express-oauth2-jwt-bearer

express-oauth2-jwt-bearer - npm Package Compare versions

Comparing version 1.1.0 to 1.2.0

dist/index.d.ts

@@ -6,3 +6,8 @@ /// <reference types="node" />

/**
* JSON Web Key ([JWK](https://www.rfc-editor.org/rfc/rfc7517)). "RSA", "EC", "OKP", and "oct" key
* types are supported.
*/
interface JWK {
/** JWK "alg" (Algorithm) Parameter. */
alg?: string

@@ -14,6 +19,10 @@ crv?: string

e?: string
/** JWK "ext" (Extractable) Parameter. */
ext?: boolean
k?: string
/** JWK "key_ops" (Key Operations) Parameter. */
key_ops?: string[]
/** JWK "kid" (Key ID) Parameter. */
kid?: string
/** JWK "kty" (Key Type) Parameter. */
kty?: string
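Review bot: `e` and `k` are the only members in this hunk without a doc comment, while every neighbour has one; `k` in particular carries the raw "oct" symmetric key value, so a comment stating that it is secret material (never part of a published JWKS) would both match the surrounding style and help consumers of this type handle it correctly.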

@@ -29,35 +38,86 @@ n?: string

qi?: string
/** JWK "use" (Public Key Use) Parameter. */
use?: string
x?: string
y?: string
/** JWK "x5c" (X.509 Certificate Chain) Parameter. */
x5c?: string[]
/** JWK "x5t" (X.509 Certificate SHA-1 Thumbprint) Parameter. */
x5t?: string
/** "x5t#S256" (X.509 Certificate SHA-256 Thumbprint) Parameter. */
'x5t#S256'?: string
/** JWK "x5u" (X.509 URL) Parameter. */
x5u?: string
[propName: string]: unknown
}
interface JoseHeaderParameters {
/** "kid" (Key ID) Header Parameter. */
kid?: string
/** "x5t" (X.509 Certificate SHA-1 Thumbprint) Header Parameter. */
x5t?: string
/** "x5c" (X.509 Certificate Chain) Header Parameter. */
x5c?: string[]
/** "x5u" (X.509 URL) Header Parameter. */
x5u?: string
/** "jku" (JWK Set URL) Header Parameter. */
jku?: string
/** "jwk" (JSON Web Key) Header Parameter. */
jwk?: Pick<JWK, 'kty' | 'crv' | 'x' | 'y' | 'e' | 'n'>
/** "typ" (Type) Header Parameter. */
typ?: string
/** "cty" (Content Type) Header Parameter. */
cty?: string
}
/** Recognized JWS Header Parameters, any other Header Members may also be present. */
interface JWSHeaderParameters extends JoseHeaderParameters {
/** JWS "alg" (Algorithm) Header Parameter. */
alg?: string
/**
* This JWS Extension Header Parameter modifies the JWS Payload representation and the JWS Signing
* Input computation as per [RFC7797](https://www.rfc-editor.org/rfc/rfc7797).
*/
b64?: boolean
/** JWS "crit" (Critical) Header Parameter. */
crit?: string[]
/** Any other JWS Header member. */
[propName: string]: unknown
}
/** Recognized JWT Claims Set members, any other members may also be present. */
interface JWTPayload {
/** JWT Issuer - [RFC7519#section-4.1.1](https://www.rfc-editor.org/rfc/rfc7519#section-4.1.1). */
iss?: string
/** JWT Subject - [RFC7519#section-4.1.2](https://www.rfc-editor.org/rfc/rfc7519#section-4.1.2). */
sub?: string
/** JWT Audience [RFC7519#section-4.1.3](https://www.rfc-editor.org/rfc/rfc7519#section-4.1.3). */
aud?: string | string[]
/** JWT ID - [RFC7519#section-4.1.7](https://www.rfc-editor.org/rfc/rfc7519#section-4.1.7). */
jti?: string
/** JWT Not Before - [RFC7519#section-4.1.5](https://www.rfc-editor.org/rfc/rfc7519#section-4.1.5). */
nbf?: number
/** JWT Expiration Time - [RFC7519#section-4.1.4](https://www.rfc-editor.org/rfc/rfc7519#section-4.1.4). */
exp?: number
/** JWT Issued At - [RFC7519#section-4.1.6](https://www.rfc-editor.org/rfc/rfc7519#section-4.1.6). */
iat?: number
/** Any other JWT Claim Set member. */
[propName: string]: unknown
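Review bot: `JoseHeaderParameters` now types `jku`, `jwk` and `x5u`, all of which come from the not-yet-verified token header; the doc comments should say these are untrusted input and that key resolution stays with the JWKS of the configured issuer, otherwise a reader of the `.d.ts` may assume they are safe to act on. The `b64` comment cites RFC7797 but not whether unencoded payloads are accepted or rejected by this middleware; state it. Finally, `[propName: string]: unknown` on `JWTPayload` means every custom claim arrives typed as `unknown`, which callers of `claimCheck` must narrow before use; a one-line note there would save support questions.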

@@ -64,0 +124,0 @@ }

package.json
{
"name": "express-oauth2-jwt-bearer",
"description": "Authentication middleware for Express.js that validates JWT bearer access tokens.",
"version": "1.1.0",
"version": "1.2.0",
"main": "dist/index.js",

@@ -29,3 +29,3 @@ "types": "dist/index.d.ts",

"express": "^4.17.1",
"got": "^11.8.2",
"got": "^11.8.5",
"jest": "^27.4.5",
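Review bot: `got` moves from ^11.8.2 to ^11.8.5 next to `express` and `jest` with nothing in this change saying why; if the bump picks up a security fix, the commit message or release notes should say so, since consumers scanning the diff cannot tell a routine patch from a remediation.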

@@ -44,7 +44,7 @@ "jest-junit": "^13.0.0",

"dependencies": {
"jose": "^4.3.7"
"jose": "^4.9.2"
},
"engines": {
"node": "12.19.0 || ^14.15.0 || ^16.13.0"
"node": "^12.19.0 || ^14.15.0 || ^16.13.0 || ^18.12.0"
}
}
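Review bot: the `engines` field fixes the missing caret on `12.19.0` and adds `^18.12.0`, but the README Requirements list in this same diff still reads `^12.19.0 || ^14.15.0 || ^16.13.0`; update the README so the two agree. The runtime dependency bump `jose` ^4.3.7 → ^4.9.2 is the security-relevant part of this hunk (it is the library doing signature verification) and deserves its own line in the release notes.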

@@ -1,26 +0,26 @@

# express-oauth2-jwt-bearer
![Authentication middleware for Express.js that validates JWT Bearer Access Tokens](https://cdn.auth0.com/website/sdks/banners/express-oauth2-jwt-bearer-banner.png)
Authentication middleware for Express.js that validates JWT Bearer Access Tokens.
[![CircleCI](https://img.shields.io/circleci/build/github/auth0/node-oauth2-jwt-bearer.svg?branch=master&style=flat)](https://circleci.com/gh/auth0/node-oauth2-jwt-bearer)
[![License](https://img.shields.io/:license-mit-blue.svg?style=flat)](https://opensource.org/licenses/MIT)
[![npm](https://img.shields.io/npm/v/express-oauth2-jwt-bearer.svg?style=flat)](https://www.npmjs.com/package/express-oauth2-jwt-bearer)
[![codecov](https://img.shields.io/badge/coverage-100%25-green)](./jest.config.js#L6-L13)
![Downloads](https://img.shields.io/npm/dw/express-oauth2-jwt-bearer)
[![License](https://img.shields.io/:license-mit-blue.svg?style=flat)](https://opensource.org/licenses/MIT)
[![CircleCI](https://img.shields.io/circleci/build/github/auth0/node-oauth2-jwt-bearer.svg?branch=master&style=flat)](https://circleci.com/gh/auth0/node-oauth2-jwt-bearer)
- [Install](#install)
- [Getting started](#getting-started)
- [API Documentation](#api-documentation)
- [Examples](#examples)
- [Security Headers](#security-headers)
- [Error Handling](#error-handling)
- [Contributing](#contributing)
- [Support + Feedback](#support---feedback)
- [Vulnerability Reporting](#vulnerability-reporting)
- [What is Auth0?](#what-is-auth0-)
- [License](#license)
📚 [Documentation](#documentation) - 🚀 [Getting Started](#getting-started) - 💻 [API Reference](#api-reference) - 💬 [Feedback](#feedback)
## Install
## Documentation
This package supports Node `^12.19.0 || ^14.15.0`
- [Docs Site](https://auth0.com/docs) - explore our Docs site and learn more about Auth0.
## Getting started
### Requirements
This package supports the following tooling versions:
- Node.js: `^12.19.0 || ^14.15.0 || ^16.13.0`
### Installation
Using [npm](https://npmjs.org) in your project directory run the following command:
```shell
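Review bot: the new Requirements bullet `- Node.js: ^12.19.0 || ^14.15.0 || ^16.13.0` omits the `^18.12.0` that package.json `engines` gains in this same change, so the README is out of date on the day it is rewritten; either generate this line from package.json or add the missing range. The replaced line "This package supports Node `^12.19.0 || ^14.15.0`" had the same drift, which argues for a single source of truth.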

@@ -32,4 +32,8 @@ npm install express-oauth2-jwt-bearer

The library requires [issuerBaseURL](https://auth0.github.io/node-oauth2-jwt-bearer/interfaces/authoptions.html#issuerbaseurl) and [audience](https://auth0.github.io/node-oauth2-jwt-bearer/interfaces/authoptions.html#audience), which can be configured with environmental variables:
### Configure the SDK
The library requires [issuerBaseURL](https://auth0.github.io/node-oauth2-jwt-bearer/interfaces/authoptions.html#issuerbaseurl) and [audience](https://auth0.github.io/node-oauth2-jwt-bearer/interfaces/authoptions.html#audience).
#### Environment Variables
```shell

@@ -45,3 +49,3 @@ ISSUER_BASE_URL=https://YOUR_ISSUER_DOMAIN

... or in the library initialization:
#### Library Initialization

@@ -58,3 +62,3 @@ ```js

... or for JWTs signed with symmetric algorithms (eg `HS256`)
#### JWTs signed with symmetric algorithms (eg `HS256`)

@@ -73,65 +77,22 @@ ```js

With this basic configuration, your api will require a valid Access Token JWT bearer token for all routes.
With this configuration, your api will require a valid Access Token JWT bearer token for all routes.
## API Documentation
Successful requests will have the following properties added to them:
- [auth](https://auth0.github.io/node-oauth2-jwt-bearer#auth) - Middleware that will return a 401 if a valid Access token JWT bearer token is not provided in the request.
- [requiredScopes](https://auth0.github.io/node-oauth2-jwt-bearer#requiredscopes) - Check a token's scope claim to include a number of given scopes, raises a 403 `insufficient_scope` error if the value of the scope claim does not include all the given scopes.
- [claimEquals](https://auth0.github.io/node-oauth2-jwt-bearer#claimequals) - Check a token's claim to be equal a given JSONPrimitive (string, number, boolean or null) raises a 401 `invalid_token` error if the value of the claim does not match.
- [claimIncludes](https://auth0.github.io/node-oauth2-jwt-bearer#claimincludes) - Check a token's claim to include a number of given JSONPrimitives (string, number, boolean or null) raises a 401 `invalid_token` error if the value of the claim does not include all the given values.
- [claimCheck](https://auth0.github.io/node-oauth2-jwt-bearer#claimcheck) - Check the token's claims using a custom method that receives the JWT Payload and should return `true` if the token is valid. Raises a 401 `invalid_token` error if the function returns `false`.
## Examples
```js
const {
auth,
requiredScopes,
claimEquals,
claimIncludes,
claimCheck
} = require('express-oauth2-jwt-bearer');
// Initialise the auth middleware with environment variables and restrict
// access to your api to users with a valid Access Token JWT
app.use(auth());
// Restrict access to the messages api to users with the `read:msg`
// AND `write:msg` scopes
app.get('/api/messages',
requiredScopes('read:msg', 'write:msg'),
(req, res, next) => {
// ...
const auth = req.auth;
auth.header; // The decoded JWT header.
auth.payload; // The decoded JWT payload.
auth.token; // The raw JWT token.
}
);
// Restrict access to the admin api to users with the `isAdmin: true` claim
app.get('/api/admin', claimEquals('isAdmin', true), (req, res, next) => {
// ...
});
// Restrict access to the managers admin api to users with both the role `admin`
// AND the role `manager`
app.get('/api/admin/managers',
claimIncludes('role', 'admin', 'manager'),
(req, res, next) => {
// ...
}
);
// Restrict access to the admin edit api to users with the `isAdmin: true` claim
// and the `editor` role.
app.get('/api/admin/edit',
claimCheck(({ isAdmin, roles }) => isAdmin && roles.includes('editor')),
(req, res, next) => {
// ...
}
);
```
## Security Headers
### Security Headers
Along with the other [security best practices](https://expressjs.com/en/advanced/best-practice-security.html) in the Express.js documentation, we recommend you use [helmet](https://www.npmjs.com/package/helmet) in addition to this middleware which can help protect your app from some well-known web vulnerabilities by setting default security HTTP headers.
## Error Handling
### Error Handling
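Review bot: in the Examples block, `claimCheck(({ isAdmin, roles }) => isAdmin && roles.includes('editor'))` throws a TypeError when the token carries `isAdmin` but no `roles` claim, instead of returning `false` and producing the 401 `invalid_token` the API bullets describe; guard it with `Array.isArray(roles) && roles.includes('editor')`, and compare `isAdmin === true` rather than relying on truthiness, matching the `claimEquals('isAdmin', true)` example above it. Given the `[propName: string]: unknown` index signature on `JWTPayload` in dist/index.d.ts, the arrow function also needs that narrowing to type-check.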

@@ -149,29 +110,42 @@ This SDK raises errors with `err.status` and `err.headers` according to [rfc6750](https://datatracker.ietf.org/doc/html/rfc6750#section-3). The Express.js default error handler will set the error response with:

## Contributing
## API Reference
See monorepo's [contributing guidelines](../../README.md#contributing).
- [auth](https://auth0.github.io/node-oauth2-jwt-bearer#auth) - Middleware that will return a 401 if a valid Access token JWT bearer token is not provided in the request.
- [AuthResult](https://auth0.github.io/node-oauth2-jwt-bearer/interfaces/authresult.html) - The properties added to `req.auth` upon successful authorization.
- [requiredScopes](https://auth0.github.io/node-oauth2-jwt-bearer#requiredscopes) - Check a token's scope claim to include a number of given scopes, raises a 403 `insufficient_scope` error if the value of the scope claim does not include all the given scopes.
- [claimEquals](https://auth0.github.io/node-oauth2-jwt-bearer#claimequals) - Check a token's claim to be equal a given JSONPrimitive (string, number, boolean or null) raises a 401 `invalid_token` error if the value of the claim does not match.
- [claimIncludes](https://auth0.github.io/node-oauth2-jwt-bearer#claimincludes) - Check a token's claim to include a number of given JSONPrimitives (string, number, boolean or null) raises a 401 `invalid_token` error if the value of the claim does not include all the given values.
- [claimCheck](https://auth0.github.io/node-oauth2-jwt-bearer#claimcheck) - Check the token's claims using a custom method that receives the JWT Payload and should return `true` if the token is valid. Raises a 401 `invalid_token` error if the function returns `false`.
## Support + Feedback
## Feedback
### Contributing
Please use the [Issues queue](https://github.com/auth0/node-oauth2-jwt-bearer/issues) in this repo for questions and feedback.
We appreciate feedback and contribution to this repo! Before you get started, please see the following:
## Vulnerability Reporting
- [Auth0's general contribution guidelines](https://github.com/auth0/open-source-template/blob/master/GENERAL-CONTRIBUTING.md)
- [Auth0's code of conduct guidelines](https://github.com/auth0/open-source-template/blob/master/CODE-OF-CONDUCT.md)
- [This repo's contribution guide](https://github.com/auth0/node-oauth2-jwt-bearer/blob/main/CONTRIBUTING.md)
Please do not report security vulnerabilities on the public GitHub issue tracker. The [Responsible Disclosure Program](https://auth0.com/whitehat) details the procedure for disclosing security issues.
### Raise an issue
## What is Auth0?
To provide feedback or report a bug, please [raise an issue on our issue tracker](https://github.com/auth0/node-oauth2-jwt-bearer/issues).
Auth0 helps you to easily:
### Vulnerability Reporting
- implement authentication with multiple identity providers, including social (e.g., Google, Facebook, Microsoft, LinkedIn, GitHub, Twitter, etc), or enterprise (e.g., Windows Azure AD, Google Apps, Active Directory, ADFS, SAML, etc.)
- log in users with username/password databases, passwordless, or multi-factor authentication
- link multiple user accounts together
- generate signed JSON Web Tokens to authorize your API calls and flow the user identity securely
- access demographics and analytics detailing how, when, and where users are logging in
- enrich user profiles from other data sources using customizable JavaScript rules
Please do not report security vulnerabilities on the public GitHub issue tracker. The [Responsible Disclosure Program](https://auth0.com/whitehat) details the procedure for disclosing security issues.
[Why Auth0?](https://auth0.com/why-auth0)
## What is Auth0?
## License
This project is licensed under the MIT license. See the [LICENSE](LICENSE) file for more info.
<p align="center">
<picture>
<source media="(prefers-color-scheme: dark)" srcset="https://cdn.auth0.com/website/sdks/logos/auth0_dark_mode.png" width="150">
<source media="(prefers-color-scheme: light)" srcset="https://cdn.auth0.com/website/sdks/logos/auth0_light_mode.png" width="150">
<img alt="Auth0 Logo" src="https://cdn.auth0.com/website/sdks/logos/auth0_light_mode.png" width="150">
</picture>
</p>
<p align="center">
Auth0 is an easy to implement, adaptable authentication and authorization platform. To learn more checkout <a href="https://auth0.com/why-auth0">Why Auth0?</a>
</p>
<p align="center">
This project is licensed under the MIT license. See the <a href="https://github.com/auth0/node-oauth2-jwt-bearer/blob/main/packages/express-oauth2-jwt-bearer/LICENSE"> LICENSE</a> file for more info.
</p>