New Case Study:See how Anthropic automated 95% of dependency reviews with Socket.Learn More →
hapi-auth-jwt2
Advanced tools
hapi-auth-jwt2 - npm Package Compare versions
Comparing version 7.1.0 to 7.1.1
@@ -51,8 +51,10 @@ var Boom = require('boom'); // error handling https://github.com/hapijs/boom | ||
| var tokenType = options.tokenType || 'Token'; // | ||
| if (!token) { | ||
| return reply(raiseError('unauthorized', null, 'Token')); | ||
| return reply(raiseError('unauthorized', null, tokenType)); | ||
| } | ||
| if (!extract.isValid(token)) { // quick check for validity of token format | ||
| return reply(raiseError('unauthorized', 'Invalid token format', 'Token')); | ||
| return reply(raiseError('unauthorized', 'Invalid token format', tokenType)); | ||
| } // verification is done later, but we want to avoid decoding if malformed | ||
@@ -66,3 +68,3 @@ request.auth.token = token; // keep encoded JWT available in the request lifecycle | ||
| catch(e) { // request should still FAIL if the token does not decode. | ||
| return reply(raiseError('unauthorized', 'Invalid token format', 'Token')); | ||
| return reply(raiseError('unauthorized', 'Invalid token format', tokenType)); | ||
| } | ||
@@ -84,3 +86,3 @@ | ||
| if (err) { | ||
| return reply(raiseError('unauthorized', 'Invalid token', 'Token'), null, { credentials: null }); | ||
| return reply(raiseError('unauthorized', 'Invalid token', tokenType), null, { credentials: null }); | ||
| } | ||
@@ -93,3 +95,3 @@ else { // see: http://hapijs.com/tutorials/auth for validateFunc signature | ||
| else if (!valid) { | ||
| return reply(raiseError('unauthorized', 'Invalid credentials', 'Token'), null, { credentials: credentials || decoded }); | ||
| return reply(raiseError('unauthorized', 'Invalid credentials', tokenType), null, { credentials: credentials || decoded }); | ||
| } | ||
@@ -110,3 +112,3 @@ else { | ||
| else if (!valid) { | ||
| return reply(raiseError('unauthorized', 'Invalid credentials', 'Token'), null, { credentials: decoded }); | ||
| return reply(raiseError('unauthorized', 'Invalid credentials', tokenType), null, { credentials: decoded }); | ||
| } else { | ||
@@ -113,0 +115,0 @@ return reply.continue({ credentials: credentials, artifacts: token }); |
| { | ||
| "name": "hapi-auth-jwt2", | ||
| "version": "7.1.0", | ||
| "version": "7.1.1", | ||
| "description": "Hapi.js Authentication Plugin/Scheme using JSON Web Tokens (JWT)", | ||
@@ -42,14 +42,14 @@ "main": "lib/index.js", | ||
| "dependencies": { | ||
| "boom": "^3.1.3", | ||
| "boom": "^3.2.2", | ||
| "cookie": "^0.3.1", | ||
| "jsonwebtoken": "^7.0.0" | ||
| "jsonwebtoken": "^7.1.9" | ||
| }, | ||
| "devDependencies": { | ||
| "aguid": "^1.0.4", | ||
| "hapi": "^13.4.1", | ||
| "istanbul": "^0.4.3", | ||
| "jshint": "^2.9.2", | ||
| "hapi": "^14.2.0", | ||
| "istanbul": "^0.4.5", | ||
| "jshint": "^2.9.3", | ||
| "pre-commit": "^1.1.3", | ||
| "tap-spec": "^4.1.1", | ||
| "tape": "^4.5.1" | ||
| "tape": "^4.6.0" | ||
| }, | ||
@@ -60,5 +60,5 @@ "engines": { | ||
| "scripts": { | ||
| "quick": "./node_modules/tape/bin/tape ./test/*.js | node_modules/tap-spec/bin/cmd.js", | ||
| "test": "istanbul cover ./node_modules/tape/bin/tape ./test/*.js | node_modules/tap-spec/bin/cmd.js", | ||
| "coverage": "istanbul cover ./node_modules/tape/bin/tape ./test/*.js && istanbul check-coverage --statements 100 --functions 100 --lines 100 --branches 100", | ||
| "quick": "./node_modules/tape/bin/tape ./test/*.test.js | node_modules/tap-spec/bin/cmd.js", | ||
| "test": "istanbul cover ./node_modules/tape/bin/tape ./test/*.test.js | node_modules/tap-spec/bin/cmd.js", | ||
| "coverage": "istanbul cover ./node_modules/tape/bin/tape ./test/*.test.js && istanbul check-coverage --statements 100 --functions 100 --lines 100 --branches 100", | ||
| "jshint": "./node_modules/jshint/bin/jshint -c .jshintrc --exclude-path .gitignore .", | ||
