passport-jwt-v2 4.0.2

package/.github/workflows/ci.yml

@@ -0,0 +1,20 @@
+name: Node.js CI
+
+on: push
+
+jobs:
+  build:
+    runs-on: ubuntu-latest
+    strategy:
+      matrix:
+        node-version: [10.x, 11.x, 12.x, 13.x, 14.x, 15.x, 16.x, 17.x]
+    steps:
+      - uses: actions/checkout@v2
+      - name: Use Node.js ${{ matrix.node-version }}
+        uses: actions/setup-node@v2
+        with:
+          node-version: ${{ matrix.node-version }}
+      - name: Install dependencies
+        run: npm ci
+      - run: npm run build --if-present
+      - run: npm test

package/.travis.yml

@@ -0,0 +1,11 @@
+ language: node_js
+ node_js:
+   - "14"
+   - "13"
+   - "12"
+   - "11"
+   - "10"
+   - "9"
+   - "8"
+   - "7"
+   - "6"

package/LICENSE

@@ -0,0 +1,22 @@
+The MIT License (MIT)
+
+Copyright (c) 2014 themikenicholson
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.
+

package/README.md

@@ -0,0 +1,169 @@
+# passport-jwt
+
+[![Build Status](https://travis-ci.org/mikenicholson/passport-jwt.svg?branch=master)](https://travis-ci.org/mikenicholson/passport-jwt)
+[![Code Climate](https://codeclimate.com/github/mikenicholson/passport-jwt/badges/gpa.svg)](https://codeclimate.com/github/mikenicholson/passport-jwt)
+
+A [Passport](http://passportjs.org/) strategy for authenticating with a
+[JSON Web Token](http://jwt.io).
+
+This module lets you authenticate endpoints using a JSON web token. It is
+intended to be used to secure RESTful endpoints without sessions.
+
+## Supported By
+
+If you want to quickly add secure token-based authentication to Node.js apps, feel free to check out Auth0's Node.js SDK and free plan at [auth0.com/developers](https://auth0.com/developers?utm_source=GHsponsor&utm_medium=GHsponsor&utm_campaign=passport-jwt&utm_content=auth) <img alt='Auth0 Logo' src='https://s3.amazonaws.com/passport-jwt-img/Auth0+logo.svg'/>
+
+## Install
+
+    npm install passport-jwt
+
+## Usage
+
+### Configure Strategy
+
+The JWT authentication strategy is constructed as follows:
+
+    new JwtStrategy(options, verify)
+
+`options` is an object literal containing options to control how the token is
+extracted from the request or verified.
+
+* `secretOrKey` is a string or buffer containing the secret
+  (symmetric) or PEM-encoded public key (asymmetric) for verifying the token's
+  signature. REQUIRED unless `secretOrKeyProvider` is provided.
+* `secretOrKeyProvider` is a callback in the format `function secretOrKeyProvider(request, rawJwtToken, done)`,
+  which should call `done` with a secret or PEM-encoded public key (asymmetric) for the given key and request combination.
+  `done` accepts arguments in the format `function done(err, secret)`. Note it is up to the implementer to decode rawJwtToken.
+  REQUIRED unless `secretOrKey` is provided.
+* `jwtFromRequest` (REQUIRED) Function that accepts a request as the only
+  parameter and returns either the JWT as a string or *null*. See
+  [Extracting the JWT from the request](#extracting-the-jwt-from-the-request) for
+  more details.
+* `issuer`: If defined the token issuer (iss) will be verified against this
+  value.
+* `audience`: If defined, the token audience (aud) will be verified against
+  this value.
+* `algorithms`: List of strings with the names of the allowed algorithms. For instance, ["HS256", "HS384"].
+* `ignoreExpiration`: if true do not validate the expiration of the token.
+* `passReqToCallback`: If true the request will be passed to the verify
+  callback. i.e. verify(request, jwt_payload, done_callback).
+* `jsonWebTokenOptions`: passport-jwt is verifying the token using [jsonwebtoken](https://github.com/auth0/node-jsonwebtoken).
+Pass here an options object for any other option you can pass the jsonwebtoken verifier. (i.e maxAge)
+
+`verify` is a function with the parameters `verify(jwt_payload, done)`
+
+* `jwt_payload` is an object literal containing the decoded JWT payload.
