How do I access getToken in

Samuel Goldenbaum · May 20, 2015 · Viewed 9.7k times

In the express-jwt docs there is a reference to being able to use a getToken function to get the token from a request.

How do you use this call in a route?

var express = require('express');
var jwt = require('express-jwt');
var app = express();

app.use(jwt({
  secret: 'hello world !',
  credentialsRequired: false,
  // Custom extractor: express-jwt calls this with the request and
  // expects the raw token string, or null when none is present.
  getToken: function fromHeaderOrQuerystring (req) {
    if (req.headers.authorization && req.headers.authorization.split(' ')[0] === 'Bearer') {
      return req.headers.authorization.split(' ')[1];
    } else if (req.query && req.query.token) {
      return req.query.token;
    }
    return null;
  }
}));

Answer

Signus · May 30, 2015

A useful little trick is to add unless, which makes every URL except those specified by unless require a token.

This means you don't need to create an app.get for every single path in your api that you want to protect (unless you want different secrets for each, which I don't know why you would).

var express = require('express');
var jwt = require('jsonwebtoken');
var expressJWT = require('express-jwt');
var app = express();

// Protect every path except /login; unless() is exposed on the middleware
// returned by express-jwt.
app.use(
  expressJWT({
    secret: 'hello world !',
    getToken: function fromHeaderOrQueryString (req) {
      if (req.headers.authorization && req.headers.authorization.split(' ')[0] === 'Bearer')
        return req.headers.authorization.split(' ')[1];
      else if (req.query && req.query.token)
        return req.query.token;

      return null;
    }
  }).unless({ path: ['/login'] }));

// Test paths
app.get('/login', function (req, res) {
  res.send("Attempting to login.");
});

app.get('/otherurl', function (req, res) {
  res.send('Cannot get here.');
});

Or you simply specify it for a single path:

app.get('/protected',
  expressJWT({
    secret: 'hello world !',
    getToken: function fromHeaderOrQueryString (req) {
      if (req.headers.authorization && req.headers.authorization.split(' ')[0] === 'Bearer')
        return req.headers.authorization.split(' ')[1];
      else if (req.query && req.query.token)
        return req.query.token;

      return null;
    }
  }),
  // Route handler; without it the request would never be answered.
  function (req, res) {
    res.send('Token accepted.');
  });

Notice the difference between get and use in the configuration.

For every path that you supply through express-jwt, the function getToken is run if specified in your configuration.

What's nice about adding unless is that now you have minimized the amount of work you need to do in order to get the token from the user for each and every path.

Refer to index.js of express-jwt which tells you more about how getToken works:

  • If you specify the option as a function, the token value is the returned value of the function
    • This means that you can supply custom logic for handling your tokens, and may be a useful place to call verify.
  • Otherwise it runs the standard logic for extracting the token from the Authorization header with the format of '[Authorization Bearer] [token]' (I denote the brackets to show where it splits the string).
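Added example, not code from the question or the answer: a getToken-compatible extractor that tightens the header/query-string logic in the answer above. It keeps express-jwt's contract (return the token string, or null) but accepts the Bearer scheme case-insensitively, refuses a Bearer header with a missing or malformed credential instead of silently returning undefined, and refuses a repeated ?token= parameter; the JWT_SHAPE check and the sample requests are constructed here.

```javascript
// A compact JWS is three non-empty base64url segments joined by dots.
// Anything else is not worth handing to verify().
const JWT_SHAPE = /^[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+$/;

// Drop-in getToken for express-jwt: returns the token string or null.
function fromHeaderOrQueryString(req) {
  const header = req.headers && req.headers.authorization;
  if (typeof header === 'string' && /^bearer\b/i.test(header.trim())) {
    // Scheme names are case-insensitive and whitespace may be repeated.
    // A Bearer header with no credential, or a credential that is not
    // JWT-shaped, is rejected outright rather than falling through to
    // the query string.
    const parts = header.trim().split(/\s+/);
    return parts.length === 2 && JWT_SHAPE.test(parts[1]) ? parts[1] : null;
  }
  // No Bearer header: fall back to ?token=, but only a single string value.
  // ?token=a&token=b is parsed by express into an array and is refused.
  const q = req.query && req.query.token;
  return typeof q === 'string' && JWT_SHAPE.test(q) ? q : null;
}

// Constructed sample token (well-formed shape only; the signature is not
// valid) and constructed request objects covering the edge cases.
const SAMPLE_TOKEN = 'eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJ1MSJ9.c2ln';
const samples = [
  { headers: { authorization: 'Bearer ' + SAMPLE_TOKEN }, query: {} },
  { headers: { authorization: 'bearer   ' + SAMPLE_TOKEN }, query: {} },
  { headers: { authorization: 'Bearer' }, query: { token: SAMPLE_TOKEN } },
  { headers: { authorization: 'Basic dTE6cHc=' }, query: { token: SAMPLE_TOKEN } },
  { headers: {}, query: { token: [SAMPLE_TOKEN, 'x.y.z'] } },
  { headers: {}, query: {} },
];

samples.forEach(function (req, i) {
  console.log('sample ' + i + ':', fromHeaderOrQueryString(req));
});
```

Samples 0, 1 and 3 yield the token; 2 (Bearer with nothing after it), 4 (repeated query parameter) and 5 (no credential at all) yield null, so express-jwt treats them as unauthenticated requests.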