hapi-auth-jwt2 - npm Package Compare versions

Comparing version 5.4.1 to 5.7.0

lib/index.js

@@ -42,3 +42,3 @@ var Boom      = require('boom'); // error handling https://github.com/hapijs/boom
       try {
-        decoded = JWT.decode(token); // decode is non-io and fast enough to not have to be async
+        decoded = JWT.decode(token, { complete: options.complete || false });
       }
@@ -45,0 +45,0 @@ catch(e) { // request should still FAIL if the token does not decode.

package.json

 {
   "name": "hapi-auth-jwt2",
-  "version": "5.4.1",
+  "version": "5.7.0",
   "description": "Hapi.js Authentication Plugin/Scheme using JSON Web Tokens (JWT)",
@@ -36,7 +36,7 @@ "main": "lib/index.js",
     "cookie": "^0.2.3",
-    "jsonwebtoken": "^5.5.4"
+    "jsonwebtoken": "^5.7.0"
   },
   "devDependencies": {
     "aguid": "^1.0.4",
-    "hapi": "^13.0.0",
+    "hapi": "^13.3.0",
     "istanbul": "^0.4.2",
@@ -46,3 +46,3 @@ "jshint": "^2.9.1",
     "tap-spec": "^4.1.1",
-    "tape": "^4.4.0"
+    "tape": "^4.5.1"
   },
@@ -49,0 +49,0 @@ "engines": {

README.md

@@ -11,3 +11,3 @@ # Hapi Auth using JSON Web Tokens (JWT)
 [![Code Climate](https://codeclimate.com/github/dwyl/hapi-auth-jwt2/badges/gpa.svg "No Nasty Code")](https://codeclimate.com/github/dwyl/hapi-auth-jwt2)
-[![HAPI 13.0.0](http://img.shields.io/badge/hapi-12.1.0-brightgreen.svg "Latest Hapi.js")](http://hapijs.com)
+[![HAPI 13.3.0](http://img.shields.io/badge/hapi-13.3.0-brightgreen.svg "Latest Hapi.js")](http://hapijs.com)
 [![Node.js Version](https://img.shields.io/node/v/hapi-auth-jwt2.svg?style=flat "Node.js 10 & 12 and io.js latest both supported")](http://nodejs.org/download/)
@@ -170,3 +170,4 @@ [![npm](https://img.shields.io/npm/v/hapi-auth-jwt2.svg)](https://www.npmjs.com/package/hapi-auth-jwt2)
 - `cookieKey` - (***optional***) if you prefer to pass your token via a cookie, simply set the cookie `token=your.jsonwebtoken.here` or use a custom key by setting `cookieKey`
-- `tokenType` - (**optinal**) allow custom token type, e.g. Authorization: \<tokenType> 12345678, default is none.
+- `tokenType` - (***optional***) allow custom token type, e.g. Authorization: \<tokenType> 12345678, default is none.
+- `complete` - (***optional*** *defaults to* `false`) set to `true` to receive the complete token (`decoded.header`, `decoded.payload` and `decoded.signature`) as `decoded` argument to key lookup and verifyFunc callbacks (but not validateFunc)
 
@@ -213,2 +214,16 @@ ### Understanding the Request Flow
 
+### Using Base64 encoded secret keys
+
+Some authentication services (like Auth0) provide secret keys encoded in base64, To find out if your authentication service is one of these services, please try and experiment with the base64 encoded secret options on the validator at http://jwt.io/
+
+If your key is base64 encoded, then for JWT2 to use it you need to convert it to a buffer.  Following is an example of how to do this.
+
+```js
+server.auth.strategy('jwt', 'jwt', true,
+{ key: Buffer('<Your Base64 encoded secret key>', 'base64'), // Never Share your secret key
+  validateFunc: validate,      // validate function defined above
+  verifyOptions: { algorithms: [ 'HS256' ] }  // only allow HS256 algorithm
+});
+```
+
 ### Authentication Modes
@@ -226,3 +241,3 @@
 
-- This option to look up a secret key was added to support "multi-tenant" environments. One use case would be companies that white label API services for their customers and cannot use a shared secret key.
+- This option to look up a secret key was added to support "multi-tenant" environments. One use case would be companies that white label API services for their customers and cannot use a shared secret key. If the key lookup function needs to use fields from the token header (e.g. [x5t header](http://self-issued.info/docs/draft-jones-json-web-token-01.html#ReservedHeaderParameterName), set option `completeToken` to `true`.
 
