jwt

Tests

npm install
npm test

To generate test-coverage reports:

npm install -g istanbul
npm run-script testcov
istanbul report

License

The MIT License

Copyright (c) 2019 by Arthur V. Ratz