@@ -65,0 +65,0 @@ "start": "node example/server.js", |
105
README.md
@@ -11,10 +11,7 @@ # Hapi Auth using JSON Web Tokens (JWT) | ||
| [](https://codeclimate.com/github/dwyl/hapi-auth-jwt2) | ||
| [](http://hapijs.com) | ||
| [](http://hapijs.com) | ||
| [](http://nodejs.org/download/) | ||
| [](https://www.npmjs.com/package/hapi-auth-jwt2) | ||
| [](https://david-dm.org/dwyl/hapi-auth-jwt2) | ||
| [](https://david-dm.org/dwyl/hapi-auth-jwt2#info=devDependencies) | ||
| [](https://www.bithound.io/github/dwyl/hapi-auth-jwt2) | ||
| [](https://gitter.im/dwyl/chat/?utm_source=badge&utm_medium=badge&utm_campaign=pr-badge&utm_content=badge) | ||
| [](https://david-dm.org/dwyl/hapi-auth-jwt2?type=dev) | ||
| [](https://www.npmjs.com/package/hapi-auth-jwt2) | ||
@@ -205,3 +202,11 @@ This node.js module (Hapi plugin) lets you use JSON Web Tokens (JWTs) | ||
| ### Useful Features | ||
| + The *encoded* JWT (token) is extracted from the headers of the request and | ||
| made available on the `request` object as `request.auth.token`, | ||
| in case you need it later on in the request lifecycle. | ||
| This feature was requested by @mcortesi in | ||
| [hapi-auth-jwt2/issues/123](https://github.com/dwyl/hapi-auth-jwt2/issues/123) | ||
| ### Understanding the Request Flow | ||
@@ -368,3 +373,3 @@ | ||
| ### Background Reading | ||
| #### Background Reading (*Cookies*) | ||
@@ -379,7 +384,9 @@ + Wikipedia has a good intro (general): https://en.wikipedia.org/wiki/HTTP_cookie | ||
| ## Frequently Asked Questions (FAQ) | ||
| ## Frequently Asked Questions (FAQ) [](https://gitter.im/dwyl/chat/?utm_source=badge&utm_medium=badge&utm_campaign=pr-badge&utm_content=badge) | ||
| 1. Do I need to include **jsonwebtoken** in my project? asked in [hapi-auth-jwt2/issues/32](https://github.com/dwyl/hapi-auth-jwt2/issues/32) | ||
| ### Do I *need* to include `jsonwebtoken` in my project? | ||
| **Q**: Must I include the **jsonwebtoken** package in my project | ||
| [given that **hapi-auth-jwt2** plugin already includes it] ? | ||
| [given that **hapi-auth-jwt2** plugin already includes it] ? asked in [hapi-auth-jwt2/issues/32](https://github.com/dwyl/hapi-auth-jwt2/issues/32) | ||
| **A**: Yes, you need to *manually* install the **jsonwebtoken** | ||
@@ -393,3 +400,5 @@ node module from NPM with `npm install jsonwebtoken --save` if you want to ***sign*** JWTs in your app. | ||
| 2. Can we supply a ***Custom Verification*** function instead of using the **JWT.verify** method? | ||
| ### ***Custom Verification*** ? | ||
| Can we supply a ***Custom Verification*** function instead of using the **JWT.verify** method? | ||
| asked by *both* [Marcus Stong](https://github.com/stongo) & [Kevin Stewart](https://github.com/kdstew) | ||
@@ -401,3 +410,70 @@ in [issue #120](https://github.com/dwyl/hapi-auth-jwt2/issues/120) and [issue #130](https://github.com/dwyl/hapi-auth-jwt2/issues/130) respectively. | ||
| <br /> | ||
| ### Can I use `hapi-auth-jwt2` with [`glue`](https://github.com/hapijs/glue) | ||
| Several people asked us if this plugin is compatible with | ||
| Hapi's "Server Composer" [`glue`](https://github.com/hapijs/glue) | ||
| The answer is ***Yes***! For an example of how to do this, | ||
| see [@avanslaars](https://github.com/avanslaars) code example: | ||
| https://github.com/dwyl/hapi-auth-jwt2/issues/151#issuecomment-218321212 | ||
| <br /> | ||
| ### How do I *invalidate* an *existing token*? | ||
| Asked by [@SanderElias](https://github.com/SanderElias) in [hapi-auth-jwt2/issues/126](https://github.com/dwyl/hapi-auth-jwt2/issues/126) | ||
| We store our JWT-based sessions in a Redis datastore and lookup the session (`jti`) for the given JWT during the `validateFunc` (*validation function*) see: https://github.com/dwyl/hapi-auth-jwt2-example/blob/791b0d3906d4deb256daf23fcf8f5021905abe9e/index.js#L25 | ||
