@fastify/jwt
Comparing version 6.1.0 to 6.2.0
@@ -16,3 +16,3 @@ import { | ||
* ``` | ||
* declare module 'fastify-jwt' { | ||
* declare module '@fastify/jwt' { | ||
* interface FastifyJWT { | ||
@@ -26,3 +26,3 @@ * payload: { name: string; email: string } | ||
* // With `formatUser`. | ||
* declare module 'fastify-jwt' { | ||
* declare module '@fastify/jwt' { | ||
* interface FastifyJWT { | ||
@@ -29,0 +29,0 @@ * payload: { Name: string; e_mail: string } |
@@ -202,2 +202,3 @@ 'use strict' | ||
const extractToken = options.extractToken | ||
const onlyCookie = options.onlyCookie | ||
if (extractToken) { | ||
@@ -208,3 +209,3 @@ token = extractToken(request) | ||
} | ||
} else if (request.headers && request.headers.authorization) { | ||
} else if ((request.headers && request.headers.authorization) && (!onlyCookie)) { | ||
const parts = request.headers.authorization.split(' ') | ||
@@ -211,0 +212,0 @@ if (parts.length === 2) { |
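Review bot: The `!onlyCookie` gate added to the `else if` line only suppresses the Authorization header path; the preceding `if (extractToken) {` branch still runs first, so when a custom `extractToken` is configured the "cookie only" setting has no effect and a token from any source the extractor chooses is still accepted. If the intent is that `onlyCookie: true` never reads a token from anywhere but the cookie, that first branch needs the same guard, e.g. `if (extractToken && !onlyCookie) {`, and the precedence between the two options should be stated in the option's documentation. The redundant parentheses can also go: `} else if (request.headers && request.headers.authorization && !onlyCookie) {`. The enclosing function starts and ends outside this hunk, and the visible jwt.d.ts hunks do not show `onlyCookie` being added to the verify options type, so it is worth confirming the typings were updated alongside this change.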
{ | ||
"name": "@fastify/jwt", | ||
"version": "6.1.0", | ||
"version": "6.2.0", | ||
"description": "JWT utils for Fastify", | ||
"main": "jwt.js", | ||
"types": "jwt.d.ts", | ||
"engines": { | ||
"node": ">=10" | ||
}, | ||
"scripts": { | ||
@@ -44,4 +41,4 @@ "lint": "standard", | ||
"devDependencies": { | ||
"@fastify/cookie": "^6.0.0", | ||
"@types/node": "^17.0.21", | ||
"@fastify/cookie": "^7.0.0", | ||
"@types/node": "^18.0.0", | ||
"fastify": "^4.0.0-rc.2", | ||
@@ -51,3 +48,3 @@ "pre-commit": "^1.2.2", | ||
"tap": "^16.0.0", | ||
"tsd": "^0.20.0", | ||
"tsd": "^0.21.0", | ||
"typescript": "^4.5.5" | ||
@@ -54,0 +51,0 @@ }, |
@@ -299,2 +299,60 @@ # @fastify/jwt | ||
### `onlyCookie` | ||
Setting this options to `true` will decode only the cookie in the request. This is useful for refreshToken implementations where the request typically has two tokens: token and refreshToken. The main authentication token usually has a shorter timeout and the refresh token normally stored in the cookie has a longer timeout. This allows you to check to make sure that the cookie token is still valid, as it could have a different expiring time than the main token. The payloads of the two different tokens could also be different. | ||
```js | ||
const fastify = require('fastify')() | ||
const jwt = require('@fastify/jwt') | ||
fastify.register(jwt, { | ||
secret: 'foobar', | ||
cookie: { | ||
cookieName: 'refreshToken', | ||
}, | ||
sign: { | ||
expiresIn: '10m' | ||
} | ||
}) | ||
fastify | ||
.register(require('@fastify/cookie')) | ||
fastify.get('/cookies', async (request, reply) => { | ||
const token = await reply.jwtSign({ | ||
name: 'foo' | ||
}) | ||
const refreshToken = await reply.jwtSign({ | ||
name: 'bar' | ||
}, {expiresIn: '1d'}) | ||
reply | ||
.setCookie('refreshToken', refreshToken, { | ||
domain: 'your.domain', | ||
path: '/', | ||
secure: true, // send cookie over HTTPS only | ||
httpOnly: true, | ||
sameSite: true // alternative CSRF protection | ||
}) | ||
.code(200) | ||
.send({token}) | ||
}) | ||
fastify.addHook('onRequest', (request) => { | ||
request.jwtVerify() | ||
request.jwtVerify({onlyCookie: true}) | ||
}) | ||
fastify.get('/verifycookie', (request, reply) => { | ||
reply.send({ code: 'OK', message: 'it works!' }) | ||
}) | ||
fastify.listen(3000, err => { | ||
if (err) throw err | ||
}) | ||
``` | ||
### `trusted` | ||
@@ -301,0 +359,0 @@ |
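Review bot: The `onRequest` hook in the new example calls `request.jwtVerify()` and `request.jwtVerify({onlyCookie: true})` without awaiting or returning the promises, so a failed verification becomes an unhandled rejection instead of an error reply and the request continues into the route handler. The hook should be async and await both calls, e.g. `fastify.addHook('onRequest', async (request) => { await request.jwtVerify(); await request.jwtVerify({onlyCookie: true}) })`, so Fastify short-circuits the request on failure. Because both tokens in the example are signed with the same `secret` and only differ in payload and `expiresIn`, a valid access token placed in the `refreshToken` cookie would also pass the cookie check; a sentence noting that the two tokens should be distinguishable (for example by a claim checked after verification) would make the refresh-token pattern safer to copy. Given the devDependency on fastify 4 in this same diff, `fastify.listen(3000, err => …)` uses the positional signature that fastify 4 deprecated in favour of `fastify.listen({ port: 3000 })`.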