+* `done` is a passport error first callback accepting arguments
+  done(error, user, info)
+
+An example configuration which reads the JWT from the http
+Authorization header with the scheme 'bearer':
+
+```js
+var JwtStrategy = require('passport-jwt').Strategy,
+    ExtractJwt = require('passport-jwt').ExtractJwt;
+var opts = {}
+opts.jwtFromRequest = ExtractJwt.fromAuthHeaderAsBearerToken();
+opts.secretOrKey = 'secret';
+opts.issuer = 'accounts.examplesoft.com';
+opts.audience = 'yoursite.net';
+passport.use(new JwtStrategy(opts, function(jwt_payload, done) {
+    User.findOne({id: jwt_payload.sub}, function(err, user) {
+        if (err) {
+            return done(err, false);
+        }
+        if (user) {
+            return done(null, user);
+        } else {
+            return done(null, false);
+            // or you could create a new account
+        }
+    });
+}));
+```
+
+### Extracting the JWT from the request
+
+There are a number of ways the JWT may be included in a request.  In order to remain as flexible as
+possible the JWT is parsed from the request by a user-supplied callback passed in as the
+`jwtFromRequest` parameter.  This callback, from now on referred to as an extractor,
+accepts a request object as an argument and returns the encoded JWT string or *null*.
+
+#### Included extractors
+
+A number of extractor factory functions are provided in passport-jwt.ExtractJwt. These factory
+functions return a new extractor configured with the given parameters.
+
+* ```fromHeader(header_name)``` creates a new extractor that looks for the JWT in the given http
+  header
+* ```fromBodyField(field_name)``` creates a new extractor that looks for the JWT in the given body
+  field.  You must have a body parser configured in order to use this method.
+* ```fromUrlQueryParameter(param_name)``` creates a new extractor that looks for the JWT in the given
+  URL query parameter.
+* ```fromAuthHeaderWithScheme(auth_scheme)``` creates a new extractor that looks for the JWT in the
+  authorization header, expecting the scheme to match auth_scheme.
+* ```fromAuthHeaderAsBearerToken()``` creates a new extractor that looks for the JWT in the authorization header
+  with the scheme 'bearer'
+* ```fromExtractors([array of extractor functions])``` creates a new extractor using an array of
+  extractors provided. Each extractor is attempted in order until one returns a token.
+
+### Writing a custom extractor function
+
+If the supplied extractors don't meet your needs you can easily provide your own callback. For
+example, if you are using the cookie-parser middleware and want to extract the JWT in a cookie
+you could use the following function as the argument to the jwtFromRequest option:
+
+```js
+var cookieExtractor = function(req) {
+    var token = null;
+    if (req && req.cookies) {
+        token = req.cookies['jwt'];
+    }
+    return token;
+};
+// ...
+opts.jwtFromRequest = cookieExtractor;
+```
+
+### Authenticate requests
+
+Use `passport.authenticate()` specifying `'JWT'` as the strategy.
+
+```js
+app.post('/profile', passport.authenticate('jwt', { session: false }),
+    function(req, res) {
+        res.send(req.user.profile);
+    }
+);
+```
+
+### Include the JWT in requests
+
+The method of including a JWT in a request depends entirely on the extractor
+function you choose. For example, if you use the `fromAuthHeaderAsBearerToken`
+extractor, you would include an `Authorization` header in your request with the
+scheme set to `bearer`. e.g.
+
+    Authorization: bearer JSON_WEB_TOKEN_STRING.....
+
+## Migrating
+
+Read the [Migration Guide](docs/migrating.md) for help upgrading to the latest
+major version of passport-jwt.
+
+## Tests
+
+    npm install
+    npm test
+
+To generate test-coverage reports:
+
+    npm install -g istanbul
+    npm run-script testcov
+    istanbul report
+
+## License
+
+The [MIT License](http://opensource.org/licenses/MIT)
+
+Copyright (c) 2015 Mike Nicholson

