npm - @dwtechs/toker-express - Versions diffs - 0.2.1 → 0.4.0 - Mend

@dwtechs/toker-express 0.2.1 → 0.4.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (4) hide show

package/README.md CHANGED Viewed

@@ -123,26 +123,38 @@ const refreshDuration = isNumber(REFRESH_TOKEN_DURATION, false) ? REFRESH_TOKEN_
 ```typescript
 /**
- * Refreshes the JWT tokens for a user.
+ * Express middleware to generate new access and refresh JWT tokens for a user.
  *
- * This function generates new access and refresh tokens for a consumer based on the provided
- * decoded access token from req.decodedAccessToken or user ID from req.body.rows[0].id. It validates the issuer (iss) and
- * creates new tokens if the validation is successful. The new tokens are then added to the
- * response locals object and optionally to req.body.rows[0] if rows is an array with at least one element.
+ * This middleware creates new access and refresh tokens based on:
+ * 1. The issuer (iss) from `res.locals.decodedAccessToken.iss` if available, OR
+ * 2. The user ID from `res.locals.id` if no decoded token is present
  *
- * @param {Request} req - The request object containing req.decodedAccessToken or req.body.rows[0].id.
- * @param {Response} res - The response object where the new tokens will be added in res.locals.
- * @param {NextFunction} next - The next middleware function in the Express.js request-response cycle.
+ * The generated tokens are stored in:
+ * - `res.locals.accessToken` and `res.locals.refreshToken`
+ * - `req.body.rows[0].accessToken` and `req.body.rows[0].refreshToken` (if rows array exists)
  *
- * @returns {void} Calls the next middleware function with an error if the issuer is invalid,
- *          otherwise proceeds to the next middleware function.
- *
- * @throws {InvalidIssuerError} If the issuer (iss) is not a string or number (HTTP 400)
- * @throws {InvalidSecretsError} If the secrets array is empty or invalid (HTTP 500)
- * @throws {InvalidDurationError} If the duration is not a positive number (HTTP 400)
- * @throws {InvalidBase64Secret} If the secret cannot be decoded from base64 (HTTP 500)
- * @throws {Object} Will call next() with error object containing:
- *   - statusCode: 400 - When iss (issuer) is missing or invalid
+ * @param {Request} req - The Express request object. May contain:
+ *   - `req.body.rows`: Optional array where tokens will be added to first element
+ * @param {Response} res - The Express response object. Should contain:
+ *   - `res.locals.decodedAccessToken.iss`: User ID from decoded access token (checked first), OR
+ *   - `res.locals.id`: User ID (used if decodedAccessToken is not available)
+ *   Tokens will be added to `res.locals.accessToken` and `res.locals.refreshToken`
+ * @param {NextFunction} next - Express next middleware function
+ *
+ * @returns {void}
+ *
+ * @throws Will call next() with error object containing:
+ *   - statusCode: 400 - When issuer (iss) is missing or invalid (not a number between 1-999999999)
+ *   - statusCode: 500 - When token signing fails (invalid secrets, duration, or base64 secret)
+ *
+ * @example
+ * // After successful authentication, call refresh to generate tokens
+ * app.post('/login', authenticate, refresh, (req, res) => {
+ *   res.json({
+ *     accessToken: res.locals.accessToken,
+ *     refreshToken: res.locals.refreshToken
+ *   });
+ * });
  */
 function refresh(req: Request, res: Response, next: NextFunction): void {}
@@ -150,15 +162,17 @@ function refresh(req: Request, res: Response, next: NextFunction): void {}
  * Express middleware function to decode and verify an access token from the Authorization header.
  *
  * This middleware extracts the JWT access token from the Authorization header, validates its format,
- * verifies its signature, and attaches the decoded token to req.decodedAccessToken for use by subsequent
- * middleware. It only processes requests that have `req.isProtected` set to true.
+ * verifies its signature, and attaches the decoded token to res.locals.decodedAccessToken for use by subsequent
+ * middleware. It only processes requests that have `res.locals.isProtected` set to true.
  *
  * @param {Request} req - The Express request object containing the Authorization header
- * @param {Response} _res - The Express response object (not used in this function)
+ * @param {Response} res - The Express response object. Should contain:
+ *   - `res.locals.isProtected`: Boolean flag to determine if route requires JWT protection
+ *   Decoded token will be added to `res.locals.decodedAccessToken`
  * @param {NextFunction} next - The next middleware function to be called
  *
- * @returns {void} Calls the next middleware function, either with an error or successfully
- *
+ * @returns {void} Calls the next middleware function with an error object if the token is invalid or iss is missing.
