diff --git a/README.md b/README.md index e8c3972e..ccefcc44 100644 --- a/README.md +++ b/README.md @@ -2,29 +2,23 @@ [![Build](https://travis-ci.org/auth0/express-jwt.png)](http://travis-ci.org/auth0/express-jwt) -Middleware that validates JsonWebTokens and sets `req.user`. - -This module lets you authenticate HTTP requests using JWT tokens in your Node.js -applications. JWTs are typically used to protect API endpoints, and are -often issued using OpenID Connect. +This module provides Express middleware for validating and decoding JWTs ([JSON Web Tokens](https://jwt.io)) through the [jsonwebtoken](https://github.com/auth0/node-jsonwebtoken/) module. The decoded information is provided on the Express request object. ## Install - $ npm install express-jwt +``` +$ npm install express-jwt +``` ## Usage -The JWT authentication middleware authenticates callers using a JWT. -If the token is valid, `req.user` will be set with the JSON object decoded -to be used by later middleware for authorization and access control. - -For example, +Basic usage using an HS256 secret: ```javascript var jwt = require('express-jwt'); app.get('/protected', - jwt({secret: 'shhhhhhared-secret'}), + jwt({ secret: 'shhhhhhared-secret' }), function(req, res) { if (!req.user.admin) return res.sendStatus(401); res.sendStatus(200); @@ -34,9 +28,11 @@ app.get('/protected', You can specify audience and/or issuer as well: ```javascript -jwt({ secret: 'shhhhhhared-secret', +jwt({ + secret: 'shhhhhhared-secret', audience: 'http://myapi/protected', - issuer: 'http://issuer' }) + issuer: 'http://issuer' +}) ``` > If the JWT has an expiration (`exp`), it will be checked. @@ -100,6 +96,7 @@ app.use(jwt({ ``` ### Multi-tenancy + If you are developing an application in which the secret used to sign tokens is not static, you can provide a callback function as the `secret` parameter. The function has the signature: `function(req, payload, done)`: * `req` (`Object`) - The express `request` object. * `payload` (`Object`) - An object with the JWT claims. @@ -108,6 +105,7 @@ If you are developing an application in which the secret used to sign tokens is * `secret` (`String`) - The secret to use to verify the JWT. For example, if the secret varies based on the [JWT issuer](http://self-issued.info/docs/draft-ietf-oauth-json-web-token.html#issDef): + ```javascript var jwt = require('express-jwt'); var data = require('./data'); @@ -126,7 +124,7 @@ var secretCallback = function(req, payload, done){ }; app.get('/protected', - jwt({secret: secretCallback}), + jwt({ secret: secretCallback }), function(req, res) { if (!req.user.admin) return res.sendStatus(401); res.sendStatus(200); @@ -158,19 +156,21 @@ var isRevokedCallback = function(req, payload, done){ }; app.get('/protected', - jwt({secret: 'shhhhhhared-secret', - isRevoked: isRevokedCallback}), + jwt({ + secret: 'shhhhhhared-secret', + isRevoked: isRevokedCallback + }), function(req, res) { if (!req.user.admin) return res.sendStatus(401); res.sendStatus(200); - }); + } +); ``` ### Error handling The default behavior is to throw an error when the token is invalid, so you can add your custom logic to manage unauthorized access as follows: - ```javascript app.use(function (err, req, res, next) { if (err.name === 'UnauthorizedError') { @@ -179,8 +179,7 @@ app.use(function (err, req, res, next) { }); ``` -You might want to use this module to identify registered users while still providing access to unregistered users. You -can do this by using the option _credentialsRequired_: +You might want to use this module to identify registered users while still providing access to unregistered users. You can do this by using the option `credentialsRequired`: ```javascript app.use(jwt({ @@ -196,8 +195,10 @@ app.use(jwt({ ## Tests - $ npm install - $ npm test +``` +$ npm install +$ npm test +``` ## Contributors Check them out [here](https://github.com/auth0/express-jwt/graphs/contributors)