express-oauth2-jwt-bearer
Comparing version 1.1.0 to 1.2.0
@@ -6,3 +6,8 @@ /// <reference types="node" /> | ||
/** | ||
* JSON Web Key ([JWK](https://www.rfc-editor.org/rfc/rfc7517)). "RSA", "EC", "OKP", and "oct" key | ||
* types are supported. | ||
*/ | ||
interface JWK { | ||
/** JWK "alg" (Algorithm) Parameter. */ | ||
alg?: string | ||
@@ -14,6 +19,10 @@ crv?: string | ||
e?: string | ||
/** JWK "ext" (Extractable) Parameter. */ | ||
ext?: boolean | ||
k?: string | ||
/** JWK "key_ops" (Key Operations) Parameter. */ | ||
key_ops?: string[] | ||
/** JWK "kid" (Key ID) Parameter. */ | ||
kid?: string | ||
/** JWK "kty" (Key Type) Parameter. */ | ||
kty?: string | ||
@@ -29,35 +38,86 @@ n?: string | ||
qi?: string | ||
/** JWK "use" (Public Key Use) Parameter. */ | ||
use?: string | ||
x?: string | ||
y?: string | ||
/** JWK "x5c" (X.509 Certificate Chain) Parameter. */ | ||
x5c?: string[] | ||
/** JWK "x5t" (X.509 Certificate SHA-1 Thumbprint) Parameter. */ | ||
x5t?: string | ||
/** "x5t#S256" (X.509 Certificate SHA-256 Thumbprint) Parameter. */ | ||
'x5t#S256'?: string | ||
/** JWK "x5u" (X.509 URL) Parameter. */ | ||
x5u?: string | ||
[propName: string]: unknown | ||
} | ||
interface JoseHeaderParameters { | ||
/** "kid" (Key ID) Header Parameter. */ | ||
kid?: string | ||
/** "x5t" (X.509 Certificate SHA-1 Thumbprint) Header Parameter. */ | ||
x5t?: string | ||
/** "x5c" (X.509 Certificate Chain) Header Parameter. */ | ||
x5c?: string[] | ||
/** "x5u" (X.509 URL) Header Parameter. */ | ||
x5u?: string | ||
/** "jku" (JWK Set URL) Header Parameter. */ | ||
jku?: string | ||
/** "jwk" (JSON Web Key) Header Parameter. */ | ||
jwk?: Pick<JWK, 'kty' | 'crv' | 'x' | 'y' | 'e' | 'n'> | ||
/** "typ" (Type) Header Parameter. */ | ||
typ?: string | ||
/** "cty" (Content Type) Header Parameter. */ | ||
cty?: string | ||
} | ||
/** Recognized JWS Header Parameters, any other Header Members may also be present. */ | ||
interface JWSHeaderParameters extends JoseHeaderParameters { | ||
/** JWS "alg" (Algorithm) Header Parameter. */ | ||
alg?: string | ||
/** | ||
* This JWS Extension Header Parameter modifies the JWS Payload representation and the JWS Signing | ||
* Input computation as per [RFC7797](https://www.rfc-editor.org/rfc/rfc7797). | ||
*/ | ||
b64?: boolean | ||
/** JWS "crit" (Critical) Header Parameter. */ | ||
crit?: string[] | ||
/** Any other JWS Header member. */ | ||
[propName: string]: unknown | ||
} | ||
/** Recognized JWT Claims Set members, any other members may also be present. */ | ||
interface JWTPayload { | ||
/** JWT Issuer - [RFC7519#section-4.1.1](https://www.rfc-editor.org/rfc/rfc7519#section-4.1.1). */ | ||
iss?: string | ||
/** JWT Subject - [RFC7519#section-4.1.2](https://www.rfc-editor.org/rfc/rfc7519#section-4.1.2). */ | ||
sub?: string | ||
/** JWT Audience [RFC7519#section-4.1.3](https://www.rfc-editor.org/rfc/rfc7519#section-4.1.3). */ | ||
aud?: string | string[] | ||
/** JWT ID - [RFC7519#section-4.1.7](https://www.rfc-editor.org/rfc/rfc7519#section-4.1.7). */ | ||
jti?: string | ||
/** JWT Not Before - [RFC7519#section-4.1.5](https://www.rfc-editor.org/rfc/rfc7519#section-4.1.5). */ | ||
nbf?: number | ||
/** JWT Expiration Time - [RFC7519#section-4.1.4](https://www.rfc-editor.org/rfc/rfc7519#section-4.1.4). */ | ||
exp?: number | ||
/** JWT Issued At - [RFC7519#section-4.1.6](https://www.rfc-editor.org/rfc/rfc7519#section-4.1.6). */ | ||
iat?: number | ||
/** Any other JWT Claim Set member. */ | ||
[propName: string]: unknown | ||
@@ -64,0 +124,0 @@ } |
{ | ||
"name": "express-oauth2-jwt-bearer", | ||
"description": "Authentication middleware for Express.js that validates JWT bearer access tokens.", | ||
"version": "1.1.0", | ||
"version": "1.2.0", | ||
"main": "dist/index.js", | ||
@@ -29,3 +29,3 @@ "types": "dist/index.d.ts", | ||
"express": "^4.17.1", | ||
"got": "^11.8.2", | ||
"got": "^11.8.5", | ||
"jest": "^27.4.5", | ||
