JWT Authentication

GitHub stars
@feathersjs/authentication-jwt"">npm version
Changelog

  1. $ npm install @feathersjs/authentication-jwt --save

@feathersjs/authentication-jwt is a module for the authentication server that wraps the passport-jwt authentication strategy, which lets you authenticate with your Feathers application using a JSON Web Token access token.

This module contains 3 core pieces:

  1. The main initialization function
  2. The Verifier class
  3. The ExtractJwt object from passport-jwt.

Configuration

In most cases initializing the module is as simple as doing this:

  1. const feathers = require('@feathersjs/feathers');
  2. const authentication = require('@feathersjs/authentication');
  3. const jwt = require('@feathersjs/authentication-jwt');
  4. const app = feathers();
  6. // Setup authentication
  7. app.configure(authentication(settings));
  8. app.configure(jwt());
  10. // Setup a hook to only allow valid JWTs to authenticate
  11. // and get new JWT access tokens
  12. app.service('authentication').hooks({
  13.   before: {
  14.     create: [
  15.       authentication.hooks.authenticate(['jwt'])
  16.     ]
  17.   }
  18. });

This will pull from your global authentication object in your config file. It will also mix in the following defaults, which can be customized.

Options

  1. {
  2.     name: 'jwt', // the name to use when invoking the authentication Strategy
  3.     entity: 'user', // the entity that you pull from if an 'id' is present in the payload
  4.     service: 'users', // the service to look up the entity
  5.     passReqToCallback: true, // whether the request object should be passed to `verify`
  6.     jwtFromRequest: [ // a passport-jwt option determining where to parse the JWT
  7.       ExtractJwt.fromHeader, // From "Authorization" header
  8.       ExtractJwt.fromAuthHeaderWithScheme('Bearer'), // Allowing "Bearer" prefix
  9.       ExtractJwt.fromBodyField('body') // from request body
  10.     ],
  11.     secretOrKey: auth.secret, // Your main secret provided to passport-jwt
  12.     session: false // whether to use sessions,
  13.     Verifier: Verifier // A Verifier class. Defaults to the built-in one but can be a custom one. See below for details.
  14. }

Additional passport-jwt options can be provided.

Verifier

This is the verification class that receives the JWT payload (if verification is successful) and either returns the payload or, if an id is present in the payload, populates the entity (normally a user) and returns both the entity and the payload. It has the following methods that can all be overridden. The verify function has the exact same signature as passport-jwt.

  1. {
  2.     constructor(app, options) // the class constructor
  3.     verify(req, payload, done) // queries the configured service
  4. }

Customizing the Verifier

The Verifier class can be extended so that you customize it’s behavior without having to rewrite and test a totally custom local Passport implementation. Although that is always an option if you don’t want use this plugin.

An example of customizing the Verifier:

  1. import jwt, { Verifier } from '@feathersjs/authentication-jwt';
  3. class CustomVerifier extends Verifier {
  4.   // The verify function has the exact same inputs and 
  5.   // return values as a vanilla passport strategy
  6.   verify(req, payload, done) {
  7.     // do your custom stuff. You can call internal Verifier methods
  8.     // and reference this.app and this.options. This method must be implemented.
  10.     // the 'user' variable can be any truthy value
  11.     // the 'payload' is the payload for the JWT access token that is generated after successful authentication
  12.     done(null, user, payload);
  13.   }
  14. }
  16. app.configure(jwt({ Verifier: CustomVerifier }));

Client Usage

authentication-client

When this module is registered server side, using the default config values this is how you can authenticate using @feathersjs/authentication-client:

  1. app.authenticate({
  2.   strategy: 'jwt',
  3.   accessToken: 'your access token'
  4. }).then(response => {
  5.   // You are now authenticated
  6. });

HTTP

If you are not using @feathersjs/authentication-client and you have registered this module server side then you can include the access token in an Authorization header.

Here is what that looks like with curl:

  1. curl -H "Content-Type: application/json" -H "Authorization: <your access token>" -X POST http://localhost:3030/authentication

Sockets

Authenticating using an access token via sockets is done by emitting the following message:

  1. const io = require('socket.io-client');
  2. const socket = io('http://localhost:3030');
  4. socket.emit('authenticate', {
  5.   strategy: 'jwt',
  6.   accessToken: 'your token'
  7. }, function(message, data) {
  8.   console.log(message); // message will be null
  9.   console.log(data); // data will be {"accessToken": "your token"}
  10.   // You can now send authenticated messages to the server
  11. });