sails-hook-jsonwebtoken
A Sails hook for easily using JSON Web Tokens. It wraps the popular jsonwebtoken library.
npm install sails-hook-jsonwebtoken --save
Create the config file config/jsonWebToken.js and update the defaults to suit your needs:
module.exports.jsonWebToken = {
  token_secret: 'i-am-a-secret-token',   // replace with a long random value; load it from the environment rather than committing it
  options: { expiresIn: '2h' },          // see below this section for more on `options`
  default_account_status: true,
  afterSignup: function (user) {
    console.log("User account created")
  },
  afterSignin: function (user) {
    console.log("successful login")
  },
  authType: "email"                      // either email or username
}
The keys:
token_secret: the secret used to sign and verify tokens. Anyone who holds it can mint a token for any user, so do not ship the default shown above.
options: the options object passed to jsonwebtoken when a token is issued; the example sets expiresIn so tokens expire after two hours.
default_account_status: the initial status of a newly created account (it is returned as the active field of the user object). A common pattern is to start at false and change it to true once your own activation step is done. How you treat a user account based on this value is up to you.
authType: email or username, depending on your application's needs.
afterSignup: called after signup; the newly created user account is passed to this function.
afterSignin: called after a successful login; the user's information is passed to the function.

There are 3 policies that can be applied to secure your routes: JwtPolicy, UserIsAdminPolicy and UserIsUserPolicy.
JwtPolicy - checks that the incoming request carries the right authorization, that the user exists and that the token passed is still valid.
UserIsAdminPolicy - does exactly what JwtPolicy does, but also checks that the accountType is admin.
UserIsUserPolicy - does exactly what JwtPolicy does, but also checks that the accountType is user.
In a real-life scenario, a user model's accountType might be admin, user, customer or any other account type that fits your needs. To add a policy for another type, copy the content of UserIsUserPolicy into a new file, e.g. policies/userIsCustomerPolicy.js, and change the value of ACCOUNT_TYPE to match, e.g. ACCOUNT_TYPE = "customer". Then go to config/policies.js and apply the policy you need to secure your routes.
See the Sails documentation on policies to learn more.
// example of how your file might look
module.exports.policies = {
  '*': 'UserIsUserPolicy',          // secure all routes with UserIsUserPolicy
  'JwtController': {
    '*': true                       // leave open to allow signup and authentication
  },
  'AdminController': {
    '*': 'UserIsAdminPolicy'        // secure this controller with UserIsAdminPolicy
  },
  'ProfileController': {
    'destroy': 'UserIsAdminPolicy'  // only an admin can delete a profile
  }
}
Signup
The signup parameters depend on the value of authType in config/jsonWebToken.js, which can be either email or username.
If email, send a POST request to POST /jwt/signup containing the following parameters:
{
  email: '',
  password: '',     // minimum length 4
  accountType: ''   // if absent, defaults to *user*
}
If username, send a POST request to POST /jwt/signup containing the following parameters:
{
  username: '',
  password: '',     // minimum length 4
  accountType: ''   // if absent, defaults to *user*
}
Returns an object if successful. NOTE: email or username is part of the returned object depending on your authType.
{
  user: { id: '', email: '', username: '', accountType: '', token: '', active: true },  // the user object
  token: ''   // deprecated, will be removed soon
}
Caveat: accountType is taken from the request body, so when JwtController is left open (as in the policies example above) any client can register with accountType set to admin and that account would satisfy UserIsAdminPolicy's accountType check. Reject or overwrite accountType on self-service signup, or create privileged accounts only from trusted server-side code via JwtService.createUser(body).
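Because signup honours an accountType supplied by the client, an open JwtController lets a caller choose its own privilege level. The following is an added example, not part of sails-hook-jsonwebtoken: a Sails-style policy meant to sit in front of the signup action that only allows the self-service type and pins it explicitly, and that also raises the documented minimum password length of 4 to something defensible. The names restrictSignupFields, SELF_SERVICE_TYPES and MIN_PASSWORD_LENGTH, the value 12, and the assumption that the signup action is called signup are this example's own.

```javascript
// Added example guarding sails-hook-jsonwebtoken's signup; not the hook's own code.
const SELF_SERVICE_TYPES = new Set(['user']);   // the only accountType a client may claim for itself
const MIN_PASSWORD_LENGTH = 12;                 // stricter than the hook's documented minimum of 4

// Sails-shaped policy (req, res, next). Reject a request that tries to claim a privileged
// accountType, reject weak passwords, then pin accountType so the hook's own default cannot
// be widened later without this policy noticing.
function restrictSignupFields(req, res, next) {
  const body = req.body || {};
  if (body.accountType !== undefined && !SELF_SERVICE_TYPES.has(body.accountType)) {
    return res.badRequest({ error: 'accountType may not be chosen at self-service signup' });
  }
  if (typeof body.password !== 'string' || body.password.length < MIN_PASSWORD_LENGTH) {
    return res.badRequest({ error: `password must be at least ${MIN_PASSWORD_LENGTH} characters` });
  }
  body.accountType = 'user';
  req.body = body;
  return next();
}

// Harness for a stand-alone run: push a constructed request body through the policy and
// report whether it was rejected (HTTP 400) or passed on, and with which accountType.
function checkSignup(body) {
  const out = { status: null };
  const req = { body };
  const res = { badRequest: (payload) => { out.status = 400; out.error = payload.error; return out; } };
  restrictSignupFields(req, res, () => { out.status = 'next'; out.accountType = req.body.accountType; });
  return out;
}

console.log(checkSignup({ email: 'eve@example.com', password: 'correct-horse-battery', accountType: 'admin' }).status); // 400
console.log(checkSignup({ email: 'bob@example.com', password: 'correct-horse-battery' }).accountType);                // user
```

Wire it in config/policies.js alongside the existing entry, for example 'JwtController': { '*': true, 'signup': 'restrictSignupFields' }, assuming the action name is signup (Sails applies the action-specific mapping over the controller-wide '*'). Admin accounts are then created only from server-side code, e.g. a bootstrap script calling JwtService.createUser(body).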
Authentication
Send a POST request to POST /jwt/auth containing the following parameters.
If email:
{
  email: '',
  password: '',     // minimum length 4
}
If username:
{
  username: '',
  password: '',     // minimum length 4
}
Returns an object if successful. NOTE: email or username is part of the returned object depending on your authType.
{
  user: { id: '', email: '', username: '', accountType: '', token: '', active: true },  // the user object
  token: ''   // deprecated, will be removed soon
}
When accessing a route secured by a policy, add the token either in the Authorization header or as a request parameter. In the samples below the token is QWxhZGRpbjpPcGVuU2VzYW1l (a placeholder; a real JWT consists of three dot-separated base64url segments):
Authorization: Bearer QWxhZGRpbjpPcGVuU2VzYW1l
or as the parameter token in the request:
http://example.com?token=QWxhZGRpbjpPcGVuU2VzYW1l
Prefer the header. A token in the query string is written to web-server and proxy access logs and browser history, and is forwarded in Referer headers, so it leaks far more easily than one in the Authorization header.
JwtService methods:
JwtService.issueToken(payload, user) - returns a promise resolving to a token for the user passed to it. payload is the content to be put into the token and user is the model object of the user you want to generate a token for.
JwtService.verifyToken(token) - returns a promise resolving to the decoded token if it is still valid. token is the token you want to verify.
JwtService.createUser(body) - returns a promise resolving to the newly created user object. body is the same object sent during signup above.
JwtService.getPasswordResetToken(email) - returns a promise resolving to a token that can be used to reset the password for the email passed to the function.
JwtService.resetPassword(newpassword, token) - returns a promise resolving to a message when the password has been changed successfully. newpassword is the new password for the account and token is the token generated for the email; see JwtService.getPasswordResetToken(email) to obtain one.
See the releases page for the different versions.
MIT License
The npm package sails-hook-jsonwebtoken receives a total of 14 weekly downloads, so its popularity is classified as not popular.
Its release cadence and project activity are classified as unhealthy: the last version was released a year ago, and the project has one open-source maintainer.