@@ -44,7 +44,7 @@ "jest-junit": "^13.0.0", | ||
"dependencies": { | ||
"jose": "^4.3.7" | ||
"jose": "^4.9.2" | ||
}, | ||
"engines": { | ||
"node": "12.19.0 || ^14.15.0 || ^16.13.0" | ||
"node": "^12.19.0 || ^14.15.0 || ^16.13.0 || ^18.12.0" | ||
} | ||
} |
154
README.md
@@ -1,26 +0,26 @@ | ||
# express-oauth2-jwt-bearer | ||
![Authentication middleware for Express.js that validates JWT Bearer Access Tokens](https://cdn.auth0.com/website/sdks/banners/express-oauth2-jwt-bearer-banner.png) | ||
Authentication middleware for Express.js that validates JWT Bearer Access Tokens. | ||
[![CircleCI](https://img.shields.io/circleci/build/github/auth0/node-oauth2-jwt-bearer.svg?branch=master&style=flat)](https://circleci.com/gh/auth0/node-oauth2-jwt-bearer) | ||
[![License](https://img.shields.io/:license-mit-blue.svg?style=flat)](https://opensource.org/licenses/MIT) | ||
[![npm](https://img.shields.io/npm/v/express-oauth2-jwt-bearer.svg?style=flat)](https://www.npmjs.com/package/express-oauth2-jwt-bearer) | ||
[![codecov](https://img.shields.io/badge/coverage-100%25-green)](./jest.config.js#L6-L13) | ||
![Downloads](https://img.shields.io/npm/dw/express-oauth2-jwt-bearer) | ||
[![License](https://img.shields.io/:license-mit-blue.svg?style=flat)](https://opensource.org/licenses/MIT) | ||
[![CircleCI](https://img.shields.io/circleci/build/github/auth0/node-oauth2-jwt-bearer.svg?branch=master&style=flat)](https://circleci.com/gh/auth0/node-oauth2-jwt-bearer) | ||
- [Install](#install) | ||
- [Getting started](#getting-started) | ||
- [API Documentation](#api-documentation) | ||
- [Examples](#examples) | ||
- [Security Headers](#security-headers) | ||
- [Error Handling](#error-handling) | ||
- [Contributing](#contributing) | ||
- [Support + Feedback](#support---feedback) | ||
- [Vulnerability Reporting](#vulnerability-reporting) | ||
- [What is Auth0?](#what-is-auth0-) | ||
- [License](#license) | ||
📚 [Documentation](#documentation) - 🚀 [Getting Started](#getting-started) - 💻 [API Reference](#api-reference) - 💬 [Feedback](#feedback) | ||
## Install | ||
## Documentation | ||
This package supports Node `^12.19.0 || ^14.15.0` | ||
- [Docs Site](https://auth0.com/docs) - explore our Docs site and learn more about Auth0. | ||
## Getting started | ||
### Requirements | ||
This package supports the following tooling versions: | ||
- Node.js: `^12.19.0 || ^14.15.0 || ^16.13.0` | ||
### Installation | ||
Using [npm](https://npmjs.org) in your project directory run the following command: | ||
```shell | ||
@@ -32,4 +32,8 @@ npm install express-oauth2-jwt-bearer | ||
The library requires [issuerBaseURL](https://auth0.github.io/node-oauth2-jwt-bearer/interfaces/authoptions.html#issuerbaseurl) and [audience](https://auth0.github.io/node-oauth2-jwt-bearer/interfaces/authoptions.html#audience), which can be configured with environmental variables: | ||
### Configure the SDK | ||
The library requires [issuerBaseURL](https://auth0.github.io/node-oauth2-jwt-bearer/interfaces/authoptions.html#issuerbaseurl) and [audience](https://auth0.github.io/node-oauth2-jwt-bearer/interfaces/authoptions.html#audience). | ||
#### Environment Variables | ||
```shell | ||
@@ -45,3 +49,3 @@ ISSUER_BASE_URL=https://YOUR_ISSUER_DOMAIN | ||
... or in the library initialization: | ||
#### Library Initialization | ||
@@ -58,3 +62,3 @@ ```js | ||
... or for JWTs signed with symmetric algorithms (eg `HS256`) | ||
#### JWTs signed with symmetric algorithms (eg `HS256`) | ||
@@ -73,65 +77,22 @@ ```js | ||
With this basic configuration, your api will require a valid Access Token JWT bearer token for all routes. | ||
With this configuration, your api will require a valid Access Token JWT bearer token for all routes. | ||
## API Documentation | ||
Successful requests will have the following properties added to them: | ||
- [auth](https://auth0.github.io/node-oauth2-jwt-bearer#auth) - Middleware that will return a 401 if a valid Access token JWT bearer token is not provided in the request. | ||
