Socket
Book a DemoInstallSign in
Socket
Book a DemoInstallSign in

express-simple-auth-token

Package Overview
Dependencies
Maintainers
2
Versions
7
Alerts
File Explorer

Advanced tools

License
Socket logo

Install Socket

Detect and block malicious and high-risk dependencies

Install

express-simple-auth-token

JSON web token middleware for express designed to work with Ember Simple Auth Token

latest
Source
npmnpm
Version
1.2.3
Version published
Maintainers
2
Created
Source

Express Simple Auth Token

JSON web token middleware for express designed to work with Ember Simple Auth Token.

Usage

var expressSimpleAuthToken = require('express-simple-auth-token');

var tokenMiddleware = expressSimpleAuthToken({
  secret: 'keyboard cat',
  lookup: function (user, callback) {
    users.findOne({ _id: user.id }, callback);
  },
  verify: function (password, user, callback) {
    verifyPassword(password, user.hash, callback);
  }
});

app.use(tokenMiddleware);

Settings

Required settings:

  • secret - for JSON Web Token, you must supply this.
  • lookup - function called to lookup a user when they log in, called with 2 arguments, username and callback. Username is based on identificationField option.
  • verify - function called to verify a user against the supplied password. Called with 3 arguments: password which is derived from the passwordField option, user which is the result of lookup, and a callback which must be called in the form callback(null, true) if verification was successful. This is where you run a key derivation function or similar.

Optional settings:

  • algorithm - for JWT (default: 'HS256')

  • serverTokenEndpoint - path of the endpoint for getting a token. (default: 'api-token-auth')

  • serverTokenRefreshEndpoint - path of the endpoint for getting a token (default: 'api-token-refresh')

  • passwordField - field in the body of the request posted to serverTokenEndpoint which contains the password (default: password)

  • identificationField - field in the body of the request posted to serverTokenEndpoint which contains the method if identifying the user (default: username)

  • tokenPropertyName - field name for the token for use in verification middleware, the request send to serverTokenRefreshEndpoint, and the response from both token endpoints (default: 'token')

  • refreshLeeway - in seconds, this option denotes if you should give a little leeway in the expiration time when refreshing the token. Useful if your client library uses the expiration date as the time it should send the request causing all token refreshes to fail due to the token having expired milliseconds previously. (default: 0)

  • tokenLife - how long should the token last, in minutes (default: 60)

  • authError - what to do when we can't validate a json web token (either because it isn't there or it is invalid). Defaults to

    function (req, res, next, error){
  return res.statusStatus(401);
}

  • createTokenError - function called when error encountered in request to serverTokenEndpoint. Same default as authError.

  • refreshTokenError - function called when error encountered in request to serverTokenRefreshEndpoint. Same default as authError.

  • createToken - a function you can use if you want to modify the fields passed back in the token. Useful if you want to strip password hashes or lookup other related attributes. Called with 2 arguments: user which is the result of lookup, and callback. Defaults to

    function (user, callback) {
  process.nextTick(function () {
    callback(null, user);
  });
}

  • refreshLookup - lookup function for use when the token is refreshed. Defaults to

    function (user, callback) {
  if (!user[opts.identificationField]) {
    return process.nextTick(function () {
      callback(new Error('no username in token'));
    });
  }
  var lookup = opts.lookup;
  lookup(user[opts.identificationField], callback);
}

More Complete Example

var expressSimpleAuthToken = require('express-simple-auth-token');
var crypto = require('crypto');

var HASH_LEN = 64;

app.use(expressSimpleAuthToken({
  secret: crypto.randomBytes(64),
  lookup: function (user, callback) {
    lookupInDataBase(user, callback);
  },
  verify: function (password, user, callback) {
    var hash = user.hash;
    crypto.pbkdf2(password, user.salt, 10000, HASH_LEN, 'sha224', function (err, resp) {
      if (err) {
        return callback(err);
      }
      var hash = user.hash;
      var i = -1;
      var out = 0;
      while (++i < HASH_LEN) {
        out |= hash[i] ^ resp[i];
      }
      callback(null, out);
    });
  },
  createToken: function (user, callback) {
    delete user.hash;
    delete user.salt;
    callback(null, user);
  }
}));

FAQs

Package last updated on 12 Feb 2016

Did you know?

Socket

Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.

Install

Related posts

Node.js Fixes AsyncLocalStorage Crash Bug That Could Take Down Production Servers

Research

Node.js Fixes AsyncLocalStorage Crash Bug That Could Take Down Production Servers

Node.js patched a crash bug where AsyncLocalStorage could cause stack overflows to bypass error handlers and terminate production servers.

By Sarah Gooding  -  Jan 14, 2026
Malicious Chrome Extension Steals MEXC API Keys for Account Takeover

Research

/

Security News

Malicious Chrome Extension Steals MEXC API Keys for Account Takeover

A malicious Chrome extension steals newly created MEXC API keys, exfiltrates them to Telegram, and enables full account takeover with trading and withdrawal rights.

By Kirill Boychenko  -  Jan 12, 2026