package/docs/migrating.md

@@ -0,0 +1,70 @@
+# Migration Guide
+
+The following instructions should help in migrating to a new major version of
+passport-jwt.
+
+## Migrating from 3.x.x to 4.x.x
+
+Version 4.0.0 was released to update [jsonwebtoken's](https://github.com/auth0/node-jsonwebtoken)
+major version from v7 to v8 in order to fix a security issue (see
+[#147](https://github.com/mikenicholson/passport-jwt/issues/147)).
+
+Users of `passport-jwt` are exposed to the API of `jsonwebtoken` through the `jsonWebTokenOptions`
+constructor option.  Therefore, a major version rev of `jsonwebtoken` triggered a major version rev
+of `passport-jwt`.
+
+See the
+[jsonwebtoken v7-v8 Migration Notes](https://github.com/auth0/node-jsonwebtoken/wiki/Migration-Notes:-v7-to-v8)
+for the full details. The change in units for the `maxAge` attribute of `jsonWebTokenOptions` is
+likely to impact the greatest number of `passport-jwt` users.
+
+## Migrating from 2.x.x to 3.x.x
+
+Version 3.0.0 removes the `ExtractJwt.fromAuthHeader()` extractor function that would extract
+JWT's from `Authorization` headers with the auth scheme 'jwt'. The default authorization scheme
+of 'jwt' as the was not RFC 6750 compliant.  The extractor was replaced with 
+`ExtractJwt.fromAuthHeaderAsBearerToken()`.  The removal of `ExtractJwt.fromAuthHeader()` was done
+to clearly change the API so any code relying on the old API would clearly break, hopefully saving
+people some debugging time.
+
+If you want to maintain the behavior of `ExtractJwt.fromAuthHeader()` when switching to v3.3.0, simply 
+replace it with `ExtractJwt.fromAuthHeaderWithScheme('jwt')` in your implementation.
+
+## Migrating from version 1.x.x to 2.x.x
+
+The v2 API is not backwards compatible with v1, specifically with regards to the introduction
+of the concept of JWT extractor functions.  If you require the legacy behavior in v1 you can use
+the extractor function ```versionOneCompatibility(options)```
+
+*options* is an object with any of the three custom JWT extraction options present in the v1
+constructor:
+* `tokenBodyField`: Field in a request body to search for the JWT.
+  Default is auth_token.
+* `tokenQueryParameterName`: Query parameter name containing the token.
+  Default is auth_token.
+* `authScheme`: Expected authorization scheme if token is submitted through
+  the HTTP Authorization header. Defaults to JWT 
+If in v1 you constructed the strategy like this:
+
+```js
+var JwtStrategy = require('passport-jwt').Strategy;
+var opts = {}
+opts.tokenBodyField = 'MY_CUSTOM_BODY_FIELD';
+opts.secretOrKey = 'secret';
+opts.issuer = 'accounts.examplesoft.com';
+opts.audience = 'yoursite.net';
+passport.use(new JwtStrategy(opts, verifyFunction));
+```
+
+Identical behavior can be achieved under v2 with the versionOneCompatibility extractor:
+
+```js
+var JwtStrategy = require('passport-jwt').Strategy,
+    ExtractJwt = require('passport-jwt').ExtractJwt;
+var opts = {}
+opts.jwtFromRequest = ExtractJwt.versionOneCompatibility({ tokenBodyField = 'MY_CUSTOM_BODY_FIELD' });
+opts.opts.secretOrKey = 'secret';
+opts.issuer = 'accounts.examplesoft.com';
+opts.audience = 'yoursite.net';
+passport.use(new JwtStrategy(opts, verifyFunction));
+```