- [requiredScopes](https://auth0.github.io/node-oauth2-jwt-bearer#requiredscopes) - Check a token's scope claim to include a number of given scopes, raises a 403 `insufficient_scope` error if the value of the scope claim does not include all the given scopes. | ||
- [claimEquals](https://auth0.github.io/node-oauth2-jwt-bearer#claimequals) - Check a token's claim to be equal a given JSONPrimitive (string, number, boolean or null) raises a 401 `invalid_token` error if the value of the claim does not match. | ||
- [claimIncludes](https://auth0.github.io/node-oauth2-jwt-bearer#claimincludes) - Check a token's claim to include a number of given JSONPrimitives (string, number, boolean or null) raises a 401 `invalid_token` error if the value of the claim does not include all the given values. | ||
- [claimCheck](https://auth0.github.io/node-oauth2-jwt-bearer#claimcheck) - Check the token's claims using a custom method that receives the JWT Payload and should return `true` if the token is valid. Raises a 401 `invalid_token` error if the function returns `false`. | ||
## Examples | ||
```js | ||
const { | ||
auth, | ||
requiredScopes, | ||
claimEquals, | ||
claimIncludes, | ||
claimCheck | ||
} = require('express-oauth2-jwt-bearer'); | ||
// Initialise the auth middleware with environment variables and restrict | ||
// access to your api to users with a valid Access Token JWT | ||
app.use(auth()); | ||
// Restrict access to the messages api to users with the `read:msg` | ||
// AND `write:msg` scopes | ||
app.get('/api/messages', | ||
requiredScopes('read:msg', 'write:msg'), | ||
(req, res, next) => { | ||
// ... | ||
const auth = req.auth; | ||
auth.header; // The decoded JWT header. | ||
auth.payload; // The decoded JWT payload. | ||
auth.token; // The raw JWT token. | ||
} | ||
); | ||
// Restrict access to the admin api to users with the `isAdmin: true` claim | ||
app.get('/api/admin', claimEquals('isAdmin', true), (req, res, next) => { | ||
// ... | ||
}); | ||
// Restrict access to the managers admin api to users with both the role `admin` | ||
// AND the role `manager` | ||
app.get('/api/admin/managers', | ||
claimIncludes('role', 'admin', 'manager'), | ||
(req, res, next) => { | ||
// ... | ||
} | ||
); | ||
// Restrict access to the admin edit api to users with the `isAdmin: true` claim | ||
// and the `editor` role. | ||
app.get('/api/admin/edit', | ||
claimCheck(({ isAdmin, roles }) => isAdmin && roles.includes('editor')), | ||
(req, res, next) => { | ||
// ... | ||
} | ||
); | ||
``` | ||
## Security Headers | ||
### Security Headers | ||
Along with the other [security best practices](https://expressjs.com/en/advanced/best-practice-security.html) in the Express.js documentation, we recommend you use [helmet](https://www.npmjs.com/package/helmet) in addition to this middleware which can help protect your app from some well-known web vulnerabilities by setting default security HTTP headers. | ||
## Error Handling | ||
### Error Handling | ||
@@ -149,29 +110,42 @@ This SDK raises errors with `err.status` and `err.headers` according to [rfc6750](https://datatracker.ietf.org/doc/html/rfc6750#section-3). The Express.js default error handler will set the error response with: | ||
## Contributing | ||
## API Reference | ||
See monorepo's [contributing guidelines](../../README.md#contributing). | ||
- [auth](https://auth0.github.io/node-oauth2-jwt-bearer#auth) - Middleware that will return a 401 if a valid Access token JWT bearer token is not provided in the request. | ||
- [AuthResult](https://auth0.github.io/node-oauth2-jwt-bearer/interfaces/authresult.html) - The properties added to `req.auth` upon successful authorization. | ||
- [requiredScopes](https://auth0.github.io/node-oauth2-jwt-bearer#requiredscopes) - Check a token's scope claim to include a number of given scopes, raises a 403 `insufficient_scope` error if the value of the scope claim does not include all the given scopes. | ||
