In the express-jwt docs there is a reference to being able to use a getToken function to get the token from a request.
How do you use this call in a route?
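// NOTE(review): the secret is a hard-coded, low-entropy placeholder for the
// example only — in a real app load it from configuration (e.g.
// process.env.JWT_SECRET) and never commit it. `algorithms` is pinned so that
// only tokens signed with the algorithm you expect are accepted (express-jwt
// >= 6 refuses to start without this option).
app.use(jwt({
  secret: 'hello world !',
  algorithms: ['HS256'],
  // Requests that carry no token are let through with no user attached
  // (req.user, or req.auth in newer releases), so every handler behind this
  // middleware must check that property itself before trusting the request.
  credentialsRequired: false,
  // Extract the token from `Authorization: Bearer <token>`, falling back to
  // `?token=<token>`. A token in the query string ends up in access logs,
  // browser history and Referer headers, so prefer the header when you can.
  getToken: function fromHeaderOrQuerystring (req) {
    var auth = req.headers.authorization;
    if (auth) {
      var parts = auth.split(' ');
      // Accept only the Bearer scheme, and only when a token actually follows it.
      if (parts[0] === 'Bearer' && parts[1]) {
        return parts[1];
      }
    }
    // Express's extended query parser turns `?token[]=x` into an array; only a
    // plain string can be a JWT, so ignore anything else.
    if (req.query && typeof req.query.token === 'string') {
      return req.query.token;
    }
    return null;
  }
}));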
A useful trick is to chain `.unless()` onto the middleware: every route then requires a valid token except the paths you list. Keep that list tight — each excluded path is fully public, and a string entry is matched against the request path exactly, so check that nothing sensitive slips through.
This means you don't need to attach the middleware to an app.get for every single path in your API that you want to protect (unless you want a different secret per route, which is rarely needed).
var jwt = require('jsonwebtoken');
var expressJWT = require('express-jwt');
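// Protect every route by default, then carve out the public ones with
// .unless(); each listed path is fully public, and a string entry is matched
// against the request path exactly. NOTE(review): the secret is a hard-coded
// placeholder — load it from configuration (e.g. process.env.JWT_SECRET) in
// real code. `algorithms` is pinned so only HS256-signed tokens verify
// (express-jwt >= 6 requires the option).
app.use(
  expressJWT({
    secret: 'hello world !',
    algorithms: ['HS256'],
    // Token from `Authorization: Bearer <token>`, else from `?token=<token>`.
    // Query-string tokens leak into logs, history and Referer headers, so
    // prefer the header where possible.
    getToken: function fromHeaderOrQueryString (req) {
      var auth = req.headers.authorization;
      if (auth) {
        var parts = auth.split(' ');
        if (parts[0] === 'Bearer' && parts[1]) {
          return parts[1];
        }
      }
      // Only a string can be a JWT; `?token[]=x` parses to an array.
      if (req.query && typeof req.query.token === 'string') {
        return req.query.token;
      }
      return null;
    }
  }).unless({ path: ['/login'] }));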
// Test paths
// /login is listed in .unless() above, so it answers without a token.
function loginHandler (req, res) {
  res.send("Attempting to login.");
}
// Every other route sits behind the middleware, so this handler only runs
// after a token has been accepted.
function otherUrlHandler (req, res) {
  res.send('Cannot get here.');
}
app.get('/login', loginHandler);
app.get('/otherurl', otherUrlHandler);
Or you simply specify it for a single path:
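// Protect a single route by passing the middleware as a route-level handler.
// As written the route has no handler after the middleware, so a request with
// a valid token falls through to whatever matches next — add your handler as
// the final argument. NOTE(review): the secret is a hard-coded placeholder;
// load it from configuration (e.g. process.env.JWT_SECRET) in real code.
// `algorithms` is pinned so only HS256-signed tokens verify (required in
// express-jwt >= 6).
app.get('/protected',
  expressJWT({
    secret: 'hello world !',
    algorithms: ['HS256'],
    // Token from `Authorization: Bearer <token>`, else from `?token=<token>`.
    // Query-string tokens leak into logs, history and Referer headers, so
    // prefer the header where possible.
    getToken: function fromHeaderOrQueryString (req) {
      var auth = req.headers.authorization;
      if (auth) {
        var parts = auth.split(' ');
        if (parts[0] === 'Bearer' && parts[1]) {
          return parts[1];
        }
      }
      // Only a string can be a JWT; `?token[]=x` parses to an array.
      if (req.query && typeof req.query.token === 'string') {
        return req.query.token;
      }
      return null;
    }
  }));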
Notice the switch from app.use (the middleware runs for every request) to app.get (it runs only for that one route).
For every request that reaches the express-jwt middleware, your getToken function (if configured) is called to pull the token out of the request before it is verified. Note that accepting the token from the query string, as these examples do, means it can end up in access logs, browser history and Referer headers; prefer the Authorization header where you can.
What's nice about adding unless is that you now write the token-extraction logic once and it covers every path, instead of repeating it route by route.
Refer to index.js of express-jwt, which shows where getToken is called and how the token it returns is then handed to verify.