| This means we can invalidate the session in Redis and then reject a request that uses an "old" or invalid JWT. see: https://github.com/dwyl/hapi-auth-jwt2-example/blob/791b0d3906d4deb256daf23fcf8f5021905abe9e/index.js#L25 | ||
| <br /> | ||
| ### How do I set JWT Auth to *All Routes*? | ||
| [@abeninskibede](https://github.com/abeninskibede) asked how to set all routes to use JWT Auth in [hapi-auth-jwt2/issues/149](https://github.com/dwyl/hapi-auth-jwt2/issues/149) | ||
| We tend to enable `hapi-auth-jwt2` for _all_ routes by setting the `mode` parameter to `true` (so its `required` for all endpoints) because _most_ of the endpoints in our app require the person/user to be authenticated e.g: | ||
| ```js | ||
| // setting the 3rd argument to true means 'mode' is 'required' see: http://hapijs.com/tutorials/auth#mode | ||
| server.auth.strategy('jwt', 'jwt', true, { // so JWT auth is required for all routes | ||
| key: process.env.JWT_SECRET, | ||
| validateFunc: require('./jwt2_validate_func'), | ||
| verifyOptions: { ignoreExpiration: true, algorithms: [ 'HS256' ] } | ||
| }); | ||
| ``` | ||
| > _Detailed Practical Example_: https://github.com/dwyl/hapi-login-example-postgres/blob/245a44f0e88226d99a3ad2e3dc38cc0d1750a241/lib/server.js#L33 | ||
| When you want a particular route to ***not require*** JWT auth you simply set `config: { auth: false }` e.g: | ||
| ```js | ||
| server.route({ | ||
| method: 'GET', | ||
| path: '/login', | ||
| handler: login_handler, // display login/registration form/page | ||
| config: { auth: false } // don't require people to be logged in to see the login page! (duh!) | ||
| }); | ||
| ``` | ||
| The best place to _understand_ everything about Hapi Auth is in the docs: http://hapijs.com/tutorials/auth#setting-a-default-strategy | ||
| But if you have any questions which are not answered there, feel free to [ask!](https://github.com/dwyl/hapi-auth-jwt2/issues) | ||
| <br /> | ||
| ### How to _redirect_ if a token has expired? | ||
| @traducer & @goncalvesr2 both requested how to redirect after failed Auth in | ||
| [hapi-auth-jwt2/issues/161](https://github.com/dwyl/hapi-auth-jwt2/issues/161) | ||
| and [hapi-auth-jwt2/issues/148](https://github.com/dwyl/hapi-auth-jwt2/issues/148) respectively | ||
| The [`hapi-error`](https://github.com/dwyl/hapi-error) lets | ||
| you _easily_ redirect to any url you define if the Auth check fails | ||
| (i.e. `statusCode 401`) | ||
| see: https://github.com/dwyl/hapi-error#redirecting-to-another-endpoint | ||
| (*code examples there.*) | ||
| <br /> | ||
| ## *Advanced/Alternative* Usage => Bring Your Own `verifyFunc` | ||
@@ -439,7 +515,4 @@ | ||
| `hapi-auth-jwt2` is compatible with Hapi.js versions `11.x.x` `10.x.x` `9.x.x` and `8.x.x` as there was no change to how the Hapi plugin system works | ||
| for the past two versions. | ||
| See the release notes for more details: | ||
| + Hapi Version 10: https://github.com/hapijs/hapi/issues/2764 | ||
| + Hapi Version 9: https://github.com/hapijs/hapi/issues/2682 | ||
| `hapi-auth-jwt2` is compatible with Hapi.js versions `14.x.x` `13.x.x` `12.x.x` `11.x.x` `10.x.x` `9.x.x` and `8.x.x` | ||
| as there have been ***no changes*** to how the Hapi plugin system works for a while! | ||
@@ -446,0 +519,0 @@ However in the interest of |
New alerts
Major refactor
Supply chain riskPackage has recently undergone a major refactor. It may be unstable or indicate significant internal changes. Use caution when updating to versions that include significant changes.
Found 1 instance in 1 package
Improved metrics
- Total package byte prevSize
- increased by3.2%
110433
- Lines of code
- increased by0.05%
2046
- Number of lines in readme file
- increased by12.99%
635
Worsened metrics
- Number of medium supply chain risk alerts
- increased byInfinity%
1
Dependency changes
Updatedboom@^3.2.2
Updatedjsonwebtoken@^7.1.9