@dwtechs/toker-express 0.2.1 → 0.4.0

package/README.md

@@ -123,26 +123,38 @@ const refreshDuration = isNumber(REFRESH_TOKEN_DURATION, false) ? REFRESH_TOKEN_
 ```typescript
 
 /**
- * Refreshes the JWT tokens for a user.
+ * Express middleware to generate new access and refresh JWT tokens for a user.
  *
- * This function generates new access and refresh tokens for a consumer based on the provided
- * decoded access token from req.decodedAccessToken or user ID from req.body.rows[0].id. It validates the issuer (iss) and
- * creates new tokens if the validation is successful. The new tokens are then added to the
- * response locals object and optionally to req.body.rows[0] if rows is an array with at least one element.
+ * This middleware creates new access and refresh tokens based on:
+ * 1. The issuer (iss) from `res.locals.decodedAccessToken.iss` if available, OR
+ * 2. The user ID from `res.locals.id` if no decoded token is present
  *
- * @param {Request} req - The request object containing req.decodedAccessToken or req.body.rows[0].id.
- * @param {Response} res - The response object where the new tokens will be added in res.locals.
- * @param {NextFunction} next - The next middleware function in the Express.js request-response cycle.
+ * The generated tokens are stored in:
+ * - `res.locals.accessToken` and `res.locals.refreshToken`
+ * - `req.body.rows[0].accessToken` and `req.body.rows[0].refreshToken` (if rows array exists)
  *
- * @returns {void} Calls the next middleware function with an error if the issuer is invalid,
- *          otherwise proceeds to the next middleware function.
- * 
- * @throws {InvalidIssuerError} If the issuer (iss) is not a string or number (HTTP 400)
- * @throws {InvalidSecretsError} If the secrets array is empty or invalid (HTTP 500)
- * @throws {InvalidDurationError} If the duration is not a positive number (HTTP 400)
- * @throws {InvalidBase64Secret} If the secret cannot be decoded from base64 (HTTP 500)
- * @throws {Object} Will call next() with error object containing:
- *   - statusCode: 400 - When iss (issuer) is missing or invalid
+ * @param {Request} req - The Express request object. May contain:
+ *   - `req.body.rows`: Optional array where tokens will be added to first element
+ * @param {Response} res - The Express response object. Should contain:
+ *   - `res.locals.decodedAccessToken.iss`: User ID from decoded access token (checked first), OR
+ *   - `res.locals.id`: User ID (used if decodedAccessToken is not available)
+ *   Tokens will be added to `res.locals.accessToken` and `res.locals.refreshToken`
+ * @param {NextFunction} next - Express next middleware function
+ *
+ * @returns {void}
+ *
+ * @throws Will call next() with error object containing:
+ *   - statusCode: 400 - When issuer (iss) is missing or invalid (not a number between 1-999999999)
+ *   - statusCode: 500 - When token signing fails (invalid secrets, duration, or base64 secret)
+ *
+ * @example
+ * // After successful authentication, call refresh to generate tokens
+ * app.post('/login', authenticate, refresh, (req, res) => {
+ *   res.json({ 
+ *     accessToken: res.locals.accessToken, 
+ *     refreshToken: res.locals.refreshToken 
+ *   });
+ * });
  */
 function refresh(req: Request, res: Response, next: NextFunction): void {}
 
@@ -150,15 +162,17 @@ function refresh(req: Request, res: Response, next: NextFunction): void {}
  * Express middleware function to decode and verify an access token from the Authorization header.
  * 
  * This middleware extracts the JWT access token from the Authorization header, validates its format,
- * verifies its signature, and attaches the decoded token to req.decodedAccessToken for use by subsequent
- * middleware. It only processes requests that have `req.isProtected` set to true.
+ * verifies its signature, and attaches the decoded token to res.locals.decodedAccessToken for use by subsequent
+ * middleware. It only processes requests that have `res.locals.isProtected` set to true.
  * 
  * @param {Request} req - The Express request object containing the Authorization header
- * @param {Response} _res - The Express response object (not used in this function)
+ * @param {Response} res - The Express response object. Should contain:
+ *   - `res.locals.isProtected`: Boolean flag to determine if route requires JWT protection
+ *   Decoded token will be added to `res.locals.decodedAccessToken`
  * @param {NextFunction} next - The next middleware function to be called
  * 
- * @returns {void} Calls the next middleware function, either with an error or successfully
- * 
+ * @returns {void} Calls the next middleware function with an error object if the token is invalid or iss is missing.
+ *
  * @throws {MissingAuthorizationError} If the Authorization header is missing (HTTP 401)
  * @throws {InvalidBearerFormatError} If the Authorization header format is invalid (HTTP 401)
  * @throws {InvalidTokenError} If the token is malformed or has invalid structure (HTTP 401)
@@ -177,12 +191,12 @@ function decodeAccess(req: Request, _res: Response, next: NextFunction): void {}
 /**
  * Middleware function to decode and verify a refresh token from the request body.
  * 
- * @param {Request} req - The request object containing the refresh token in the body.
- * @param {Response} _res - The response object (not used in this function).
+ * @param {Request} req - The request object containing the refresh token in `req.body.refreshToken`
+ * @param {Response} res - The response object. Decoded token will be added to `res.locals.decodedRefreshToken`
  * @param {NextFunction} next - The next middleware function to be called.
  * 
- * @returns {void} Calls the next middleware function with an error object if the token is invalid or required fields are missing.
- * 
+ * @returns {void} Calls the next middleware function with an error object if the token is invalid or iss is missing.
+ *
  * @throws {InvalidTokenError} If the token is malformed or has invalid structure (HTTP 401)
  * @throws {InvalidSecretsError} If the secrets configuration is invalid (HTTP 500)
  * @throws {ExpiredTokenError} If the refresh token has expired (exp claim) (HTTP 401)
@@ -199,26 +213,51 @@ function decodeRefresh(req: Request, _res: Response, next: NextFunction): void {
 
 ### JWT Refresh
 
-This function will look for an ISS in the client request body :
+This function will look for an ISS (user ID) from two possible sources:
 
