express-jwt
Comparing version 6.1.1 to 7.0.0
CHANGELOG.md
@@ -6,167 +6,104 @@ # Change Log | ||
## 6.0.0 - 2020-06-29 | ||
## 7.0.0 - 2022-04-20 | ||
- Made algorithms mandatory ([304a1c5968aed7c4c520035426fc09142156669d](https://github.com/auth0/express-jwt/commit/304a1c5968aed7c4c520035426fc09142156669d)) | ||
- Convert the project to typescript and improve types ([2b43ccb7252f2cc2fb3c2655a252fd7ae58ce0dd](https://github.com/auth0/express-jwt/commit/2b43ccb7252f2cc2fb3c2655a252fd7ae58ce0dd)) | ||
## 5.3.3 - 2020-04-27 | ||
## 6.1.2 - 2022-04-20 | ||
- Improvements to documentation | ||
- fix: package.json & package-lock.json to reduce vulnerabilities ([c7881ad378063236d85b1e1b0f4a252b63b8e75b](https://github.com/auth0/express-jwt/commit/c7881ad378063236d85b1e1b0f4a252b63b8e75b)) | ||
## 5.3.2 - 2020-04-27 | ||
## 6.1.1 - 2022-02-21 | ||
- Updated build to run on Node 8, 10 and 12 [178928266c3cf2fed3f9e013722cc8d29d4672ba](https://github.com/auth0/express-jwt/commit/178928266c3cf2fed3f9e013722cc8d29d4672ba) | ||
- Updated JSON web token dependency [11f3ac49736f37c5b74cd67bde87c50fdca19868](https://github.com/auth0/express-jwt/commit/11f3ac49736f37c5b74cd67bde87c50fdca19868) | ||
- Fix prototype pollution vulnerability. ([551bf40a74553a13e7314488b32648d474c182f7](https://github.com/auth0/express-jwt/commit/551bf40a74553a13e7314488b32648d474c182f7)) | ||
## 5.3.0 - 2017-04-17 | ||
## 6.1.0 - 2021-08-11 | ||
- Export unauthorized error [d662501f75b60e79f0e02e8df325a7960187af65](https://github.com/auth0/express-jwt/commit/d662501f75b60e79f0e02e8df325a7960187af65) | ||
- Updated JSON web token library [fcf97715a5a11cbf7b828a3fa953e4c644856706](https://github.com/auth0/express-jwt/commit/fcf97715a5a11cbf7b828a3fa953e4c644856706) | ||
- Added support for `resultProperty` [c2aa463f69fea5535dc14da86f8ea13436e72d04](https://github.com/auth0/express-jwt/commit/c2aa463f69fea5535dc14da86f8ea13436e72d04) | ||
- Update readme on 6.0.0 changes ([43b7921c2cb60d781655ac5527a8a47d9fb428fc](https://github.com/auth0/express-jwt/commit/43b7921c2cb60d781655ac5527a8a47d9fb428fc)) | ||
- Updated changelog ([ed743a8fa28d32de3166ab6cf5bae1315669678a](https://github.com/auth0/express-jwt/commit/ed743a8fa28d32de3166ab6cf5bae1315669678a)) | ||
## 5.2.0 - 2016-10-07 | ||
## 6.0.0 - 2020-06-29 | ||
- Added changelog [34dd51dde3fd83182bd076d9a9378626d17152f2](https://github.com/auth0/express-jwt/commit/34dd51dde3fd83182bd076d9a9378626d17152f2) | ||
- Made algorithms mandatory ([304a1c5968aed7c4c520035426fc09142156669d](https://github.com/auth0/express-jwt/commit/304a1c5968aed7c4c520035426fc09142156669d)) | ||
## 5.1.0 - 2016-10-04 | ||
## 5.3.3 - 2020-04-07 | ||
- A cleaner way to detect a function ([b7235714def5b4b3b91ee2d955a6a82706792825](https://github.com/auth0/express-jwt/commit/b7235714def5b4b3b91ee2d955a6a82706792825)) | ||
- allow other auth schemes if credentialsRequired is false. closes #129 ([fbf15bd3ccb8b71fe2434b0165492e53bf56d6cd](https://github.com/auth0/express-jwt/commit/fbf15bd3ccb8b71fe2434b0165492e53bf56d6cd)), closes [#129](https://github.com/auth0/express-jwt/issues/129) | ||
- handle error on invalid tokens. Closes #134 ([461710185e8cba665b81b77e14895eee45b4d076](https://github.com/auth0/express-jwt/commit/461710185e8cba665b81b77e14895eee45b4d076)), closes [#134](https://github.com/auth0/express-jwt/issues/134) | ||
- minor ([a2c54081f631b6c1670dc6b85730b6381a87972e](https://github.com/auth0/express-jwt/commit/a2c54081f631b6c1670dc6b85730b6381a87972e)) | ||
- Add a note about OAuth2 bearer tokens ([c5d841966b70584fa51f766d7cb2b17ae1db6681](https://github.com/auth0/express-jwt/commit/c5d841966b70584fa51f766d7cb2b17ae1db6681)) | ||
- Make clearer sections in the Readme ([8662579f1af7ba1d8b6a35718243bd719600a23f](https://github.com/auth0/express-jwt/commit/8662579f1af7ba1d8b6a35718243bd719600a23f)) | ||
- Update Readme and use a consistent JS style for code examples ([888f0e9d2cb3026a50b2812a0eebe7a5d5011744](https://github.com/auth0/express-jwt/commit/888f0e9d2cb3026a50b2812a0eebe7a5d5011744)) | ||
- Update README.md ([d3e86bffb6f0c629cbb95e9b27432e4860d8bc5a](https://github.com/auth0/express-jwt/commit/d3e86bffb6f0c629cbb95e9b27432e4860d8bc5a)) | ||
## 5.3.2 - 2020-04-07 | ||
- fix dependencies vulnerabilities and test against 8, 10 and 12 from now on ([178928266c3cf2fed3f9e013722cc8d29d4672ba](https://github.com/auth0/express-jwt/commit/178928266c3cf2fed3f9e013722cc8d29d4672ba)) | ||
- fix license field ([f4f4d1d6bf78d498688f1b1936551546715d01e9](https://github.com/auth0/express-jwt/commit/f4f4d1d6bf78d498688f1b1936551546715d01e9)) | ||
## 5.0.0 - 2016-09-05 | ||
## 5.3.0 - 2017-04-17 | ||
- *Expose UnauthorizedError ([a6a36058b949bbffaa5969e6435aaad5201651d8](https://github.com/auth0/express-jwt/commit/a6a36058b949bbffaa5969e6435aaad5201651d8)) | ||
- 5.3.0 ([9ff413a6350ad0117ddef82e9da7eaeb55061e0b](https://github.com/auth0/express-jwt/commit/9ff413a6350ad0117ddef82e9da7eaeb55061e0b)) | ||
- Add documentation for resultProperty ([3acc3730900479f92e1f6e480ac14905106e83d4](https://github.com/auth0/express-jwt/commit/3acc3730900479f92e1f6e480ac14905106e83d4)) | ||
- Add resultProperty option ([c84b69f52b29abbafc36506306dddf1e5d1c4f9b](https://github.com/auth0/express-jwt/commit/c84b69f52b29abbafc36506306dddf1e5d1c4f9b)) | ||
- bump jsonwebtoken version to 7 ([d42f5df0f075de37ffb1f731bb7bdbd9b2c87f4b](https://github.com/auth0/express-jwt/commit/d42f5df0f075de37ffb1f731bb7bdbd9b2c87f4b)) | ||
- Ensure proper error messages end up in stack trace ([657592d9aef4e28490773022ff06bc36432df82b](https://github.com/auth0/express-jwt/commit/657592d9aef4e28490773022ff06bc36432df82b)) | ||
- Fix syntax highlighting ([56d74613f797646732c40e7cafd903af23f35397](https://github.com/auth0/express-jwt/commit/56d74613f797646732c40e7cafd903af23f35397)) | ||
- Test for resultProperty option ([13ae992c7c78f79a254cac2741ab4a7cb9752eaf](https://github.com/auth0/express-jwt/commit/13ae992c7c78f79a254cac2741ab4a7cb9752eaf)) | ||
- UnauthorizedError exports directly from the module ([7a57149a9fcbf86d73e41904768e95ad8ddf5a81](https://github.com/auth0/express-jwt/commit/7a57149a9fcbf86d73e41904768e95ad8ddf5a81)) | ||
- update jsonwebtoken ([b2207c823e34dc1a8ab89cb50aebe77b6e35f668](https://github.com/auth0/express-jwt/commit/b2207c823e34dc1a8ab89cb50aebe77b6e35f668)) | ||
- Update package.json ([f2779d7a01cb53ad51f2bcf43f942b1299bba798](https://github.com/auth0/express-jwt/commit/f2779d7a01cb53ad51f2bcf43f942b1299bba798)) | ||
## 5.2.0 - 2016-10-07 | ||
## 4.0.0 - 2016-05-06 | ||
- add changelog. closes #139 ([34dd51dde3fd83182bd076d9a9378626d17152f2](https://github.com/auth0/express-jwt/commit/34dd51dde3fd83182bd076d9a9378626d17152f2)), closes [#139](https://github.com/auth0/express-jwt/issues/139) | ||
- Added express-jwt-permissions link ([ef0b848b15ce7ec7148bfbb1a97ee6a9991f7251](https://github.com/auth0/express-jwt/commit/ef0b848b15ce7ec7148bfbb1a97ee6a9991f7251)) | ||
- remove support for deprecated option ([b894ea25b0721305861f57dbec6982eb2a462e97](https://github.com/auth0/express-jwt/commit/b894ea25b0721305861f57dbec6982eb2a462e97)) | ||
- Update middleware to throw when token is invalid when credentials aren't required ([fd58e8961fe6034e7136ea0b31218a299ddf5178](https://github.com/auth0/express-jwt/commit/fd58e8961fe6034e7136ea0b31218a299ddf5178)) | ||
- upgrade jwt library ([01409b3dd99306520a498894293657a88778cdd5](https://github.com/auth0/express-jwt/commit/01409b3dd99306520a498894293657a88778cdd5)) | ||
## 5.1.0 - 2016-10-04 | ||
## 3.4.0 - 2016-05-06 | ||
- A cleaner way to detect a function ([b7235714def5b4b3b91ee2d955a6a82706792825](https://github.com/auth0/express-jwt/commit/b7235714def5b4b3b91ee2d955a6a82706792825)) | ||
- allow other auth schemes if credentialsRequired is false. closes #129 ([fbf15bd3ccb8b71fe2434b0165492e53bf56d6cd](https://github.com/auth0/express-jwt/commit/fbf15bd3ccb8b71fe2434b0165492e53bf56d6cd)), closes [#129](https://github.com/auth0/express-jwt/issues/129) | ||
- handle error on invalid tokens. Closes #134 ([461710185e8cba665b81b77e14895eee45b4d076](https://github.com/auth0/express-jwt/commit/461710185e8cba665b81b77e14895eee45b4d076)), closes [#134](https://github.com/auth0/express-jwt/issues/134) | ||
- minor ([a2c54081f631b6c1670dc6b85730b6381a87972e](https://github.com/auth0/express-jwt/commit/a2c54081f631b6c1670dc6b85730b6381a87972e)) | ||
- doc: typo in README.md was fixed ([f6c2c3d95fd15b911f1ac6dcde0b3084df45a2fc](https://github.com/auth0/express-jwt/commit/f6c2c3d95fd15b911f1ac6dcde0b3084df45a2fc)) | ||
- fixing syntax error in README for string value ([ae69114afe5ca84f39adfac8dc7e9b224eab5410](https://github.com/auth0/express-jwt/commit/ae69114afe5ca84f39adfac8dc7e9b224eab5410)) | ||
- More lightweight dependency ([4861bbb9d906f8fbd8c494fe2dbc4fda0d7865c6](https://github.com/auth0/express-jwt/commit/4861bbb9d906f8fbd8c494fe2dbc4fda0d7865c6)) | ||
- Readme fixed and license renamed ([0e9c88d592f6499bf4d4e212a39fdc50e7206832](https://github.com/auth0/express-jwt/commit/0e9c88d592f6499bf4d4e212a39fdc50e7206832)) | ||
## 5.0.0 - 2016-09-05 | ||
- \*Expose UnauthorizedError ([a6a36058b949bbffaa5969e6435aaad5201651d8](https://github.com/auth0/express-jwt/commit/a6a36058b949bbffaa5969e6435aaad5201651d8)) | ||
- 4.0.0 ([a7ab08aaf695da2a14880880ca449bc61e104198](https://github.com/auth0/express-jwt/commit/a7ab08aaf695da2a14880880ca449bc61e104198)) | ||
- Added express-jwt-permissions link ([ef0b848b15ce7ec7148bfbb1a97ee6a9991f7251](https://github.com/auth0/express-jwt/commit/ef0b848b15ce7ec7148bfbb1a97ee6a9991f7251)) | ||
- remove support for deprecated option ([b894ea25b0721305861f57dbec6982eb2a462e97](https://github.com/auth0/express-jwt/commit/b894ea25b0721305861f57dbec6982eb2a462e97)) | ||
- Update middleware to throw when token is invalid when credentials aren't required ([fd58e8961fe6034e7136ea0b31218a299ddf5178](https://github.com/auth0/express-jwt/commit/fd58e8961fe6034e7136ea0b31218a299ddf5178)) | ||
- upgrade jwt library ([01409b3dd99306520a498894293657a88778cdd5](https://github.com/auth0/express-jwt/commit/01409b3dd99306520a498894293657a88778cdd5)) | ||
## 3.3.0 - 2015-11-09 | ||
## 3.4.0 - 2016-05-06 | ||
- 3.3.0 ([6ae3a7f2685e0a0ac8dd0e286c1bafd00fb4b8c2](https://github.com/auth0/express-jwt/commit/6ae3a7f2685e0a0ac8dd0e286c1bafd00fb4b8c2)) | ||
- add support for nested properties in requestProperty. closes #94 ([6b7a7349910c530d3c0f986c267276930883918f](https://github.com/auth0/express-jwt/commit/6b7a7349910c530d3c0f986c267276930883918f)), closes [#94](https://github.com/auth0/express-jwt/issues/94) | ||
- doc: typo in README.md was fixed ([f6c2c3d95fd15b911f1ac6dcde0b3084df45a2fc](https://github.com/auth0/express-jwt/commit/f6c2c3d95fd15b911f1ac6dcde0b3084df45a2fc)) | ||
- fixing syntax error in README for string value ([ae69114afe5ca84f39adfac8dc7e9b224eab5410](https://github.com/auth0/express-jwt/commit/ae69114afe5ca84f39adfac8dc7e9b224eab5410)) | ||
- More lightweight dependency ([4861bbb9d906f8fbd8c494fe2dbc4fda0d7865c6](https://github.com/auth0/express-jwt/commit/4861bbb9d906f8fbd8c494fe2dbc4fda0d7865c6)) | ||
- Readme fixed and license renamed ([0e9c88d592f6499bf4d4e212a39fdc50e7206832](https://github.com/auth0/express-jwt/commit/0e9c88d592f6499bf4d4e212a39fdc50e7206832)) | ||
- Updated status responses to Express 4.x format ([a481bc8eb2a2e749e9bcff92496c53b5da53c9e0](https://github.com/auth0/express-jwt/commit/a481bc8eb2a2e749e9bcff92496c53b5da53c9e0)) | ||
## 3.3.0 - 2015-11-09 | ||
- add support for nested properties in requestProperty. closes #94 ([6b7a7349910c530d3c0f986c267276930883918f](https://github.com/auth0/express-jwt/commit/6b7a7349910c530d3c0f986c267276930883918f)), closes [#94](https://github.com/auth0/express-jwt/issues/94) | ||
## 3.2.0 - 2015-11-09 | ||
- added documentation on setting base64 encoding flag ([e4cddfdc432b02d48bd61b627da7c927df79d6fc](https://github.com/auth0/express-jwt/commit/e4cddfdc432b02d48bd61b627da7c927df79d6fc)) | ||
- added documentation on setting base64 encoding flag ([0ebfd6c125314d83e98df93b9d75b91287e44c49](https://github.com/auth0/express-jwt/commit/0ebfd6c125314d83e98df93b9d75b91287e44c49)) | ||
- added documentation on setting base64 encoding flag ([cb04d571a098e49d5dcc5d9bf15481bc6266b598](https://github.com/auth0/express-jwt/commit/cb04d571a098e49d5dcc5d9bf15481bc6266b598)) | ||
- Clarify credentialsRequired remarks ([80fae765044ea8506cf89e1f6238ce4e12ad8d6e](https://github.com/auth0/express-jwt/commit/80fae765044ea8506cf89e1f6238ce4e12ad8d6e)) | ||
- Tweak of description, code sample, and location ([f3024e2c4ba5ba5896983520ff9410dcc30c92e5](https://github.com/auth0/express-jwt/commit/f3024e2c4ba5ba5896983520ff9410dcc30c92e5)) | ||
- Use npm v2 in CI build ([da3ad2bba2eae5febf1d1fc9eb04ad2c46302fd4](https://github.com/auth0/express-jwt/commit/da3ad2bba2eae5febf1d1fc9eb04ad2c46302fd4)) | ||
- Verify token before checking revoke ([d75cec869dc9a37b6199c7615bbfa77dae97aa05](https://github.com/auth0/express-jwt/commit/d75cec869dc9a37b6199c7615bbfa77dae97aa05)) | ||
- added documentation on setting base64 encoding flag ([e4cddfdc432b02d48bd61b627da7c927df79d6fc](https://github.com/auth0/express-jwt/commit/e4cddfdc432b02d48bd61b627da7c927df79d6fc)) | ||
- added documentation on setting base64 encoding flag ([0ebfd6c125314d83e98df93b9d75b91287e44c49](https://github.com/auth0/express-jwt/commit/0ebfd6c125314d83e98df93b9d75b91287e44c49)) | ||
- added documentation on setting base64 encoding flag ([cb04d571a098e49d5dcc5d9bf15481bc6266b598](https://github.com/auth0/express-jwt/commit/cb04d571a098e49d5dcc5d9bf15481bc6266b598)) | ||
- Clarify credentialsRequired remarks ([80fae765044ea8506cf89e1f6238ce4e12ad8d6e](https://github.com/auth0/express-jwt/commit/80fae765044ea8506cf89e1f6238ce4e12ad8d6e)) | ||
- Tweak of description, code sample, and location ([f3024e2c4ba5ba5896983520ff9410dcc30c92e5](https://github.com/auth0/express-jwt/commit/f3024e2c4ba5ba5896983520ff9410dcc30c92e5)) | ||
- Use npm v2 in CI build ([da3ad2bba2eae5febf1d1fc9eb04ad2c46302fd4](https://github.com/auth0/express-jwt/commit/da3ad2bba2eae5febf1d1fc9eb04ad2c46302fd4)) | ||
- Verify token before checking revoke ([d75cec869dc9a37b6199c7615bbfa77dae97aa05](https://github.com/auth0/express-jwt/commit/d75cec869dc9a37b6199c7615bbfa77dae97aa05)) | ||
## 3.1.0 - 2015-09-09 | ||
- Changes the README describing unless and linking to the express unless github repo. ([6447a034fb7dd44526464e02319802f15f1e5315](https://github.com/auth0/express-jwt/commit/6447a034fb7dd44526464e02319802f15f1e5315)) | ||
- Expand on what is possible with path param for unless() and give link to express-unless so the user knows that is what is being utilized. ([f13cd5f0d55154e551b11e872668879180979640](https://github.com/auth0/express-jwt/commit/f13cd5f0d55154e551b11e872668879180979640)) | ||
- Merge README enhancement from @rustybailey ([71e5ec53b4d631cb6b8e5b7a691ab77636044612](https://github.com/auth0/express-jwt/commit/71e5ec53b4d631cb6b8e5b7a691ab77636044612)) | ||
- Minor typo fix ([df62ee2bca84ca3990751ba3e567c95a6f3af86e](https://github.com/auth0/express-jwt/commit/df62ee2bca84ca3990751ba3e567c95a6f3af86e)) | ||
- Optionally pass token headers to secret callback. ([988931b2fbbfb9f694a4c25c2f867a613f3f8a81](https://github.com/auth0/express-jwt/commit/988931b2fbbfb9f694a4c25c2f867a613f3f8a81)) | ||
- Set express-unless minor version number. ([c262caf73ca64c2175717076538786da4397894c](https://github.com/auth0/express-jwt/commit/c262caf73ca64c2175717076538786da4397894c)) | ||
- Tweak to make .unless comment a blockquote ([f1b099ed6af12e099d4c4f43d42bf4aec0c4df36](https://github.com/auth0/express-jwt/commit/f1b099ed6af12e099d4c4f43d42bf4aec0c4df36)) | ||
- Update package.json ([88a2be2d89e6772d19463a94d8ada56b9832367d](https://github.com/auth0/express-jwt/commit/88a2be2d89e6772d19463a94d8ada56b9832367d)) | ||
- Updated status responses to Express 4.x format ([a481bc8eb2a2e749e9bcff92496c53b5da53c9e0](https://github.com/auth0/express-jwt/commit/a481bc8eb2a2e749e9bcff92496c53b5da53c9e0)) | ||
- typo: revoked is the name of the argument ([3cacbf391e86b70807255dadc8fd5d88153b67e4](https://github.com/auth0/express-jwt/commit/3cacbf391e86b70807255dadc8fd5d88153b67e4)) | ||
- Changes the README describing unless and linking to the express unless github repo. ([6447a034fb7dd44526464e02319802f15f1e5315](https://github.com/auth0/express-jwt/commit/6447a034fb7dd44526464e02319802f15f1e5315)) | ||
- Expand on what is possible with path param for unless() and give link to express-unless so the user knows that is what is being utilized. ([f13cd5f0d55154e551b11e872668879180979640](https://github.com/auth0/express-jwt/commit/f13cd5f0d55154e551b11e872668879180979640)) | ||
- fix typo ([c39e1d1036a05b5bd3d3f7a46a03f825542c1027](https://github.com/auth0/express-jwt/commit/c39e1d1036a05b5bd3d3f7a46a03f825542c1027)) | ||
- Fix typo on README.md ([bdab49c5c4de4a154b3043f4684a60584279d36e](https://github.com/auth0/express-jwt/commit/bdab49c5c4de4a154b3043f4684a60584279d36e)) | ||
- Merge README enhancement from @rustybailey ([71e5ec53b4d631cb6b8e5b7a691ab77636044612](https://github.com/auth0/express-jwt/commit/71e5ec53b4d631cb6b8e5b7a691ab77636044612)), closes [#81](https://github.com/auth0/express-jwt/issues/81) | ||
- Minor typo fix ([df62ee2bca84ca3990751ba3e567c95a6f3af86e](https://github.com/auth0/express-jwt/commit/df62ee2bca84ca3990751ba3e567c95a6f3af86e)) | ||
- Optionally pass token headers to secret callback. ([988931b2fbbfb9f694a4c25c2f867a613f3f8a81](https://github.com/auth0/express-jwt/commit/988931b2fbbfb9f694a4c25c2f867a613f3f8a81)) | ||
- Set express-unless minor version number. ([c262caf73ca64c2175717076538786da4397894c](https://github.com/auth0/express-jwt/commit/c262caf73ca64c2175717076538786da4397894c)) | ||
- Tweak to make .unless comment a blockquote ([f1b099ed6af12e099d4c4f43d42bf4aec0c4df36](https://github.com/auth0/express-jwt/commit/f1b099ed6af12e099d4c4f43d42bf4aec0c4df36)) | ||
- Update package.json ([88a2be2d89e6772d19463a94d8ada56b9832367d](https://github.com/auth0/express-jwt/commit/88a2be2d89e6772d19463a94d8ada56b9832367d)) | ||
- typo: revoked is the name of the argument ([3cacbf391e86b70807255dadc8fd5d88153b67e4](https://github.com/auth0/express-jwt/commit/3cacbf391e86b70807255dadc8fd5d88153b67e4)) | ||
## 3.0.0 - 2015-04-11 | ||
- fix typo ([c39e1d1036a05b5bd3d3f7a46a03f825542c1027](https://github.com/auth0/express-jwt/commit/c39e1d1036a05b5bd3d3f7a46a03f825542c1027)) | ||
- Fix typo on README.md ([bdab49c5c4de4a154b3043f4684a60584279d36e](https://github.com/auth0/express-jwt/commit/bdab49c5c4de4a154b3043f4684a60584279d36e)) | ||
## 2.1.0 - 2015-03-16 | ||
- update jsonwebtoken to latest version ([7ca6a07a0c85fe4b24484c8f61ed7d15d918474b](https://github.com/auth0/express-jwt/commit/7ca6a07a0c85fe4b24484c8f61ed7d15d918474b)) | ||
## 2.0.1 - 2015-03-11 | ||
- Fixed multitenancy bug where if a secret is a buffer, it is incorrectly treated as a callback. Also provided a test which exercises this logic. ([217474476b82d17bb39228ba7c07b8ea6e10df55](https://github.com/auth0/express-jwt/commit/217474476b82d17bb39228ba7c07b8ea6e10df55)) | ||
- Fixed naming of my new test ([6a6b5df4846bd84550e16a38e0d06d23076bb57a](https://github.com/auth0/express-jwt/commit/6a6b5df4846bd84550e16a38e0d06d23076bb57a)) | ||
- Replaced check for string or buffer with check for not function. Used fast+robust method rather than typeof. ([5a28821c0363b1d9d9ac558b1cc8fb13e1f97cb7](https://github.com/auth0/express-jwt/commit/5a28821c0363b1d9d9ac558b1cc8fb13e1f97cb7)) | ||
- Updated contributors in readme ([22e82fb31b4d72f8f636a17e7e3012248fd46f29](https://github.com/auth0/express-jwt/commit/22e82fb31b4d72f8f636a17e7e3012248fd46f29)) | ||
## 2.0.0 - 2015-03-06 | ||
- update jsonwebtoken to v4 ([f4115a56edb78b37234e38ff823d764573eba414](https://github.com/auth0/express-jwt/commit/f4115a56edb78b37234e38ff823d764573eba414)) | ||
## 1.4.0 - 2015-03-06 | ||
- add test ([1cc3ed57389e3a9531e6c698bfd5ed08d3ff61b6](https://github.com/auth0/express-jwt/commit/1cc3ed57389e3a9531e6c698bfd5ed08d3ff61b6)) | ||
## 1.3.1 - 2015-03-06 | ||
- fix issue decoding JWT when the payload is a string ([d335c70b7055c014f23463396907c14e232d0e72](https://github.com/auth0/express-jwt/commit/d335c70b7055c014f23463396907c14e232d0e72)) | ||
- refactor tests ([c0f9033393e039791af68e0b7b6fec26d6b56fa5](https://github.com/auth0/express-jwt/commit/c0f9033393e039791af68e0b7b6fec26d6b56fa5)) | ||
## 1.3.0 - 2015-03-03 | ||
- Added support for revoked JWTs ([6bba96731e0b47b30af8120ec4f68acae7ad4be8](https://github.com/auth0/express-jwt/commit/6bba96731e0b47b30af8120ec4f68acae7ad4be8)) | ||
- Updated README.md with revoked tokens check ([226317ace92d679dfe41e8436a4e1ce43fefbf37](https://github.com/auth0/express-jwt/commit/226317ace92d679dfe41e8436a4e1ce43fefbf37)) | ||
## 1.2.0 - 2015-03-03 | ||
- Added multitenant support ([672dd72b5e2132a5947220a24539fbbb58ee105a](https://github.com/auth0/express-jwt/commit/672dd72b5e2132a5947220a24539fbbb58ee105a)) | ||
## 1.1.0 - 2015-03-02 | ||
- added failure test, which checks for invalid signatures ([c465af6828566017df45bbe353628c65ce3a4407](https://github.com/auth0/express-jwt/commit/c465af6828566017df45bbe353628c65ce3a4407)) | ||
- Create LICENSE.txt ([be2b1ac8f6c2dcf7bed26a2ade876d10abd6d564](https://github.com/auth0/express-jwt/commit/be2b1ac8f6c2dcf7bed26a2ade876d10abd6d564)) | ||
- support requestProperty (instead of userProperty) closes #41 ([c5377304dfcf1fd77cd9db61f2f8ffaa11bb338b](https://github.com/auth0/express-jwt/commit/c5377304dfcf1fd77cd9db61f2f8ffaa11bb338b)), closes [#41](https://github.com/auth0/express-jwt/issues/41) | ||
- Update index.js ([f20fcb66f013d7b4d4b8ada1e7252295db293451](https://github.com/auth0/express-jwt/commit/f20fcb66f013d7b4d4b8ada1e7252295db293451)) | ||
- Update index.js ([3b3ffabe48be5c82d065c30579971bd1a1ffddf8](https://github.com/auth0/express-jwt/commit/3b3ffabe48be5c82d065c30579971bd1a1ffddf8)) | ||
- update npm on travis script ([69cb5f71d8b268441b7ce17d4f50f3f8d4049d70](https://github.com/auth0/express-jwt/commit/69cb5f71d8b268441b7ce17d4f50f3f8d4049d70)) | ||
- Update README.md ([6ae118e35091440c233015ef44899f972b9917ee](https://github.com/auth0/express-jwt/commit/6ae118e35091440c233015ef44899f972b9917ee)) | ||
- Update README.md ([48b326c3b44ed92ac79f665471889bc3ef3876a5](https://github.com/auth0/express-jwt/commit/48b326c3b44ed92ac79f665471889bc3ef3876a5)) | ||
## 1.0.0 - 2015-01-15 | ||
## 0.6.2 - 2015-01-05 | ||
- 0.6.2 ([1d00b78e7cf9572bc3843dff7ecb02eb5c9339c3](https://github.com/auth0/express-jwt/commit/1d00b78e7cf9572bc3843dff7ecb02eb5c9339c3)) | ||
- Should not throw exception with invalid token if credentials are not required ([c68a16c01043436ce9b5851e39e000efd9ab5778](https://github.com/auth0/express-jwt/commit/c68a16c01043436ce9b5851e39e000efd9ab5778)) | ||
- Updated test to verify that req.user is undefined if token is invalid ([014e2bdcad3f1ac42c070c2ea267f5f4206c099a](https://github.com/auth0/express-jwt/commit/014e2bdcad3f1ac42c070c2ea267f5f4206c099a)) | ||
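Review bot: the 7.0.0 entry repeats the 6.0.0 line "Made algorithms mandatory" (commit 304a1c5 appears under both headings) but records none of the breaking API changes that the README diff in this same comparison shows for the release: the default export is replaced by a named `expressjwt` export, the decoded payload moves from `req.user` to `req.auth`, the `requestProperty`/`resultProperty` options and their "Retrieving the Decoded Payload" section are removed, and the `secret`/`isRevoked` callbacks change from `(req, payload, done)` to promise-returning `(req, token)` functions. Each of those should be its own bullet under 7.0.0 so the major-version bump is explained by the log itself. Two smaller points: the 6.1.2 line "fix: package.json & package-lock.json to reduce vulnerabilities" should name the advisories it addresses, and the 5.3.3/5.3.2 dates change from 2020-04-27 to 2020-04-07 in this diff, which is fine if it corrects the record but deserves a word in the commit message.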
{ | ||
"name": "express-jwt", | ||
"version": "6.1.1", | ||
"version": "7.0.0", | ||
"description": "JWT authentication middleware.", | ||
@@ -30,12 +30,20 @@ "keywords": [ | ||
"license": "MIT", | ||
"main": "./lib", | ||
"main": "./dist", | ||
"dependencies": { | ||
"async": "^1.5.0", | ||
"express-unless": "^1.0.0", | ||
"jsonwebtoken": "^8.1.0", | ||
"lodash": "^4.17.21" | ||
"jsonwebtoken": "^8.1.0" | ||
}, | ||
"devDependencies": { | ||
"conventional-changelog": "~1.1.0", | ||
"mocha": "^7.1.1" | ||
"@types/express-unless": "^0.5.3", | ||
"@types/jsonwebtoken": "^8.5.8", | ||
"@types/mocha": "^9.1.0", | ||
"@typescript-eslint/eslint-plugin": "^5.15.0", | ||
"@typescript-eslint/parser": "^5.15.0", | ||
"conventional-changelog": "^3.1.25", | ||
"eslint": "^8.11.0", | ||
"express": "^4.17.3", | ||
"mocha": "^9.2.2", | ||
"prettier": "^2.6.0", | ||
"ts-node": "^10.7.0", | ||
"typescript": "^4.6.2" | ||
}, | ||
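Review bot: dropping `async` and `lodash` from `dependencies` is the right call; the 6.1.1 changelog records a prototype pollution fix, and the old README states that `requestProperty`/`resultProperty` were resolved through `lodash.set` with nested property paths, so removing that setter removes a user-controlled-path surface along with two transitive runtime packages. One check before publishing: `@types/express-unless` and `@types/jsonwebtoken` are in `devDependencies` while `main` now points at `./dist`. If the emitted `.d.ts` files reference types from those packages (the `.unless()` signature on the returned middleware, the JWT payload type), TypeScript consumers will need them at install time, so either move them to `dependencies` or confirm the shipped declarations are self-contained.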
@@ -46,4 +54,7 @@ "engines": { | ||
"scripts": { | ||
"test": "node_modules/.bin/mocha --reporter spec" | ||
"build": "rm -rf dist ; tsc", | ||
"prepare": "npm run build", | ||
"test": "mocha --reporter spec --require ts-node/register test/**", | ||
"lint": "eslint --fix --ext .ts ./src" | ||
} | ||
} |
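Review bot: `"build": "rm -rf dist ; tsc"` joins the two commands with `;`, so if the `rm` fails the compiler still runs over a stale `dist` and files from since-removed sources stay in the published package; use `rm -rf dist && tsc` so a failed clean stops the build. `rm -rf` also ties the build to a POSIX shell, which matters now that `prepare` runs it: an install from a git URL compiles on the consumer's machine with whatever `typescript` resolves from `^4.6.2`, so Windows contributors and the lockfile's pinned toolchain are both worth a quick check.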
README.md
@@ -18,13 +18,17 @@ # express-jwt | ||
```javascript | ||
var jwt = require('express-jwt'); | ||
var { expressjwt: jwt } = require("express-jwt"); | ||
// or ES6 | ||
// import { expressjwt, ExpressJwtRequest } from "express-jwt"; | ||
app.get('/protected', | ||
jwt({ secret: 'shhhhhhared-secret', algorithms: ['HS256'] }), | ||
function(req, res) { | ||
if (!req.user.admin) return res.sendStatus(401); | ||
app.get( | ||
"/protected", | ||
jwt({ secret: "shhhhhhared-secret", algorithms: ["HS256"] }), | ||
function (req, res) { | ||
if (!req.auth.admin) return res.sendStatus(401); | ||
res.sendStatus(200); | ||
}); | ||
} | ||
); | ||
``` | ||
The decoded JWT payload is available on the request via the `user` property. This can be configured using the `requestProperty` option ([see below](#retrieving-the-decoded-payload)). | ||
The decoded JWT payload is available on the request via the `auth` property. | ||
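Review bot: this hunk changes two public contracts without a migration note: the import moves from a default export (`var jwt = require('express-jwt')`) to a named `expressjwt` export, and the decoded payload moves from `req.user` to `req.auth`. Both break every existing consumer on upgrade, so the README should state them once near the top (and the 7.0.0 changelog should list them) instead of leaving readers to diff the examples. The rewritten sentence also drops its link to the `requestProperty` option; if that option is gone in 7.0.0, say so here. Smaller point in the example: a false `req.auth.admin` is an authorization failure for an already-authenticated caller, so `403` fits better than `401`, which the error-handler section below reserves for missing or invalid tokens.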
@@ -34,2 +38,3 @@ > The default behavior of the module is to extract the JWT from the `Authorization` header as an [OAuth2 Bearer token](https://oauth.net/2/bearer-tokens/). | ||
### Required Parameters | ||
The `algorithms` parameter is required to prevent potential downgrade attacks when providing third party libraries as **secrets**. | ||
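Review bot: "to prevent potential downgrade attacks when providing third party libraries as **secrets**" does not describe the attack and will confuse readers. The risk is algorithm confusion when `secret` is a public key: a verifier that accepts both HMAC and RSA/EC algorithms can be handed a token signed with HS256 using the public key as the HMAC key, and it verifies. Suggest: "The `algorithms` parameter is required so the verifier only accepts the algorithm your tokens are signed with; without it, anyone holding your public key could present a token signed with HS256 using that key as the HMAC secret."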
@@ -41,6 +46,6 @@ | ||
jwt({ | ||
secret: 'shhhhhhared-secret', | ||
algorithms: ['HS256'] | ||
secret: "shhhhhhared-secret", | ||
algorithms: ["HS256"], | ||
//algorithms: ['RS256'] | ||
}) | ||
}); | ||
``` | ||
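Review bot: the commented-out `//algorithms: ['RS256']` beneath a string `secret` is misleading: with RS256 the `secret` value has to be the RSA public key, not `"shhhhhhared-secret"`, so uncommenting it yields a middleware that can never verify a token. Either remove the comment or move it to the public-key example further down; it also reintroduces single quotes into a block that was just reformatted to double quotes.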
@@ -54,7 +59,7 @@ | ||
jwt({ | ||
secret: 'shhhhhhared-secret', | ||
audience: 'http://myapi/protected', | ||
issuer: 'http://issuer', | ||
algorithms: ['HS256'] | ||
}) | ||
secret: "shhhhhhared-secret", | ||
audience: "http://myapi/protected", | ||
issuer: "http://issuer", | ||
algorithms: ["HS256"], | ||
}); | ||
``` | ||
@@ -67,4 +72,6 @@ | ||
```javascript | ||
jwt({ secret: Buffer.from('shhhhhhared-secret', 'base64'), | ||
algorithms: ['RS256'] }) | ||
jwt({ | ||
secret: Buffer.from("shhhhhhared-secret", "base64"), | ||
algorithms: ["RS256"], | ||
}); | ||
``` | ||
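Review bot: this example pairs a base64-decoded shared secret (`Buffer.from("shhhhhhared-secret", "base64")`) with `algorithms: ["RS256"]`, which is contradictory: a Buffer secret is an HMAC key and belongs with `HS256`, while RS256 expects a PEM public key. The mismatch predates this PR (the removed lines have it too), but since the block is being rewritten anyway, change it to `algorithms: ["HS256"]` so copying it does not produce a middleware that rejects every token.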
@@ -75,3 +82,8 @@ | ||
```javascript | ||
app.use(jwt({ secret: 'shhhhhhared-secret', algorithms: ['HS256']}).unless({path: ['/token']})); | ||
app.use( | ||
jwt({ | ||
secret: "shhhhhhared-secret", | ||
algorithms: ["HS256"], | ||
}).unless({ path: ["/token"] }) | ||
); | ||
``` | ||
@@ -86,23 +98,6 @@ | ||
```javascript | ||
var publicKey = fs.readFileSync('/path/to/public.pub'); | ||
jwt({ secret: publicKey, algorithms: ['RS256'] }); | ||
var publicKey = fs.readFileSync("/path/to/public.pub"); | ||
jwt({ secret: publicKey, algorithms: ["RS256"] }); | ||
``` | ||
### Retrieving the Decoded Payload | ||
By default, the decoded token is attached to `req.user` but can be configured with the `requestProperty` option. | ||
```javascript | ||
jwt({ secret: publicKey, algorithms: ['RS256'], requestProperty: 'auth' }); | ||
``` | ||
The token can also be attached to the `result` object with the `resultProperty` option. This option will override any `requestProperty`. | ||
```javascript | ||
jwt({ secret: publicKey, algorithms: ['RS256'], resultProperty: 'locals.user' }); | ||
``` | ||
Both `resultProperty` and `requestProperty` utilize [lodash.set](https://lodash.com/docs/4.17.15#set) and will accept nested property paths. | ||
### Customizing Token Location | ||
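Review bot: the entire "Retrieving the Decoded Payload" section is deleted, taking `requestProperty`, `resultProperty` and the note that both accept nested `lodash.set` paths with it, and nothing replaces it. Readers of the 7.0.0 docs will not learn that these options no longer exist or that the payload location is now fixed at `req.auth`. One sentence under the `req.auth` description stating that the options were removed (and why, given that the nested-path setter was the dependency being dropped) would cover it, and the same line belongs in the 7.0.0 changelog.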
@@ -116,15 +111,20 @@ | ||
```javascript | ||
app.use(jwt({ | ||
secret: 'hello world !', | ||
algorithms: ['HS256'], | ||
credentialsRequired: false, | ||
getToken: function fromHeaderOrQuerystring (req) { | ||
if (req.headers.authorization && req.headers.authorization.split(' ')[0] === 'Bearer') { | ||
return req.headers.authorization.split(' ')[1]; | ||
} else if (req.query && req.query.token) { | ||
return req.query.token; | ||
} | ||
return null; | ||
} | ||
})); | ||
app.use( | ||
jwt({ | ||
secret: "hello world !", | ||
algorithms: ["HS256"], | ||
credentialsRequired: false, | ||
getToken: function fromHeaderOrQuerystring(req) { | ||
if ( | ||
req.headers.authorization && | ||
req.headers.authorization.split(" ")[0] === "Bearer" | ||
) { | ||
return req.headers.authorization.split(" ")[1]; | ||
} else if (req.query && req.query.token) { | ||
return req.query.token; | ||
} | ||
return null; | ||
}, | ||
}) | ||
); | ||
``` | ||
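Review bot: the `getToken` example returns `req.query.token`, which puts bearer tokens into URLs and from there into access logs, browser history and `Referer` headers; together with `credentialsRequired: false` it is the pattern most likely to be copied into production unchanged. Keep the example, since it is the documented way to customise extraction, but add a one-line warning that query-string tokens leak and that the `Authorization` header or a cookie is preferred. Minor: the `=== "Bearer"` comparison is case-sensitive while HTTP authentication scheme names are not, so `bearer <token>` is silently ignored.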
@@ -135,67 +135,67 @@ | ||
If you are developing an application in which the secret used to sign tokens is not static, you can provide a callback function as the `secret` parameter. The function has the signature: `function(req, payload, done)`: | ||
* `req` (`Object`) - The express `request` object. | ||
* `payload` (`Object`) - An object with the JWT claims. | ||
* `done` (`Function`) - A function with signature `function(err, secret)` to be invoked when the secret is retrieved. | ||
* `err` (`Any`) - The error that occurred. | ||
* `secret` (`String`) - The secret to use to verify the JWT. | ||
- `req` (`Object`) - The express `request` object. | ||
- `payload` (`Object`) - An object with the JWT claims. | ||
- `done` (`Function`) - A function with signature `function(err, secret)` to be invoked when the secret is retrieved. | ||
- `err` (`Any`) - The error that occurred. | ||
- `secret` (`String`) - The secret to use to verify the JWT. | ||
For example, if the secret varies based on the [JWT issuer](http://self-issued.info/docs/draft-ietf-oauth-json-web-token.html#issDef): | ||
```javascript | ||
var jwt = require('express-jwt'); | ||
var data = require('./data'); | ||
var utilities = require('./utilities'); | ||
var jwt = require("express-jwt"); | ||
var data = require("./data"); | ||
var utilities = require("./utilities"); | ||
var secretCallback = function(req, payload, done){ | ||
var issuer = payload.iss; | ||
data.getTenantByIdentifier(issuer, function(err, tenant){ | ||
if (err) { return done(err); } | ||
if (!tenant) { return done(new Error('missing_secret')); } | ||
var secret = utilities.decrypt(tenant.secret); | ||
done(null, secret); | ||
}); | ||
var getSecret = async function (req, token) { | ||
const issuer = token.payload.iss; | ||
const tenant = await data.getTenantByIdentifier(issuer); | ||
if (!tenant) { | ||
throw new Error("missing_secret"); | ||
} | ||
return utilities.decrypt(tenant.secret); | ||
}; | ||
app.get('/protected', | ||
jwt({ secret: secretCallback, algorithms: ['HS256'] }), | ||
function(req, res) { | ||
if (!req.user.admin) return res.sendStatus(401); | ||
app.get( | ||
"/protected", | ||
jwt({ secret: getSecret, algorithms: ["HS256"] }), | ||
function (req, res) { | ||
if (!req.auth.admin) return res.sendStatus(401); | ||
res.sendStatus(200); | ||
}); | ||
} | ||
); | ||
``` | ||
### Revoked tokens | ||
It is possible that some tokens will need to be revoked so they cannot be used any longer. You can provide a function as the `isRevoked` option. The signature of the function is `function(req, payload, done)`: | ||
* `req` (`Object`) - The express `request` object. | ||
* `payload` (`Object`) - An object with the JWT claims. | ||
* `done` (`Function`) - A function with signature `function(err, revoked)` to be invoked once the check to see if the token is revoked or not is complete. | ||
* `err` (`Any`) - The error that occurred. | ||
* `revoked` (`Boolean`) - `true` if the JWT is revoked, `false` otherwise. | ||
- `req` (`Object`) - The express `request` object. | ||
- `payload` (`Object`) - An object with the JWT claims. | ||
- `done` (`Function`) - A function with signature `function(err, revoked)` to be invoked once the check to see if the token is revoked or not is complete. | ||
- `err` (`Any`) - The error that occurred. | ||
- `revoked` (`Boolean`) - `true` if the JWT is revoked, `false` otherwise. | ||
For example, if the `(iss, jti)` claim pair is used to identify a JWT: | ||
```javascript | ||
var jwt = require('express-jwt'); | ||
var data = require('./data'); | ||
var utilities = require('./utilities'); | ||
const jwt = require("express-jwt"); | ||
const data = require("./data"); | ||
var isRevokedCallback = function(req, payload, done){ | ||
var issuer = payload.iss; | ||
var tokenId = payload.jti; | ||
data.getRevokedToken(issuer, tokenId, function(err, token){ | ||
if (err) { return done(err); } | ||
return done(null, !!token); | ||
}); | ||
const isRevokedCallback = async (req, token) => { | ||
const issuer = token.payload.iss; | ||
const tokenId = token.payload.jti; | ||
const token = await data.getRevokedToken(issuer, tokenId); | ||
return token !== "undefined"; | ||
}; | ||
app.get('/protected', | ||
app.get( | ||
"/protected", | ||
jwt({ | ||
secret: 'shhhhhhared-secret', | ||
algorithms: ['HS256'], | ||
isRevoked: isRevokedCallback | ||
secret: "shhhhhhared-secret", | ||
algorithms: ["HS256"], | ||
isRevoked: isRevokedCallback, | ||
}), | ||
function(req, res) { | ||
if (!req.user.admin) return res.sendStatus(401); | ||
function (req, res) { | ||
if (!req.auth.admin) return res.sendStatus(401); | ||
res.sendStatus(200); | ||
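Review bot: the `isRevokedCallback` example does not run: `const token = await data.getRevokedToken(issuer, tokenId);` redeclares the `token` parameter in the same function scope, which is a SyntaxError, and `return token !== "undefined";` compares against the string literal "undefined", so once the redeclaration is fixed every token, including one absent from the revocation store, is reported as revoked. Suggest `const revoked = await data.getRevokedToken(issuer, tokenId);` followed by `return revoked !== undefined;`. Separately, the bullet lists above both examples still document the old `(req, payload, done)` contract with `done(err, secret)` / `done(err, revoked)`, while the examples now use promise-returning `(req, token)` functions reading `token.payload`; update the lists to the new signature and state whether the callback form is still accepted, so prose and code agree. Last, `getSecret` selects the tenant from `token.payload.iss` before the signature has been checked; that is unavoidable for multi-tenant key lookup, but it means `iss` is attacker-controlled at that point, so the lookup must be an exact-key match and never a prefix or pattern query.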
@@ -212,4 +212,4 @@ } | ||
app.use(function (err, req, res, next) { | ||
if (err.name === 'UnauthorizedError') { | ||
res.status(401).send('invalid token...'); | ||
if (err.name === "UnauthorizedError") { | ||
res.status(401).send("invalid token..."); | ||
} | ||
@@ -222,9 +222,28 @@ }); | ||
```javascript | ||
app.use(jwt({ | ||
secret: 'hello world !', | ||
algorithms: ['HS256'], | ||
credentialsRequired: false | ||
})); | ||
app.use( | ||
jwt({ | ||
secret: "hello world !", | ||
algorithms: ["HS256"], | ||
credentialsRequired: false, | ||
}) | ||
); | ||
``` | ||
## Typescript | ||
An `ExpressJwtRequest` type is provided which extends `express.Request` with the `auth` property. | ||
```typescript | ||
import { expressjwt, ExpressJwtRequest } from "express-jwt"; | ||
app.get( | ||
"/protected", | ||
expressjwt({ secret: "shhhhhhared-secret", algorithms: ["HS256"] }), | ||
function (req: ExpressJwtRequest, res: express.Response) { | ||
if (!req.auth.admin) return res.sendStatus(401); | ||
res.sendStatus(200); | ||
} | ||
); | ||
``` | ||
## Related Modules | ||
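Review bot: the TypeScript example references `express.Response` but only imports from `express-jwt`, so it does not compile as shown; add `import express from "express";` (or `import { Response } from "express";`). More important for `ExpressJwtRequest`: the block just above documents `credentialsRequired: false`, the mode in which requests without a token pass through with `req.auth` unset (the 0.6.2 changelog entry records the same behaviour for `req.user`), so `auth` on that type should be optional, or the README should state that `req.auth.admin` throws on an anonymous request in that mode. If the type in `src` is already optional, the example needs a guard before dereferencing it.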
@@ -243,2 +262,3 @@ | ||
## Contributors | ||
Check them out [here](https://github.com/auth0/express-jwt/graphs/contributors) | ||
@@ -245,0 +265,0 @@ |
License Policy Violation
License: This package is not allowed per your license policy. Review the package's license to ensure compliance.
Found 1 instance in 1 package
Major refactor
Supply chain risk: Package has recently undergone a major refactor. It may be unstable or indicate significant internal changes. Use caution when updating to versions that include significant changes.
Found 1 instance in 1 package
- Removed async@^1.5.0
- Removed lodash@^4.17.21
- Removed async@1.5.2 (transitive)
- Removed lodash@4.17.21 (transitive)