passport-jwt-site
A Passport strategy for authenticating with a JSON Web Token.

This module is a modified version of the original passport-jwt by Mike Nicholson, which lets you authenticate a Node.js web application's middleware endpoints using a JSON web token. Unlike the generic passport-jwt, this module also accepts the JSON web token from the HTTP request body or from a session Authorization variable.

If you want to quickly add secure token-based authentication to Node.js apps, feel free to check out Auth0's Node.js SDK and free plan at auth0.com/overview
npm install passport-jwt-site@1.0.0
Specifically, I've modified the JwtStrategy.prototype.authenticate(...) method so that it retrieves the JSON web token not only from the standard Authorization header, but also from the HTTP request body and from the session Authorization variable:
JwtStrategy.prototype.authenticate = function(req, options) {
    var self = this;
    var token = null;

    // 1. Retrieve the JSON web token from the HTTP request body
    //    (req.body only exists when a body parser is mounted)
    if (req.body && req.body["Authorization"] != null) {
        token = req.body["Authorization"];
    }
    // 2. Otherwise retrieve it from the session Authorization variable
    //    (req.session only exists when session middleware is mounted)
    else if (req.session && req.session["Authorization"] != null) {
        token = req.session["Authorization"];
    }

    if (token != null) {
        // Strip the "Bearer " scheme prefix, leaving the bare token string
        token = token.substr(token.indexOf(' ') + 1);
    }
    else {
        // 3. Fall back to the standard Authorization header extractor
        token = self._jwtFromRequest(req);
    }

    if (!token) {
        return self.fail(new Error("No auth token"));
    }

    // **** (remainder of the original passport-jwt verification logic)
};
When executed, the fragment above first tries to read the JSON web token from the HTTP request body and assigns it to the local variable token. If the request-body variable Authorization is null or undefined, it checks whether the token is present in the session Authorization variable instead and, if so, assigns that value to the same token variable. In both cases the "Bearer " prefix is then stripped, so that token holds the bare token string. Finally, if neither the request body nor the session variable contains a token, it falls back to the normal behaviour and retrieves the token from the Authorization header by calling token = self._jwtFromRequest(req).
With the re-engineered passport-jwt-site strategy you can therefore supply the JSON web token in either the HTTP request body or the session Authorization variable. Here's how.

With passport-jwt-site you can include the JSON web token in the body of an Ajax HTTP request:
$.get('/profile', {"Authorization": "Bearer " + token}, function(response) { ... });
$.post('/profile', {"Authorization": "Bearer " + token}, function(response) { ... });
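The lookup order described above (request body, then session, then Authorization header) as a stand-alone helper. This is an added example, not the package's own code: it checks that the value is a single string before calling string methods on it (a form body can deliver an array for Authorization, on which substr would throw), strips an optional Bearer prefix case-insensitively, rejects values that are not shaped like a three-part JWT, and reports which location the token came from. The function names, the request objects and the placeholder SAMPLE_JWT are constructed for this example.

```javascript
'use strict';

// Compact JWS shape: three base64url sections separated by dots (an unsecured token has an empty third part).
const JWT_RE = /^[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]*$/;

// Normalise one candidate value: it must be a single string, may carry a "Bearer" prefix
// (any case, any amount of whitespace), and must look like a JWT. Anything else is rejected,
// so a form body that yields an array for Authorization never reaches String.prototype methods.
function normalizeToken(value) {
  if (typeof value !== 'string') return null;
  const parts = value.trim().split(/\s+/);
  let token;
  if (parts.length === 1) token = parts[0];
  else if (parts.length === 2 && /^bearer$/i.test(parts[0])) token = parts[1];
  else return null;
  return JWT_RE.test(token) ? token : null;
}

// Same lookup order as the strategy: request body, then session, then Authorization header.
// Node lowercases header names, so the header is read as req.headers.authorization.
// Returns { token, source } or null; the source is worth recording in audit logs.
function extractToken(req) {
  const candidates = [
    ['body', req.body && req.body.Authorization],
    ['session', req.session && req.session.Authorization],
    ['header', req.headers && req.headers.authorization],
  ];
  for (const [source, raw] of candidates) {
    if (raw === undefined || raw === null) continue; // absent: try the next location
    const token = normalizeToken(raw);
    return token ? { token, source } : null;         // present but malformed: reject outright
  }
  return null;
}

// Constructed sample requests; SAMPLE_JWT is a placeholder with a fake signature, not a real token.
const SAMPLE_JWT = 'eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiIxMjMifQ.c2lnbmF0dXJl';
const samples = {
  body:    { body: { Authorization: 'Bearer ' + SAMPLE_JWT }, session: {}, headers: {} },
  session: { body: {}, session: { Authorization: SAMPLE_JWT }, headers: {} },
  header:  { headers: { authorization: 'bearer ' + SAMPLE_JWT } },  // no body parser, no session
  array:   { body: { Authorization: ['Bearer ' + SAMPLE_JWT] } },    // Authorization[]= from a form
  // A malformed body value wins over a valid session token, exactly as in the strategy above.
  junk:    { body: { Authorization: 'Bearer not a jwt' }, session: { Authorization: SAMPLE_JWT } },
};

for (const [name, req] of Object.entries(samples)) console.log(name, extractToken(req));
```

Note that jQuery's $.get sends its data object as URL query parameters rather than in the request body, so a token passed that way would not be seen by the body lookup and would end up in server logs and browser history; $.post places it in the body as intended.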
You can also store the JSON web token in the session Authorization variable:

router.post('/login', function(req, res, next) {
    auth.passport.authenticate('jwt', {session: false},
        function(err, user, info) {
            if (err) { return next(err); }
            req.logIn(user, function(err) {
                if (err) { return next(err); }
                if (user != false) {
                    // Store the JWT in the session Authorization variable
                    req.session.Authorization = req.body["Authorization"];
                }
                return res.status(200).send(user);
            });
        })(req, res, next);
});
This is typically done so that authenticated web-page redirects can be performed, such as:

$.post('/login', {"Authorization": "Bearer " + token},
    (response) => {
        // Redirect to the user's profile web page
        $(location).attr('href', '/profile');
    });

Create an authenticated middleware that renders the user's profile web page:

router.get('/profile', passport.authenticate('jwt', {session: false}),
    function(req, res, next) {
        res.statusCode = 200;
        res.render('profile');
    });
See the Migration Guide for help upgrading to the latest major version of passport-jwt.

To run the tests:

npm install
npm test
To generate test-coverage reports:
npm install -g istanbul
npm run-script testcov
istanbul report
The MIT License
Copyright (c) 2019 by Arthur V. Ratz
FAQs
Passport web application authentication strategy using JSON Web Tokens
We found that passport-jwt-site demonstrated an unhealthy version release cadence and low project activity because the last version was released a year ago. It has 1 open source maintainer collaborating on the project.