package/lib/auth_header.js

@@ -0,0 +1,19 @@
+'use strict';
+
+var re = /(\S+)\s+(\S+)/;
+
+
+
+function parseAuthHeader(hdrValue) {
+    if (typeof hdrValue !== 'string') {
+        return null;
+    }
+    var matches = hdrValue.match(re);
+    return matches && { scheme: matches[1], value: matches[2] };
+}
+
+
+
+module.exports = {
+    parse: parseAuthHeader
+};

package/lib/extract_jwt.js

@@ -0,0 +1,134 @@
+"use strict";
+
+var url = require('url'),
+    auth_hdr = require('./auth_header');
+
+// Note: express http converts all headers
+// to lower case.
+var AUTH_HEADER = "authorization",
+    LEGACY_AUTH_SCHEME = "JWT", 
+    BEARER_AUTH_SCHEME = 'bearer';
+
+
+var extractors = {};
+
+
+extractors.fromHeader = function (header_name) {
+    return function (request) {
+        var token = null;
+        if (request.headers[header_name]) {
+            token = request.headers[header_name];
+        }
+        return token;
+    };
+};
+
+
+
+extractors.fromBodyField = function (field_name) {
+    return function (request) {
+        var token = null;
+        if (request.body && Object.prototype.hasOwnProperty.call(request.body, field_name)) {
+            token = request.body[field_name];
+        }
+        return token;
+    };
+};
+
+
+
+extractors.fromUrlQueryParameter = function (param_name) {
+    return function (request) {
+        var token = null,
+            parsed_url = url.parse(request.url, true);
+        if (parsed_url.query && Object.prototype.hasOwnProperty.call(parsed_url.query, param_name)) {
+            token = parsed_url.query[param_name];
+        }
+        return token;
+    };
+};
+
+
+
+extractors.fromAuthHeaderWithScheme = function (auth_scheme) {
+    var auth_scheme_lower = auth_scheme.toLowerCase();
+    return function (request) {
+
+        var token = null;
+        if (request.headers[AUTH_HEADER]) {
+            var auth_params = auth_hdr.parse(request.headers[AUTH_HEADER]);
+            if (auth_params && auth_scheme_lower === auth_params.scheme.toLowerCase()) {
+                token = auth_params.value;
+            }
+        }
+        return token;
+    };
+};
+
+
+
+extractors.fromAuthHeaderAsBearerToken = function () {
+    return extractors.fromAuthHeaderWithScheme(BEARER_AUTH_SCHEME);
+};
+
+
+extractors.fromExtractors = function(extractors) {
+    if (!Array.isArray(extractors)) {
+        throw new TypeError('extractors.fromExtractors expects an array')
+    }
+    
+    return function (request) {
+        var token = null;
+        var index = 0;
+        while(!token && index < extractors.length) {
+            token = extractors[index].call(this, request);
+            index ++;
+        }
+        return token;
+    }
+};
+
+
+/**
+ * This extractor mimics the behavior of the v1.*.* extraction logic.
+ *
+ * This extractor exists only to provide an easy transition from the v1.*.* API to the v2.0.0
+ * API.
+ *
+ * This extractor first checks the auth header, if it doesn't find a token there then it checks the 
+ * specified body field and finally the url query parameters.
+ * 
+ * @param options
+ *          authScheme: Expected scheme when JWT can be found in HTTP Authorize header. Default is JWT. 
+ *          tokenBodyField: Field in request body containing token. Default is auth_token.
+ *          tokenQueryParameterName: Query parameter name containing the token. Default is auth_token.
+ */
+extractors.versionOneCompatibility = function (options) {
+    var authScheme = options.authScheme || LEGACY_AUTH_SCHEME,
+        bodyField = options.tokenBodyField || 'auth_token',
+        queryParam = options.tokenQueryParameterName || 'auth_token';
+
+    return function (request) {
+        var authHeaderExtractor = extractors.fromAuthHeaderWithScheme(authScheme);
+        var token =  authHeaderExtractor(request);
+        
+        if (!token) {
+            var bodyExtractor = extractors.fromBodyField(bodyField);
+            token = bodyExtractor(request);
+        }
+
+        if (!token) {
+            var queryExtractor = extractors.fromUrlQueryParameter(queryParam);
+            token = queryExtractor(request);
+        }
+
+        return token;
+    };
+}
+
+
+
+/**
+ * Export the Jwt extraction functions
+ */
+module.exports = extractors;

