Query string #2

Closed
xogeny opened this issue Feb 24, 2015 · 6 comments

Comments


xogeny commented Feb 24, 2015

Currently, only the Authorization header is checked. One could imagine that developers might want to configure this middleware to check the Authorization header and/or a query parameter (e.g., auth_code).

What do you think about making this configurable? I can submit the PR. I just want to know if you will accept such a PR.

Contributor

mgonto commented Feb 24, 2015

Hey,

I thought of that but didn't have time yet to implement it!

I'm up to making it configurable. Maybe 3 configurations like in angular-jwt:

- type: Header || Param. Defaults to Header
- fieldName: Authorization
- tokenType: Bearer

What do you think about it?

Thanks for offering to do a PR. We'll gladly accept it if you can do it.

Thanks again!

@jfromaniello
Member

I think a func req -> token, like in express-jwt, will be better.

Author

xogeny commented Feb 24, 2015

@jfromaniello Could you elaborate? It seems like what you want is essentially just a middleware interface. But we already have that (at least if you are coming from negroni or martini). The question is really what to do "in the middle". The current implementation simply validates the identity of the person making the request. That is actually all I want. What I want to make configurable is where that identity is extracted from (Authorization header, query string, ...)

express-jwt actually seems to be enforcing policies as well. I don't really want to go that far (since I have my own policy enforcement layer already).

I'll put together a PR and you guys can comment on it. I'll post here when the PR is submitted (should be this morning).

Author

xogeny commented Feb 24, 2015

@jfromaniello Ah! OK. Now I see your point. What you are saying is that the user could provide a function that extracts the token from the request. Got it! That's a good idea. I'll try and build on that.

This was referenced Feb 24, 2015
Contributor

mgonto commented Feb 24, 2015

@jfromaniello good idea.

Thanks @mtiller for the PR ;)


drawks commented May 3, 2016

Seems like this issue can be closed since #3 was merged?
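
The "function from request to token" idea discussed in this thread, sketched as an added example; it is not code from the issue, the PR, or the project. The names `TokenExtractor`, `FromAuthHeader`, `FromParameter` and `FromFirst` and the sample request are assumptions made for illustration. A malformed Authorization header is treated as an error instead of silently falling through to the query parameter.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)

// TokenExtractor (hypothetical name): "" with a nil error means "no token in this source".
type TokenExtractor func(r *http.Request) (string, error)

// FromAuthHeader reads "Authorization: Bearer <token>".
func FromAuthHeader(r *http.Request) (string, error) {
	h := r.Header.Get("Authorization")
	if h == "" {
		return "", nil
	}
	parts := strings.Fields(h)
	if len(parts) != 2 || !strings.EqualFold(parts[0], "Bearer") {
		return "", fmt.Errorf("authorization header format must be: Bearer <token>")
	}
	return parts[1], nil
}

// FromParameter reads the token from a query parameter such as auth_code.
func FromParameter(name string) TokenExtractor {
	return func(r *http.Request) (string, error) {
		return r.URL.Query().Get(name), nil
	}
}

// FromFirst tries each source in order and stops at the first token or the first error.
func FromFirst(extractors ...TokenExtractor) TokenExtractor {
	return func(r *http.Request) (string, error) {
		for _, ex := range extractors {
			tok, err := ex(r)
			if err != nil || tok != "" {
				return tok, err
			}
		}
		return "", nil
	}
}

func main() {
	r := httptest.NewRequest("GET", "/data?auth_code=abc.def.ghi", nil) // constructed request
	fmt.Println(FromFirst(FromAuthHeader, FromParameter("auth_code"))(r))
}
```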
