README

Passport.js framework that uses JWT for sessions

This is an alternative framework for Passport.js that is designed to use JWT tokens for sessions. So that, instead of storing user's ID and metadata in a database (e.g. Redis), it encodes that data into a JSON Web Token and writes that token to a session cookie.

How to Install

$ npm install jwt-passport

Note: It requires Node.js 6.11 or higher

How to Use

const uuid = require('uuid');
const express = require('express');
const passport = require('passport');
const jwt = require('jwt-passport');

// We're using Knex.js database client in this examle,
// but it could be any other database driver.
const db = require('./db');

passport.framework(
  jwt({
    name: '__session',
    secret: '<secret>',
    audience: '<audience>',
    issuer: '<issuer>',
    expiresIn: '1 hour',

    // Prepare payload for an ID token
    createToken: req => ({
      sub: req.user.id,
      jti: uuid.v4(),
    }),

    // Save user's token in a database
    saveToken: token =>
      db
        .table('user_tokens')
        .insert({
          user_id: token.sub,
          token_id: token.jti,
        }),

    // Revoke user's token
    deleteToken: token =>
      db
        .table('user_tokens')
        .where({ token_id: token.jti })
        .del(),

    // Check if the token was not revoked and find the corresponding user
    findUser: token =>
      db
        .table('user_tokens')
        .leftJoin('users', 'users.id', 'user_tokens.user_id')
        .where({ 'user_tokens.token_id': token.jti })
        .select('users.*')
        .first(),
  });
);

passport.use(new FacebookStrategy(/* config */));
passport.use(new TwitterStrategy(/* config */));

const app = express();

// Extend the HTTP request object with
// req.logIn() and req.logOut() helper methods
app.use(passport.initialize());

// Attemp to parse session cookie, validate the token
// and put the authenticated user object onto the contxt (req.user)
app.use(passport.session());

app.get('/', (req, res) => {
  res.send(`Welcome, ${req.user ? req.user.displayName : 'guest'}!`);
});

app.get('/login/:provider', (req, res, next) => {
  passport.authenticate(req.params.provider, /* options */)(req, res, next);
});

app.get('/login/:provider/return', (req, res, next) => {
  passport.authenticate(req.params.provider, /* options */)(req, res, next);
});

[Stop using JWT for sessions][http://cryto.net/~joepie91/blog/2016/06/13/stop-using-jwt-for-sessions/] (part 2) by @joepie91 + comments on HN
Where to Store your JWTs – Cookies vs HTML5 Web Storage

Related Projects

Passport.js — Simple, unobtrusive authentication for Node.js.
Node.js API Starter — Boilerplate for authoring GraphQL APIs with Node.js and PostgreSQL.
React Starter Kit — Boilerpalte for authoring isomorphic web apps with React.js and GraphQL.
React Starter Kit for Firebase — React.js web app boilerplate for serveless architecture.

jwt-passport

Usage no npm install needed!

README

Passport.js framework that uses JWT for sessions

How to Install

How to Use

Related Articles

Related Projects

License