 ```Javascript
-const iss = req.decodedAccessToken?.iss || (isArray(req.body.rows, null, 1) ? req.body.rows[0]?.id?.toString() : null);
+let iss = res.locals?.decodedAccessToken?.iss;
+
+if (!iss)
+  iss = res.locals.id ?? null;
 ```
 
-It will then send both new refresh and access tokens in the res.locals and req.body objects.
+It will then send both new refresh and access tokens in the res.locals object and optionally in req.body.rows[0] if the rows array exists.
 
 ```Javascript
 res.locals.accessToken = accessToken;
 res.locals.refreshToken = refreshToken;
 
-if (isArray(req.body.rows)) {
-  req.body.rows[0].accessToken = accessToken;
-  req.body.rows[0].refreshToken = refreshToken;
+const rbr = req.body?.rows;
+if (isArray(rbr, ">=", 1) && isObject(rbr[0])) {
+  rbr[0].accessToken = accessToken;
+  rbr[0].refreshToken = refreshToken;
 }
 ```
 
 ### JWT Decoding
 
+#### Route Protection with isProtected
+
+The `decodeAccess()` middleware only processes requests when `res.locals.isProtected` is set to `true`. This allows you to selectively protect routes that require authentication.
+
+You should set this flag in a middleware before calling `decodeAccess()`:
+
+```Javascript
+// Example middleware to mark route as protected
+function protectRoute(req, res, next) {
+  res.locals.isProtected = true;
+  next();
+}
+
+// Usage
+router.get('/protected-route', protectRoute, tk.decodeAccess, yourHandler);
+```
+
+If `res.locals.isProtected` is `false`, `undefined`, or `null`, the `decodeAccess()` middleware will simply call `next()` without processing the token, allowing the request to continue to the next middleware.
+
+#### Access Token Decoding
+
 decodeAccess() functions will look for a bearer in authorization headers.
 
 ```Javascript
@@ -228,9 +267,11 @@ const bearer = req.headers.authorization;
 It will then send the decoded token in the res object.
 
 ```Javascript
-req.decodedAccessToken = decodedToken;
+res.locals.decodedAccessToken = decodedToken;
 ```
 
+#### Refresh Token Decoding
+
 decodeRefresh() functions will look for a token in the client request body.
 
 ```Javascript
@@ -240,7 +281,7 @@ const token = req.body.refreshToken;
 It will then send the decoded token in the res object.
 
