jot

hapi JSON Web Token (JWT) authentication plugin

Usage no npm install needed!

<script type="module">
  import jot from 'https://cdn.skypack.dev/jot';
</script>

README

jot

hapi JSON Web Token (JWT) authentication plugin

Build Status Coverage Status

The 'jwt' scheme takes the following options:

Option Type Required Description
secret string Yes Secret key used to compute the signature
algorithms array Algorithm(s) allowed to verify tokens. Defaults to ['HS256']. Valid algorithms: ['HS256', 'HS384', 'HS512', 'RS256', 'RS384', 'RS512', 'ES256', 'ES384', 'ES512', 'none']
audience string Verify aud claim against this value
cookie string Cookie name. Defaults to sid. Works in tandem with hapi-auth-cookie. Must set JWT when the cookie is set. See examples below
issuer string Verify iss claim against this value
token string Name of the token set in the cookie. Defaults to token
validateFunc function Function to validate the decoded token on every request

Note: Storing the token in a cookie is optional, but recommended. You can always send the token in an Authorization header.

Example:

Or check out the sample app: massive-hapi

/* server.js */


// Register hapi-auth-cookie

server.register(require('hapi-auth-cookie'), (err) => {

    server.auth.strategy('session', 'cookie', {
        cookie: 'cookie-name',
        password: 'TheMinimumLengthOfPasswordsIs32!'
    });
});


// Register jot

server.register(require('jot'), (err) => {

    server.auth.strategy('jwt', 'jwt', {
        secret: 'ADifferentPasswordAlsoAtLeast32!',
        cookie: 'cookie-name'
    });

    server.auth.default({
        strategy: 'jwt',
        scope: ['admin']
    });
});


/* routes.js */


// Login route

server.route({
    method: 'POST',
    path: '/login',
    config: {
        auth: false,
        handler: (request, reply) => {

            // ... validate user credentials, yada yada yada ...

            // Set the token inside of the cookie

            request.cookieAuth.set(Jwt.sign({
                scope: ['admin']
            }, 'ADifferentPasswordAlsoAtLeast32!', {
                expiresIn: 60 * 60 * 2 // 2 hrs, but can be anything
            }));

            reply('ok!');
        }
    }
});


// Resource

server.route({
    method: 'GET',
    path: '/trade-secrets',
    config: {
        handler: (request, reply) => {

            // User is already authorized, time to check out those trade secrets

            reply('secrets!');
        }
    }
});

For more examples, check out the tests.