Use Google's JWTs to authenticate calls to your backend API.
Google implements the standard OpenID Connect, after the authorization flow with response_type=id_token you will get a JWT in the client side of your application. You can use this JWT to authenticate calls to your api.
This middleware validate three things expiration, audience and signature.
The signature is validated with the certs from https://www.googleapis.com/oauth2/v1/certs as stated in Google Docs Validating an ID Token. These certs are downloaded when your application starts and every 24hs.
If you want to validate JWT's from other sources (not google) use express-jwt.
$ npm i connect-google-jwt
In an express.js application:
var googleJWT = require('connect-google-jwt');
app.configure(function () {
//middlewares
this.use('/api', googleJWT({
client_id: 'your client id'
}))
});
app.get('/api/messages', function (req, res) {
req.user // you have the decoded JWT here
});If you have found a bug or if you have a feature request, please report them at this repository issues section. Please do not report security vulnerabilities on the public GitHub issue tracker. The Responsible Disclosure Program details the procedure for disclosing security issues.
This project is licensed under the MIT license. See the LICENSE file for more info.