aghae/ejwt
Express JWT Enhanced

Features

  • It can be used as an authenticator and as a session data store
  • It can be used stateless or stateful (with Redis for horizontal scaling)
  • With CSRF and captcha protection

Install

    npm install --force express-jwt-enhanced

Usage

    const express = require('express')
    const cookieparser = require('cookie-parser') // necessary for web apps (by default the token is stored in a cookie on the client side); mobile apps can take the token from the JSON result instead
    const app = express()

    const options = {
        expire: 3600,           // token lifetime in seconds
        secret: `$eCr3T`,       // important!!!! : change it
        sec_cookie: false,      // if true the cookie is only sent over https: set it to true in production, not in development

        use_redis: false,       // use redis or not
        redis_host: 'localhost',
        redis_port: 6379,
        redis_pass: '',
    }
    const ejwt = require('express-jwt-enhanced')(options);

    app.use(cookieparser())                          // necessary for parsing the token cookie
       .use(express.json())                          // necessary for parsing application/json
       .use(express.urlencoded({ extended: false })) // necessary for parsing application/x-www-form-urlencoded
       .use(function(req, res, next){ ejwt.req = req; ejwt.res = res; next() })    // necessary: gives ejwt the current request and response

Examples

Login:

    app.get('/login', async (req, res) => {

      await ejwt.set({
          loggedin: true,
          user: {
             user: 'aghae',
             rol: 'admin'
          }
      })

      res.json({ succ: 'logged in successfully',
                  // `token` and `csrf_token` below are required by mobile app clients; web apps don't need them because the cookie carries the token
                  token: ejwt.token,
                  csrf_token: ejwt.data.csrf_token
      })

      /*
        For a `web app` everything is done at this point.
        For a `mobile app` you must post `token` and `csrf_token` with each request
      */
    })

Logout:

    app.get('/logout', async (req, res) => {
        await ejwt.unset()
        res.send('logged out.')
    });

Auth Middleware:

    // auth middleware: only lets the request through when the session payload says loggedin
    async function auth(req, res, next) {
        const ret = await ejwt.get()
        ret && ret.loggedin ? next() : res.status(401).json({ err: 'auth failed' })
    }

    // using the auth middleware
    app.get('/is_authed', auth, async (req, res) => {
        res.send('Authed. ;)')
    });

CSRF Generate:

    app.get('/csrfgen', async (req, res) => {

        res.json(await ejwt.csrfgen())

        /* in the real world:

          await ejwt.csrfgen()
          res.render('your-form.html')

        */
    });

CSRF Check:

    app.get('/csrfchk', async (req, res) => {

        res.json(await ejwt.csrfchk())

        /* in the real world:

          const csrf_chk = await ejwt.csrfchk()
          if (csrf_chk.err)
              res.send('csrf token error')
          else
              do something....

        */
    });

Captcha:

    app.get('/captcha', async function(req, res) {
        res.type('svg').send(await ejwt.captcha_gen())
    });

    app.get('/captcha-form', async function(req, res) {
        res.type('html').send(`
              <form method='POST' action='/captcha_chk' >
                <img src="/captcha" ><br>
                <input name='captcha' placeholder='Enter above text :'>
              </form>
        `)
    });


    app.post('/captcha_chk', async function(req, res) { // this must be a POST route
        res.send(await ejwt.captcha_chk())
    });

API's

  • await set(payload, expire=3600): set the payload JSON data

  • await get(): get the payload JSON data

  • await unset(): unset the payload JSON data

  • await getkey(key): get the specified payload key

  • await setkey(key, val, expire=null): set a payload key. Nested keys like user.profile are accepted too

      example:

        await set({user:{}})
        await setkey('user.profile',{name:'a.',fam:'aghae',favs:['fav1','fav2']})

      result:
        {
          user:{
            profile:{
              name:'a.',
              fam:'aghae',
              favs:['fav1','fav2']
            }
          }
        }

  • await unsetkey(key): unset the specified payload key

  • await csrfgen(): use it on the route that renders your form. See the CSRF example above

  • await csrfchk(): for a mobile app you must post csrf_token to the route that uses this method

  • await captcha_gen(expire=0, captcha_name='captcha'): for a mobile app you must send the captcha_name input (by default captcha) as posted data to the route that will call captcha_chk

  • await captcha_chk(captcha_name='captcha'): checks the posted captcha_name input (by default captcha)

  • data: property holding the decoded full payload

  • token: property holding the generated token


That's it. good luck ;)