@dwtechs/toker-express 0.6.2 → 0.7.0

package/README.md

@@ -218,14 +218,16 @@ function parseBearer(req: Request, res: Response, next: NextFunction): void {}
  * subsequent middleware. It only processes requests that have `res.locals.route.isProtected` 
  * set to true. For non-protected routes, it simply passes control to the next middleware.
  * 
- * Note: This middleware IGNORES token expiration (exp claim) by design, allowing 
- * expired access tokens to be decoded. This is useful for token refresh flows where 
- * you need to identify the user even after their access token has expired.
+ * Note: By default, this middleware checks token expiration (exp claim) and will reject
+ * expired tokens. For token refresh flows where you need to identify the user even after 
+ * their access token has expired, set `res.locals.tokens.ignoreExpiration` to true before 
+ * calling decodeAccess function.
  * 
  * @param {Request} _req - The Express request object (unused)
  * @param {Response} res - The Express response object. Should contain:
  *   - `res.locals.route.isProtected`: Boolean flag to determine if route requires JWT protection
  *   - `res.locals.tokens.access`: The JWT token to decode (from parseBearer middleware)
+ *   - `res.locals.tokens.ignoreExpiration`: Optional boolean to skip expiration checking (default: false)
  *   Decoded token will be added to `res.locals.tokens.decodedAccess`
  * @param {NextFunction} next - The next middleware function to be called
  * 
@@ -234,6 +236,7 @@ function parseBearer(req: Request, res: Response, next: NextFunction): void {}
  * @throws Will call next() with error when:
  *   - Token is not a valid JWT format (HTTP 401)
  *   - Token is malformed or has invalid structure (HTTP 401)
+ *   - Token has expired (exp claim) - unless ignoreExpiration is true (HTTP 401)
  *   - Token cannot be used yet (nbf claim) (HTTP 401)
  *   - Token signature is invalid (HTTP 401)
  *   - Issuer (iss) is missing or invalid - not a number between 1-999999999 (HTTP 400)
@@ -241,8 +244,15 @@ function parseBearer(req: Request, res: Response, next: NextFunction): void {}
  *   - Secret cannot be decoded from base64 (HTTP 500)
  * 
  * @example
- * // Use in protected route chain for token refresh
- * app.post('/refresh', parseBearer, decodeAccess, refreshTokens, ...);
+ * // Use in protected route chain (checks expiration by default)
+ * app.get('/protected', parseBearer, decodeAccess, ...);
+ * 
+ * @example
+ * // Use in token refresh flow (ignores expiration)
+ * app.post('/refresh', (req, res, next) => {
+ *   res.locals.tokens = { ignoreExpiration: true };
+ *   next();
+ * }, parseBearer, decodeAccess, refreshTokens, ...);
  */
 function decodeAccess(_req: Request, res: Response, next: NextFunction): void {}
 

package/dist/toker-express.js

@@ -91,16 +91,17 @@ function parseBearer(req, res, next) {
     next();
 }
 function decodeAccess(_req, res, next) {
-    var _a, _b, _c, _d;
+    var _a, _b, _c, _d, _e, _f, _g;
     log.debug(`${LOGS_PREFIX}decode access token`);
     if (!((_b = (_a = res.locals) === null || _a === void 0 ? void 0 : _a.route) === null || _b === void 0 ? void 0 : _b.isProtected))
         return next();
     const t = (_d = (_c = res.locals) === null || _c === void 0 ? void 0 : _c.tokens) === null || _d === void 0 ? void 0 : _d.access;
+    const ignoreExpiration = (_g = (_f = (_e = res.locals) === null || _e === void 0 ? void 0 : _e.tokens) === null || _f === void 0 ? void 0 : _f.ignoreExpiration) !== null && _g !== void 0 ? _g : false;
     if (!isJWT(t))
         return next({ statusCode: 401, message: `${LOGS_PREFIX}Invalid access token` });
     let dt = null;
     try {
-        dt = verify(t, secrets, true);
+        dt = verify(t, secrets, ignoreExpiration);
     }
     catch (e) {
         return next(e);

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@dwtechs/toker-express",
-  "version": "0.6.2",
+  "version": "0.7.0",
   "description": "Open source JWT management library for Express.js to refresh and decode tokens safely.",
   "keywords": [
     "JWT",