package/lib/helpers/assign.js

@@ -0,0 +1,24 @@
+// note: This is a polyfill to Object.assign to support old nodejs versions (0.10 / 0.12) where
+// Object.assign doesn't exist.
+// Source: https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/Object/assign
+module.exports = function(target, varArgs) {
+  if (target == null) { // TypeError if undefined or null
+    throw new TypeError('Cannot convert undefined or null to object');
+  }
+
+  var to = Object(target);
+
+  for (var index = 1; index < arguments.length; index++) {
+    var nextSource = arguments[index];
+
+    if (nextSource != null) { // Skip over if undefined or null
+      for (var nextKey in nextSource) {
+        // Avoid bugs when hasOwnProperty is shadowed
+        if (Object.prototype.hasOwnProperty.call(nextSource, nextKey)) {
+          to[nextKey] = nextSource[nextKey];
+        }
+      }
+    }
+  }
+  return to;
+};

package/lib/index.js

@@ -0,0 +1,10 @@
+'use strict';
+
+var Strategy = require('./strategy'),
+    ExtractJwt = require('./extract_jwt.js');
+
+
+module.exports = {
+    Strategy: Strategy,
+    ExtractJwt : ExtractJwt
+};

package/lib/strategy.js

@@ -0,0 +1,139 @@
+var passport = require('passport-strategy')
+    , auth_hdr = require('./auth_header')
+    , util = require('util')
+    , url = require('url')
+    , assign = require('./helpers/assign.js');
+
+
+
+/**
+ * Strategy constructor
+ *
+ * @param options
+ *          secretOrKey: String or buffer containing the secret or PEM-encoded public key. Required unless secretOrKeyProvider is provided.
+ *          secretOrKeyProvider: callback in the format secretOrKeyProvider(request, rawJwtToken, done)`,
+ *                               which should call done with a secret or PEM-encoded public key
+ *                               (asymmetric) for the given undecoded jwt token string and  request
+ *                               combination. done has the signature function done(err, secret).
+ *                               REQUIRED unless `secretOrKey` is provided.
+ *          jwtFromRequest: (REQUIRED) Function that accepts a request as the only parameter and returns the either JWT as a string or null
+ *          issuer: If defined issuer will be verified against this value
+ *          audience: If defined audience will be verified against this value
+ *          algorithms: List of strings with the names of the allowed algorithms. For instance, ["HS256", "HS384"].
+ *          ignoreExpiration: if true do not validate the expiration of the token.
+ *          passReqToCallback: If true the verify callback will be called with args (request, jwt_payload, done_callback).
+ * @param verify - Verify callback with args (jwt_payload, done_callback) if passReqToCallback is false,
+ *                 (request, jwt_payload, done_callback) if true.
+ */
+function JwtStrategy(options, verify) {
+
+    passport.Strategy.call(this);
+    this.name = 'jwt';
+
+    this._secretOrKeyProvider = options.secretOrKeyProvider;
+
+    if (options.secretOrKey) {
+        if (this._secretOrKeyProvider) {
+          	throw new TypeError('JwtStrategy has been given both a secretOrKey and a secretOrKeyProvider');
+        }
+        this._secretOrKeyProvider = function (request, rawJwtToken, done) {
+            done(null, options.secretOrKey)
+        };
+    }
+
+    if (!this._secretOrKeyProvider) {
+        throw new TypeError('JwtStrategy requires a secret or key');
+    }
+
+    this._verify = verify;
+    if (!this._verify) {
+        throw new TypeError('JwtStrategy requires a verify callback');
+    }
+
+    this._jwtFromRequest = options.jwtFromRequest;
+    if (!this._jwtFromRequest) {
+        throw new TypeError('JwtStrategy requires a function to retrieve jwt from requests (see option jwtFromRequest)');
+    }
+
+    this._passReqToCallback = options.passReqToCallback;
+    var jsonWebTokenOptions = options.jsonWebTokenOptions || {};
+    //for backwards compatibility, still allowing you to pass
+    //audience / issuer / algorithms / ignoreExpiration
+    //on the options.
+    this._verifOpts = assign({}, jsonWebTokenOptions, {
+      audience: options.audience,
+      issuer: options.issuer,
+      algorithms: options.algorithms,
+      ignoreExpiration: !!options.ignoreExpiration
+    });
+
+}
+util.inherits(JwtStrategy, passport.Strategy);
+
+
+
+/**
+ * Allow for injection of JWT Verifier.
+ *
+ * This improves testability by allowing tests to cleanly isolate failures in the JWT Verification
+ * process from failures in the passport related mechanics of authentication.
+ *
+ * Note that this should only be replaced in tests.
+ */
+JwtStrategy.JwtVerifier = require('./verify_jwt');
+
+
+
+/**
+ * Authenticate request based on JWT obtained from header or post body
+ */
+JwtStrategy.prototype.authenticate = function(req, options) {
+    var self = this;
+
+    var token = self._jwtFromRequest(req);
+
+    if (!token) {
+        return self.fail(new Error("No auth token"));
+    }
+
+    this._secretOrKeyProvider(req, token, function(secretOrKeyError, secretOrKey) {
+        if (secretOrKeyError) {
+            self.fail(secretOrKeyError)
+        } else {
+            // Verify the JWT
+            JwtStrategy.JwtVerifier(token, secretOrKey, self._verifOpts, function(jwt_err, payload) {
+                if (jwt_err) {
+                    return self.fail(jwt_err);
+                } else {
+                    // Pass the parsed token to the user
+                    var verified = function(err, user, info) {
+                        if(err) {
+                            return self.error(err);
+                        } else if (!user) {
+                            return self.fail(info);
+                        } else {
+                            return self.success(user, info);
+                        }
+                    };
+
+                    try {
+                        if (self._passReqToCallback) {
+                            self._verify(req, payload, verified);
+                        } else {
+                            self._verify(payload, verified);
+                        }
+                    } catch(ex) {
+                        self.error(ex);
+                    }
+                }
+            });
+        }
+    });
+};
+
+
+
+/**
+ * Export the Jwt Strategy
+ */
+ module.exports = JwtStrategy;

