JWT-based API for user registration and authorization
JSON Web Token authorization API

Based on Sails.js (v0.12)

An example implementation of a JWT-based API for user registration and authorization.

It supports:

  1. User registration;
  2. User login;
  3. Getting account info;
  4. Token generation and validation;
  5. Password reset (with a reset token);
  6. Password change (with JWT credentials);
  7. Account locking.

Things to do:

  1. Optional email notifications (based on environment);
  2. Keep reset token encrypted and with a validity date;
  3. Unlock after some freeze period;
  4. Registration confirmation (with a confirm token).

Russian description

Start

npm run start

or, if you have Sails globally:

sails lift

For security reasons, please change JWT_SECRET in api/config/env/development.js.

Passing a JWT

Token-free endpoints:

/user/create
/user/login
/user/forgot
/user/reset_password

Token-required endpoints:

/user
/user/change_password 

To pass a JWT, use the Authorization header:

Authorization: Bearer <JWT>

API methods description

For several reasons I do not use REST. Shortcuts are also disabled by default (see api/config/blueprints.js).

POST /user/create

Creates a new user. Password requirements: 6-24 characters long, using letters and digits.

request

{
  "email": "email@example.com",
  "password": "abc123",
  "password_confirm": "abc123"
}

response

{
  "token": "<JWT>"
}

POST /user/login

request

{
  "email": "email@example.com",
  "password": "abc123"
}

response

{
  "token": "<JWT>"
}

N.B. The account will be locked after 5 failed login attempts within 2 minutes (configurable in api/services/UserManager.js).

GET /user

Returns basic info about the current account. Requires authorization.

request

No params required.

response

{
  "id": 1,
  "email": "email@example.com"
}

POST /user/change_password

Changes the user's password. Requires authorization.

request

{
  "email": "email@example.com",
  "password": "abc123", 
  "new_password": "xyz321",
  "new_password_confirm": "xyz321"
}

response

{
  "token": "<JWT>"
}

N.B. All previously issued tokens become invalid after the password is changed.

POST /user/forgot

Initiates the password recovery procedure.

request

{
  "email": "email@example.com"
}

response

{
  "message": "Check your email"
}

POST /user/reset_password

Resets the password to a new one using a reset token. The reset token is sent to the user after /user/forgot.

request

{
  "email": "email@example.com",
  "reset_token": "<Password Reset Token>",
  "new_password": "xyz321",
  "new_password_confirm": "xyz321"
}

response

{
  "message": "Done"
}

HTTP codes

All endpoints use HTTP status codes to report the execution result:

  • 200 ok, request executed successfully;
  • 201 created, new user created successfully;
  • 400 bad request, usually means wrong params;
  • 403 forbidden, for locked accounts;
  • 500 server error, something went wrong.

Tests

The project uses Travis-CI and Coveralls integration and has some tests. Run them via:

npm run test

Inspired by

This project is based on this repo: https://github.com/swelham/sails-jwt-example (unlicensed).
I refactored and improved it for myself.

License

It is MIT.