- [claimEquals](https://auth0.github.io/node-oauth2-jwt-bearer#claimequals) - Check a token's claim to be equal a given JSONPrimitive (string, number, boolean or null) raises a 401 `invalid_token` error if the value of the claim does not match. | ||
- [claimIncludes](https://auth0.github.io/node-oauth2-jwt-bearer#claimincludes) - Check a token's claim to include a number of given JSONPrimitives (string, number, boolean or null) raises a 401 `invalid_token` error if the value of the claim does not include all the given values. | ||
- [claimCheck](https://auth0.github.io/node-oauth2-jwt-bearer#claimcheck) - Check the token's claims using a custom method that receives the JWT Payload and should return `true` if the token is valid. Raises a 401 `invalid_token` error if the function returns `false`. | ||
## Support + Feedback | ||
## Feedback | ||
### Contributing | ||
Please use the [Issues queue](https://github.com/auth0/node-oauth2-jwt-bearer/issues) in this repo for questions and feedback. | ||
We appreciate feedback and contribution to this repo! Before you get started, please see the following: | ||
## Vulnerability Reporting | ||
- [Auth0's general contribution guidelines](https://github.com/auth0/open-source-template/blob/master/GENERAL-CONTRIBUTING.md) | ||
- [Auth0's code of conduct guidelines](https://github.com/auth0/open-source-template/blob/master/CODE-OF-CONDUCT.md) | ||
- [This repo's contribution guide](https://github.com/auth0/node-oauth2-jwt-bearer/blob/main/CONTRIBUTING.md) | ||
Please do not report security vulnerabilities on the public GitHub issue tracker. The [Responsible Disclosure Program](https://auth0.com/whitehat) details the procedure for disclosing security issues. | ||
### Raise an issue | ||
## What is Auth0? | ||
To provide feedback or report a bug, please [raise an issue on our issue tracker](https://github.com/auth0/node-oauth2-jwt-bearer/issues). | ||
Auth0 helps you to easily: | ||
### Vulnerability Reporting | ||
- implement authentication with multiple identity providers, including social (e.g., Google, Facebook, Microsoft, LinkedIn, GitHub, Twitter, etc), or enterprise (e.g., Windows Azure AD, Google Apps, Active Directory, ADFS, SAML, etc.) | ||
- log in users with username/password databases, passwordless, or multi-factor authentication | ||
- link multiple user accounts together | ||
- generate signed JSON Web Tokens to authorize your API calls and flow the user identity securely | ||
- access demographics and analytics detailing how, when, and where users are logging in | ||
- enrich user profiles from other data sources using customizable JavaScript rules | ||
Please do not report security vulnerabilities on the public GitHub issue tracker. The [Responsible Disclosure Program](https://auth0.com/whitehat) details the procedure for disclosing security issues. | ||
[Why Auth0?](https://auth0.com/why-auth0) | ||
## What is Auth0? | ||
## License | ||
This project is licensed under the MIT license. See the [LICENSE](LICENSE) file for more info. | ||
<p align="center"> | ||
<picture> | ||
<source media="(prefers-color-scheme: dark)" srcset="https://cdn.auth0.com/website/sdks/logos/auth0_dark_mode.png" width="150"> | ||
<source media="(prefers-color-scheme: light)" srcset="https://cdn.auth0.com/website/sdks/logos/auth0_light_mode.png" width="150"> | ||
<img alt="Auth0 Logo" src="https://cdn.auth0.com/website/sdks/logos/auth0_light_mode.png" width="150"> | ||
</picture> | ||
</p> | ||
<p align="center"> | ||
Auth0 is an easy to implement, adaptable authentication and authorization platform. To learn more checkout <a href="https://auth0.com/why-auth0">Why Auth0?</a> | ||
</p> | ||
<p align="center"> | ||
This project is licensed under the MIT license. See the <a href="https://github.com/auth0/node-oauth2-jwt-bearer/blob/main/packages/express-oauth2-jwt-bearer/LICENSE"> LICENSE</a> file for more info. | ||
</p> |