+ *
  * @throws {MissingAuthorizationError} If the Authorization header is missing (HTTP 401)
  * @throws {InvalidBearerFormatError} If the Authorization header format is invalid (HTTP 401)
  * @throws {InvalidTokenError} If the token is malformed or has invalid structure (HTTP 401)
@@ -177,12 +191,12 @@ function decodeAccess(req: Request, _res: Response, next: NextFunction): void {}
 /**
  * Middleware function to decode and verify a refresh token from the request body.
  *
- * @param {Request} req - The request object containing the refresh token in the body.
- * @param {Response} _res - The response object (not used in this function).
+ * @param {Request} req - The request object containing the refresh token in `req.body.refreshToken`
+ * @param {Response} res - The response object. Decoded token will be added to `res.locals.decodedRefreshToken`
  * @param {NextFunction} next - The next middleware function to be called.
  *
- * @returns {void} Calls the next middleware function with an error object if the token is invalid or required fields are missing.
- *
+ * @returns {void} Calls the next middleware function with an error object if the token is invalid or iss is missing.
+ *
  * @throws {InvalidTokenError} If the token is malformed or has invalid structure (HTTP 401)
  * @throws {InvalidSecretsError} If the secrets configuration is invalid (HTTP 500)
  * @throws {ExpiredTokenError} If the refresh token has expired (exp claim) (HTTP 401)
@@ -199,26 +213,51 @@ function decodeRefresh(req: Request, _res: Response, next: NextFunction): void {
 ### JWT Refresh
-This function will look for an ISS in the client request body :
+This function will look for an ISS (user ID) from two possible sources:
 ```Javascript
-const iss = req.decodedAccessToken?.iss || (isArray(req.body.rows, null, 1) ? req.body.rows[0]?.id?.toString() : null);
+let iss = res.locals?.decodedAccessToken?.iss;
+if (!iss)
+  iss = res.locals.id ?? null;
 ```
-It will then send both new refresh and access tokens in the res.locals and req.body objects.
+It will then send both new refresh and access tokens in the res.locals object and optionally in req.body.rows[0] if the rows array exists.
 ```Javascript
 res.locals.accessToken = accessToken;
 res.locals.refreshToken = refreshToken;
-if (isArray(req.body.rows)) {
-  req.body.rows[0].accessToken = accessToken;
-  req.body.rows[0].refreshToken = refreshToken;
+const rbr = req.body?.rows;
+if (isArray(rbr, ">=", 1) && isObject(rbr[0])) {
+  rbr[0].accessToken = accessToken;
+  rbr[0].refreshToken = refreshToken;
 }
 ```
 ### JWT Decoding
+#### Route Protection with isProtected
+The `decodeAccess()` middleware only processes requests when `res.locals.isProtected` is set to `true`. This allows you to selectively protect routes that require authentication.
+You should set this flag in a middleware before calling `decodeAccess()`:
+```Javascript
+// Example middleware to mark route as protected
+function protectRoute(req, res, next) {
+  res.locals.isProtected = true;
+  next();
+}
+// Usage
+router.get('/protected-route', protectRoute, tk.decodeAccess, yourHandler);
+```
+If `res.locals.isProtected` is `false`, `undefined`, or `null`, the `decodeAccess()` middleware will simply call `next()` without processing the token, allowing the request to continue to the next middleware.
+#### Access Token Decoding
 decodeAccess() functions will look for a bearer in authorization headers.
 ```Javascript
@@ -228,9 +267,11 @@ const bearer = req.headers.authorization;
 It will then send the decoded token in the res object.
 ```Javascript
-req.decodedAccessToken = decodedToken;
+res.locals.decodedAccessToken = decodedToken;
 ```
+#### Refresh Token Decoding
 decodeRefresh() functions will look for a token in the client request body.
 ```Javascript
@@ -240,7 +281,7 @@ const token = req.body.refreshToken;
 It will then send the decoded token in the res object.