package/lib/verify_jwt.js

@@ -0,0 +1,5 @@
+var jwt = require('jsonwebtoken');
+
+module.exports  = function(token, secretOrKey, options, callback) {
+    return jwt.verify(token, secretOrKey, options, callback);
+};

package/package.json

@@ -0,0 +1,44 @@
+{
+  "name": "passport-jwt-v2",
+  "version": "4.0.2",
+  "description": "Passport authentication strategy using JSON Web Tokens",
+  "main": "./lib",
+  "scripts": {
+    "test": "mocha --reporter spec --require test/bootstrap test/*test.js",
+    "testcov": "nyc npm run test"
+  },
+  "repository": {
+    "type": "git",
+    "url": "git+https://github.com/JonaMX/passport-jwt-v2.git"
+  },
+  "keywords": [
+    "Passport",
+    "Strategy",
+    "JSON",
+    "Web",
+    "Token",
+    "JWT"
+  ],
+  "author": "Jonatan Juarez",
+  "license": "MIT",
+  "bugs": {
+    "url": "https://github.com/JonaMX/passport-jwt-v2/issues"
+  },
+  "homepage": "https://github.com/JonaMX/passport-jwt-v2",
+  "devDependencies": {
+    "chai": "^3.0.0",
+    "chai-passport-strategy": "^1.0.0",
+    "mocha": "^9.2.1",
+    "nyc": "^15.1.0",
+    "sinon": "^1.0.0"
+  },
+  "dependencies": {
+    "jsonwebtoken": "^9.0.3",
+    "passport-strategy": "^1.0.0"
+  },
+  "directories": {
+    "doc": "docs",
+    "lib": "lib",
+    "test": "test"
+  }
+}