 ```Javascript
-req.decodedRefreshToken = decodedToken;
+res.locals.decodedRefreshToken = decodedToken;
 ```
 
 

package/dist/toker-express.d.ts

@@ -26,20 +26,15 @@ https://github.com/DWTechs/Toker-express.js
 
 import type { Request, Response, NextFunction } from 'express';
 
-// Extend Express Request interface globally
-declare global {
-  namespace Express {
-    interface Request {
-      isProtected?: boolean;
-      decodedAccessToken?: any;
-      decodedRefreshToken?: any;
-    }
-  }
+export interface RowWithTokens {
+  accessToken?: string;
+  refreshToken?: string;
+  [key: string]: any;
 }
 
 declare function refresh(req: Request, res: Response, next: NextFunction): void;
-declare function decodeAccess(req: Request, _res: Response, next: NextFunction): void;
-declare function decodeRefresh(req: Request, _res: Response, next: NextFunction): void;
+declare function decodeAccess(req: Request, res: Response, next: NextFunction): void;
+declare function decodeRefresh(req: Request, res: Response, next: NextFunction): void;
 
 export { 
   refresh,

package/dist/toker-express.js

@@ -25,7 +25,7 @@ https://github.com/DWTechs/Toker-express.js
 */
 
 import { sign, parseBearer, verify } from '@dwtechs/toker';
-import { isString, isNumber, isArray, isValidNumber, isJWT } from '@dwtechs/checkard';
+import { isString, isNumber, isValidNumber, isArray, isObject, isJWT } from '@dwtechs/checkard';
 import { log } from '@dwtechs/winstan';
 
 const { TOKEN_SECRET, ACCESS_TOKEN_DURATION, REFRESH_TOKEN_DURATION } = process.env;
@@ -39,13 +39,9 @@ const accessDuration = isNumber(ACCESS_TOKEN_DURATION, false) ? Number(ACCESS_TO
 const refreshDuration = isNumber(REFRESH_TOKEN_DURATION, false) ? Number(REFRESH_TOKEN_DURATION) : 86400;
 function refresh(req, res, next) {
     var _a, _b, _c, _d;
-    let iss = (_a = req.decodedAccessToken) === null || _a === void 0 ? void 0 : _a.iss;
-    const rbr = (_b = req.body) === null || _b === void 0 ? void 0 : _b.rows;
-    let rbrIsArray = false;
-    if (!iss) {
-        rbrIsArray = isArray(rbr, ">=", 1);
-        iss = rbrIsArray ? ((_d = (_c = rbr[0]) === null || _c === void 0 ? void 0 : _c.id) !== null && _d !== void 0 ? _d : null) : null;
-    }
+    let iss = (_b = (_a = res.locals) === null || _a === void 0 ? void 0 : _a.decodedAccessToken) === null || _b === void 0 ? void 0 : _b.iss;
+    if (!iss)
+        iss = (_c = res.locals.id) !== null && _c !== void 0 ? _c : null;
     if (!isValidNumber(iss, 1, 999999999, false))
         return next({ statusCode: 400, message: `${LOGS_PREFIX}Missing iss` });
     log.debug(`${LOGS_PREFIX}Create tokens for user ${iss}`);
@@ -61,15 +57,16 @@ function refresh(req, res, next) {
     log.debug(`refreshToken='${rt}', accessToken='${at}'`);
     res.locals.accessToken = at;
     res.locals.refreshToken = rt;
-    if (rbrIsArray) {
+    const rbr = (_d = req.body) === null || _d === void 0 ? void 0 : _d.rows;
+    if (isArray(rbr, ">=", 1) && isObject(rbr[0])) {
         rbr[0].accessToken = at;
         rbr[0].refreshToken = rt;
     }
     next();
 }
-function decodeAccess(req, _res, next) {
+function decodeAccess(req, res, next) {
     log.debug(`${LOGS_PREFIX}decode access token`);
-    if (!req.isProtected)
+    if (!res.locals.isProtected)
         return next();
     let t;
     try {
@@ -91,10 +88,10 @@ function decodeAccess(req, _res, next) {
     if (!isValidNumber(dt.iss, 1, 999999999, false))
         return next({ statusCode: 400, message: `${LOGS_PREFIX}Missing iss` });
     log.debug(`${LOGS_PREFIX}Decoded access token : ${JSON.stringify(dt)}`);
-    req.decodedAccessToken = dt;
+    res.locals.decodedAccessToken = dt;
     next();
 }
-function decodeRefresh(req, _res, next) {
+function decodeRefresh(req, res, next) {
     var _a;
     const token = (_a = req.body) === null || _a === void 0 ? void 0 : _a.refreshToken;
     log.debug(`${LOGS_PREFIX}decodeRefresh(token=${token})`);
@@ -110,7 +107,7 @@ function decodeRefresh(req, _res, next) {
     if (!isValidNumber(dt.iss, 1, 999999999, false))
         return next({ statusCode: 400, message: `${LOGS_PREFIX}Missing iss` });
     log.debug(`${LOGS_PREFIX}Decoded refresh token : ${JSON.stringify(dt)}`);
-    req.decodedRefreshToken = dt;
+    res.locals.decodedRefreshToken = dt;
     next();
 }
 

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@dwtechs/toker-express",
-  "version": "0.2.1",
+  "version": "0.4.0",
   "description": "Open source JWT management library for Express.js to refresh and decode tokens safely.",
   "keywords": [
     "JWT",