From 0000a44ed58aac97798007af19b0324f28acc436 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jos=C3=A9=20F=2E=20Romaniello?=
Date: Thu, 22 Dec 2022 10:50:24 -0300
Subject: [PATCH] add secret rotation example in readme. close #310

---
 README.md | 13 +++++++++++++
 test/jwt.test.ts | 15 ++++++++-------
 2 files changed, 21 insertions(+), 7 deletions(-)

diff --git a/README.md b/README.md
index 1a58ef47..05cb0088 100644
--- a/README.md
+++ b/README.md
@@ -178,6 +178,19 @@ app.get(
 );
 ```
 
+### Secret rotation
+
+The getSecret callback could also be used in cases where the same issuer might issue tokens with different keys at certain point:
+
+```js
+var getSecret = async function (req, token) {
+const { iss } = token.payload;
+const { kid } = token.header;
+// get the verification key by a given key-id and issuer.
+return verificationKey;
+};
+```
+
 ### Revoked tokens
 
 It is possible that some tokens will need to be revoked so they cannot be used any longer. You can provide a function as the `isRevoked` option. The signature of the function is `function(req, payload, done)`:
diff --git a/test/jwt.test.ts b/test/jwt.test.ts
index 59c6464a..c2166812 100644
--- a/test/jwt.test.ts
+++ b/test/jwt.test.ts
@@ -1,7 +1,7 @@
 /* eslint-disable @typescript-eslint/ban-ts-comment */
 import * as jwt from 'jsonwebtoken';
 import * as express from 'express';
-import { expressjwt, UnauthorizedError, ExpressJwtRequest, GetVerificationKey } from '../src';
+import { expressjwt, UnauthorizedError, Request, GetVerificationKey } from '../src';
 import * as assert from 'assert';
 
 
@@ -279,7 +279,7 @@ describe('work tests', function () {
 it('should work if authorization header is valid jwt', function (done) {
 const secret = 'shhhhhh';
 const token = jwt.sign({ foo: 'bar' }, secret);
-const req = {} as ExpressJwtRequest;
+const req = {} as Request;
 const res = {} as express.Response;
 req.headers = {};
 req.headers.authorization = 'Bearer ' + token;
@@ -292,7 +292,7 @@ describe('work tests', function () {
 it('should work if authorization header is valid with a buffer secret', function (done) {
 const secret = Buffer.from('AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA', 'base64');
 const token = jwt.sign({ foo: 'bar' }, secret);
-const req = {} as ExpressJwtRequest;
+const req = {} as Request;
 const res = {} as express.Response;
 req.headers = {};
@@ -306,7 +306,7 @@ describe('work tests', function () {
 it('should work if Authorization header is capitalized (lambda environment)', function (done) {
 const secret = Buffer.from('AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA', 'base64');
 const token = jwt.sign({ foo: 'bar' }, secret);
-const req = {} as ExpressJwtRequest;
+const req = {} as Request;
 const res = {} as express.Response;
 req.headers = {};
@@ -349,7 +349,7 @@ describe('work tests', function () {
 });
 
 it('should work with a custom getToken function', function (done) {
-const req = {} as ExpressJwtRequest;
+const req = {} as Request;
 const res = {} as express.Response;
 const secret = 'shhhhhh';
 const token = jwt.sign({ foo: 'bar' }, secret);
@@ -373,7 +373,7 @@ describe('work tests', function () {
 });
 
 it('should work with an async getToken function', function (done) {
-const req = {} as ExpressJwtRequest;
+const req = {} as Request;
 const res = {} as express.Response;
 const secret = 'shhhhhh';
 const token = jwt.sign({ foo: 'bar' }, secret);
@@ -397,10 +397,11 @@ describe('work tests', function () {
 });
 
 it('should work with a secretCallback function that accepts header argument', function (done) {
-const req = {} as ExpressJwtRequest;
+const req = {} as Request;
 const res = {} as express.Response;
 const secret = 'shhhhhh';
 const getSecret: GetVerificationKey = async (req, token) => {
+// @ts-ignore
 assert.equal(token.header.alg, 'HS256');
 // @ts-ignore
 assert.equal(token.payload.foo, 'bar');
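Review bot: The `// @ts-ignore` added above `assert.equal(token.header.alg, 'HS256')` in the `@@ -397` hunk suppresses every diagnostic on that line, not only the one the `GetVerificationKey` typing of `token` presumably raises on `token.header`, so a later real type error on the assertion would go unnoticed. `// @ts-expect-error token.header is not narrowed by GetVerificationKey` (reason wording to be confirmed against the actual compiler error) keeps the test compiling today and fails the build once the suppression is no longer needed; the file already disables `ban-ts-comment`, so lint accepts either form, and the same applies to the pre-existing suppression on the `token.payload.foo` line. The `it` callback and the `getSecret` arrow both continue past the end of the hunk.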