@@ -234,3 +249,3 @@ - The reason why you might want to pass back `extraInfo` in the callback is because you likely need to do a database call to get the key which also probably returns useful user data. This could save you another call in `validateFunc`.
 Several people requested the ability pass in JSNOWebTokens via request URL:
-https://github.com/dwyl/hapi-auth-jwt2/issues/19
+[dwyl/hapi-auth-jwt2/issues/**19**](https://github.com/dwyl/hapi-auth-jwt2/issues/19)
 
@@ -253,27 +268,40 @@ ### Usage
 
+> What if I want to *disable* the ability to pass JWTs in via the URL?
+(*asked by* @bitcloud in [issue #146](https://github.com/dwyl/hapi-auth-jwt2/pull/146))  
+> simply set your `urlKey` to something *impossible* to guess see:
+[*example*](https://github.com/dwyl/hapi-auth-jwt2/pull/146#issuecomment-205481751)
+
 ## Generating Your Secret Key
 
-@skota asked "_How to generate secret key_?" in: https://github.com/dwyl/hapi-auth-jwt2/issues/48
+@skota asked "***How to generate secret key***?" in: [dwyl/hapi-auth-jwt2/issues/**48**](https://github.com/dwyl/hapi-auth-jwt2/issues/48)
 
-There are _several_ options for generating secret keys.
-The _easist_ way is to simply copy paste a _**strong random string**_ of alpha-numeric characters from https://www.grc.com/passwords.htm
-(_if you want a longer key simply refresh the page and copy-paste multiple random strings_)
+There are _several_ options for generating secret keys.  
+The _easist_ way is to run node's crypto hash in your terminal:
+```js
+node -e "console.log(require('crypto').randomBytes(256).toString('base64'));
+```
+and copy the resulting base64 key and use it as your JWT secret.  
+If you are *curious* how strong that key is watch: https://youtu.be/koJQQWHI-ZA
 
-## Want to access the JWT token after validation?
 
+## Want to access the JWT token *after* validation?
+
 [@mcortesi](https://github.com/mcortesi) requested the ability to
-[access the JWT token](https://github.com/dwyl/hapi-auth-jwt2/issues/55) used for authentication.
+access the (*raw*) JWT token used for authentication.
+[dwyl/hapi-auth-jwt2/issues/**123**](https://github.com/dwyl/hapi-auth-jwt2/issues/123)
 
-We added support for that. You can access the extracted JWT token in your handler or any other function
+You can access the extracted JWT token in your handler or any other function
 within the request lifecycle with the `request.auth.token` property.
 
-Take in consideration, that this is the *encoded token*, and it's only useful if you want to use to make
+*Note* that this is the ***encoded token***,
+and it's only useful if you want to use to make
 request to other servers using the user's token.  
-For the *decoded* version of the token, access the `request.auth.credentials` object.
 
+The *decoded* version of the token, accessible via `request.auth.credentials`
+
 ## Want to send/store your JWT in a Cookie?
 
 [@benjaminlees](https://github.com/benjaminlees)
-requested the ability to send tokens as cookies:
-https://github.com/dwyl/hapi-auth-jwt2/issues/55  
+requested the ability to send/receive tokens as cookies:
+[dwyl/hapi-auth-jwt2/issues/**55**](https://github.com/dwyl/hapi-auth-jwt2/issues/55)  
 So we added the ability to *optionally* send/store your tokens in cookies
@@ -311,3 +339,3 @@ to simplify building your *web app*.
 For a *detailed* example please see:
-https://github.com/dwyl/hapi-auth-jwt2-cookie-example
+https://github.com/nelsonic/hapi-auth-jwt2-cookie-example
 
@@ -314,0 +342,0 @@ ### Background Reading

No alert changes

Improved metrics

Total package byte prevSize

92703

increased by3.44%

Number of package files

27

increased by3.85%

Lines of code

1741

increased by2.23%

Number of lines in readme file

526

increased by5.62%

Dependency changes

• Updatedjsonwebtoken@^5.7.0