JWT WebAuth
A Javascript frontend authorization tokens handler that works with JWT to check expiration and token transactions with the server.
Handle authorization tokens as sessions, based on accessToken
and refreshToken
, that will save it in local or session storage, and create an automatic renew when tokens expire and can integrate with request interceptors.
BREAK CHANGE!
We release new version with the name jwt-webauth, previous version is deprecated.
Features
- Automatic save tokens in session or local storage
- Automatic storage for remember a session or not
- Expiration observer
- Server-side validation
- Automatically and manually renew the access token with the refresh token
- Events for expiration, renewed, empty and errors
- Compatibility with native fetch API or any HTTP library
Installation
From NPM
npm i @videsk/jwt-webauth
Self-hosted
<script src="/dist/jwt-webauth.min.js"></script>
How to use
For start, you need instance WebAuth
.
const auth = new WebAuth(options);
Options
The class receive one argument as object
. That object contains the following keys:
const { keys, events, attempts, delay } = options;
keys (optional)
This key, have the "key name" that will store in local or session storage. By default, are auth-key
and auth-key-refresh
, for access and refresh token respectively.
const keys = {
accessToken: 'auth-key',
refreshToken: 'auth-key-refresh'
};
events (optional)
Set event callbacks by object
attempts (optional)
Number of attempts before throw error.
delay
Minutes to subtract to JWT expiration to consider is expired. Example: 5 min before expire to force renew.
Init
auth.set();
auth.set(accessToken);
auth.set(accessToken, refreshToken);
auth.set(accessToken, refreshToken, true);
This automatically start to observe the expiration of access and/or refresh token. Also check validity of access token by the server and when expire automatically will try to get a new one, only if you set a refresh token.
Force renew
This property allows you to force renew the access token with the refresh token, so this is relevant when you integrate with interceptors. In case a request returns 401 Unauthorized
(typically token expire or blacklisted) you can force renew.
auth.renew();
This is very useful not only when user do a request, seconds before the observer can check that access token was expired, also when access and/or refresh token was invalidated by the server in a blacklist by security reasons (ex. password reset).
So, is important use it directly in your interceptors when you know that access token was expired, blacklisted or invalidated by the server.
Events
WebAuth require as mandatory a few events for verify
and renew
access token.
The mandatory event is verify
to check server-side validation. If is not present will throw an error.
In case you can to use refresh token needs to set the renew
event. Otherwise, if refresh token is present will throw an error.
Read more about server-side validation in the next section.
The other available events are:
const events = {
expired: () => {},
error: () => {},
renewed: () => {},
empty: () => {},
ready: () => {},
};
To set them, you can do it with this elegant way:
auth.on('name-event', callback);
auth.on('expired', function () {
});
auth.events.expired = () => {
};
Remember that both method will override the default empty function. So, define a callback per event only one time on your code.
In case of expired
event, returns the name of token was expired that will be accessToken
or refreshToken
. So, you can difference like this:
auth.on('expired', function (tokenName) {
if (tokenName === 'accessToken') return;
logoutUser();
});
The ready
events is useful to set in the base of HTML or template app to know when the accessToken is valid or was renewed. Example:
auth.on('ready', function() {
});
So, is recommended to add the ready
event to the base of the app. With that, you can ensure that ready
event will be triggered only if accessToken and/or refreshToken are being valid. Inclusive if was valid from the first time the app was loaded or need to be renewed. Both cases ensure that the app can load with valid accessToken.
Stop and clean
This two properties allows you to clean
tokens from storage and logout
the observer. The logout
also clean the tokens, so use stop when you want to reactivate observer manually with .set()
.
auth.clean();
auth.logout();
We recommend to use .logout()
when the user logout from the web app.
Server side validation
When you start WebAuth
, will try to check validity executing verify
event, in case the event return false will be considered as expired otherwise is valid. WebAuth
will try to get a new access token, executing the renew
event only if refresh token is present.
If renew
throw an error, WebAuth
will try the number of attempts to set on options
, which by default is 3.
const auth = new WebAuth();
auth.on('verify', async () => {
const response = await fetch('.../verify');
const output = await response.json();
return output.isValid;
});
auth.on('renew', async () => {
const response = await fetch('.../renew');
const output = await response.json();
return output.accessToken;
});
In case exceed the attempts, the event error will throw, and the tokens will remove from the session or local storage. That behavior is by security reasons, to avoid store tokens without server validation.
This is really helpful when user lose connection, also in that cases you can complement with manually Internet connection check, so you can call logout()
method to avoid WebAuth
remove tokens.
Lifecycle
This is the lifecycle of WebAuth
, when use accessToken and refreshToken.
Instance WebAuth
↓
set(accessToken, refreshToken) → observer start → (if empty, no tokens) → fire empty()
↓
fire verify event
↓
(accessToken expire) → fire expire('accessToken')
↓
fire renew event ⇿ (if fails) ← try renew x times → fire error(error)
↓
save tokens → observer start → fire renewed()
↓
refreshToken expire
↓
fire expired('refreshToken')
↓
end (here request login) → fire logout event
If you don't use a refreshToken, the lifecycle will be like this:
Instance WebAuth
↓
fire verify event
↓
set(accessToken, refreshToken) → observer start → (if empty, no tokens) → fire empty()
↓
(accessToken expire) → fire expire('accessToken')
↓
end → fire logout evet
Debugging
We recommend to use event error
to check all issues with server side validations. This library was tested so should not throw unhandled errors related to observer.
auth.on('error', function (error) {
debugger;
console.log(error);
});
auth.on('error', function (error) {
});
We strongly recommend use error
event with error monitoring like Sentry, Bugsnag, LogRocket, etc. The cases when error event should be fired are a malformed JWT and server error response.
Testing
This library was tested with Mocha
, chai
and chai-http
. Also was created a polyfill of window
to test with localStorage
and sessionStorage
in Node, check here.
For coverage was used nyc
.
License
This library was developed by Videsk with ♥ license LGPL-2.1.