 ```Javascript
-req.decodedRefreshToken = decodedToken;
+res.locals.decodedRefreshToken = decodedToken;
 ```

package/dist/toker-express.d.ts CHANGED Viewed

@@ -26,20 +26,15 @@ https://github.com/DWTechs/Toker-express.js
 import type { Request, Response, NextFunction } from 'express';
-// Extend Express Request interface globally
-declare global {
-  namespace Express {
-    interface Request {
-      isProtected?: boolean;
-      decodedAccessToken?: any;
-      decodedRefreshToken?: any;
-    }
-  }
+export interface RowWithTokens {
+  accessToken?: string;
+  refreshToken?: string;
+  [key: string]: any;
 }
 declare function refresh(req: Request, res: Response, next: NextFunction): void;
-declare function decodeAccess(req: Request, _res: Response, next: NextFunction): void;
-declare function decodeRefresh(req: Request, _res: Response, next: NextFunction): void;
+declare function decodeAccess(req: Request, res: Response, next: NextFunction): void;
+declare function decodeRefresh(req: Request, res: Response, next: NextFunction): void;
 export {
   refresh,

package/dist/toker-express.js CHANGED Viewed

@@ -25,7 +25,7 @@ https://github.com/DWTechs/Toker-express.js
 */
 import { sign, parseBearer, verify } from '@dwtechs/toker';
-import { isString, isNumber, isArray, isValidNumber, isJWT } from '@dwtechs/checkard';
+import { isString, isNumber, isValidNumber, isArray, isObject, isJWT } from '@dwtechs/checkard';
 import { log } from '@dwtechs/winstan';
 const { TOKEN_SECRET, ACCESS_TOKEN_DURATION, REFRESH_TOKEN_DURATION } = process.env;
@@ -39,13 +39,9 @@ const accessDuration = isNumber(ACCESS_TOKEN_DURATION, false) ? Number(ACCESS_TO
 const refreshDuration = isNumber(REFRESH_TOKEN_DURATION, false) ? Number(REFRESH_TOKEN_DURATION) : 86400;
 function refresh(req, res, next) {
     var _a, _b, _c, _d;
-    let iss = (_a = req.decodedAccessToken) === null || _a === void 0 ? void 0 : _a.iss;
-    const rbr = (_b = req.body) === null || _b === void 0 ? void 0 : _b.rows;
-    let rbrIsArray = false;
-    if (!iss) {
-        rbrIsArray = isArray(rbr, ">=", 1);
-        iss = rbrIsArray ? ((_d = (_c = rbr[0]) === null || _c === void 0 ? void 0 : _c.id) !== null && _d !== void 0 ? _d : null) : null;
-    }
+    let iss = (_b = (_a = res.locals) === null || _a === void 0 ? void 0 : _a.decodedAccessToken) === null || _b === void 0 ? void 0 : _b.iss;
+    if (!iss)
+        iss = (_c = res.locals.id) !== null && _c !== void 0 ? _c : null;
     if (!isValidNumber(iss, 1, 999999999, false))
         return next({ statusCode: 400, message: `${LOGS_PREFIX}Missing iss` });
     log.debug(`${LOGS_PREFIX}Create tokens for user ${iss}`);
@@ -61,15 +57,16 @@ function refresh(req, res, next) {
     log.debug(`refreshToken='${rt}', accessToken='${at}'`);
     res.locals.accessToken = at;
     res.locals.refreshToken = rt;
-    if (rbrIsArray) {
+    const rbr = (_d = req.body) === null || _d === void 0 ? void 0 : _d.rows;
+    if (isArray(rbr, ">=", 1) && isObject(rbr[0])) {
         rbr[0].accessToken = at;
         rbr[0].refreshToken = rt;
     }
     next();
 }
-function decodeAccess(req, _res, next) {
+function decodeAccess(req, res, next) {
     log.debug(`${LOGS_PREFIX}decode access token`);
-    if (!req.isProtected)
+    if (!res.locals.isProtected)
         return next();
     let t;
     try {
@@ -91,10 +88,10 @@ function decodeAccess(req, _res, next) {
     if (!isValidNumber(dt.iss, 1, 999999999, false))
         return next({ statusCode: 400, message: `${LOGS_PREFIX}Missing iss` });
     log.debug(`${LOGS_PREFIX}Decoded access token : ${JSON.stringify(dt)}`);
-    req.decodedAccessToken = dt;
+    res.locals.decodedAccessToken = dt;
     next();
 }
-function decodeRefresh(req, _res, next) {
+function decodeRefresh(req, res, next) {
     var _a;
     const token = (_a = req.body) === null || _a === void 0 ? void 0 : _a.refreshToken;
     log.debug(`${LOGS_PREFIX}decodeRefresh(token=${token})`);
@@ -110,7 +107,7 @@ function decodeRefresh(req, _res, next) {
     if (!isValidNumber(dt.iss, 1, 999999999, false))
         return next({ statusCode: 400, message: `${LOGS_PREFIX}Missing iss` });
     log.debug(`${LOGS_PREFIX}Decoded refresh token : ${JSON.stringify(dt)}`);
-    req.decodedRefreshToken = dt;
+    res.locals.decodedRefreshToken = dt;
     next();
 }

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "@dwtechs/toker-express",
-  "version": "0.2.1",
+  "version": "0.4.0",
   "description": "Open source JWT management library for Express.js to refresh and decode tokens safely.",
   "keywords": [
     "JWT",