How do I access getToken in

express-jwt
Samuel Goldenbaum picture Samuel Goldenbaum · May 20, 2015 · Viewed 9.7k times · Source

In the express-jwt docs there is a reference to being able to use a getToken function to get the token from a request.

How do you use this call in a route?

app.use(jwt({
  secret: 'hello world !',
  credentialsRequired: false,
  getToken: function fromHeaderOrQuerystring (req) {
    if (req.headers.authorization && req.headers.authorization.split(' ')[0] === 'Bearer') {
        return req.headers.authorization.split(' ')[1];
    } else if (req.query && req.query.token) {
      return req.query.token;
    }
    return null;
  }
}));

Answer

Signus picture Signus · May 30, 2015

A useful little trick is to add unless which makes every URL except those specified by unless require a token.

This means you don't need to create a app.get for every single path in your api that you want to protect (unless you want different secrets for each, which I don't know why you would).

var jwt = require('jsonwebtoken');
var expressJWT = require('express-jwt');

app.use(
  expressJWT({
    secret: 'hello world !',
    getToken: function fromHeaderOrQueryString (req) {
        if (req.headers.authorization && req.headers.authorization.split(' ')[0] === 'Bearer')
            return req.headers.authorization.split(' ')[1];
        else if (req.query && req.query.token)
            return req.query.token;

        return null;
    }
  }).unless({ path: ['/login'] }));

// Test paths
app.get('/login', function (req, res) {
   res.send("Attempting to login.");
});

app.get('/otherurl', function (req, res) {
    res.send('Cannot get here.');
});

Or you simply specify it for a single path:

app.get('/protected',
   expressJWT({
     secret: 'hello world !',
     getToken: function fromHeaderOrQueryString (req) {
        if (req.headers.authorization && req.headers.authorization.split(' ')[0] === 'Bearer')
            return req.headers.authorization.split(' ')[1];
        else if (req.query && req.query.token)
            return req.query.token;

        return null;
      }
 }));

Notice the change from get and use in the configuration.

For every path that you supply through express-jwt, the function getToken is run if specified in your configuration.

What's nice about adding unless is that now you have minimized the amount of work you need to do in order to get the token from the user for each and every path.

Refer to index.js of express-jwt which tells you more about how getToken works:

  • If you specify the option as a function, the token value is the returned value of the function
    • This means that you can supply custom logic for handling your tokens, and may be a useful place to call verify.
  • Otherwise it runs the standard logic for extracting the token from the Authorization header with the format of '[Authorization Bearer] [token]' (I denote the brackets to show where it splits the string).

Related questions

If you can decode JWT, how are they secure?

If I get a JWT and I can decode the payload, how is that secure? Couldn't I just grab the token out of the header, decode and change the user information in the payload, and send it back with the …

Read More
How to send a token with an AJAX request from jQuery

I use express-jwt and create my token via jQuery and save it in my localStorage with: $.ajax({ url: "http://localhost:8080/login", type: 'POST', data: formData, error : function(err) { console.log('Error!', err) }, success: function(data) { console.log('Success!') …

Read More
ERR_HTTP_HEADERS_SENT: Cannot set headers after they are sent to the client

I'm facing this weird issue in NodeJS when using with Passport.js, Express and Mongoose. Basically, I get an error saying "Cannot set headers after they are sent to the client" even though I don't send more than one header. …

Read More