Ecosyste.ms: Awesome
An open API service indexing awesome lists of open source software.
https://github.com/stopsopa/secure-express
Can't reliably logout from basic auth, so I wrote my own simple to use library (cookie & jwt)
Last synced: 22 days ago
- Host: GitHub
- URL: https://github.com/stopsopa/secure-express
- Owner: stopsopa
- License: mit
- Created: 2019-01-13T03:35:29.000Z (almost 6 years ago)
- Default Branch: master
- Last Pushed: 2020-01-20T16:49:57.000Z (almost 5 years ago)
- Last Synced: 2024-10-05T00:08:46.346Z (about 1 month ago)
- Language: JavaScript
- Homepage:
- Size: 49.8 KB
- Stars: 0
- Watchers: 3
- Forks: 0
- Open Issues: 0
Metadata Files:
- Readme: README.md
- License: LICENSE
- Security: securityabstract.js
README
[![npm version](https://badge.fury.io/js/secure-express.svg)](https://badge.fury.io/js/secure-express)
[![NpmLicense](https://img.shields.io/npm/l/secure-express.svg)](https://github.com/stopsopa/secure-express/blob/master/LICENSE)

# Simplest use
```javascript
const path = require('path');
const fs = require('fs');
const bodyParser = require('body-parser');
const express = require('express');

const app = express();

app.use(express.static(path.resolve(__dirname, 'public')));
app.use(require('nlab/express/console-logger'));
app.use(bodyParser.urlencoded({
  extended: true, // WARNING: required for secure-express
  // without this, scripts on the server won't be able to see values submitted from the form
}));

const security = require('secure-express/securityjwt');

const middlewares = security({
  // debug: true,
  secret: "super_secret_salt_to_encrypt_jwt",
  expire : 60 * 60 * 9, // 9 hours
  // looks a user up by name; demo users are hard-coded here for the example
  userprovider: async (username, opt) => {
    const users = [
      {
        username: 'admin',
        password: 'pass',
        // jwtpayload: {
        //   username: 'admin',
        //   role: 'admin'
        // }
      },
      {
        username: 'abc',
        password: 'def',
        // jwtpayload: {
        //   username: 'admin',
        //   role: 'user'
        // }
      },
    ];
    return users.find(u => u.username === username);
  },
  // checks the submitted password against the user returned by userprovider
  authenticate: async (user = {}, password, opt) => {
    return user.password === password;
  },
  // whatever is returned here ends up inside the JWT stored in the cookie
  extractpayloadfromuser: async (user, opt) => {
    return user.jwtpayload || {};
  },
});

/**
 * Always place .signout endpoint before .secure if you want to avoid weird redirections
 */
app.all('/signout', middlewares.signout);

app.use(middlewares.secure);

app.all('/refresh', middlewares.refresh);
app.all('/diff', middlewares.diff);

const content = fs.readFileSync(path.resolve(__dirname, 'public', 'secured.html')).toString();

app.use((req, res) => {
  res.set('Content-type', 'text/html; charset=UTF-8');
  res.end(content);
});

const port = process.env.NODE_BIND_PORT;
const host = process.env.NODE_BIND_HOST;

const server = app.listen(port, host, () => {
  console.log(`\n 🌎 Server is running ` + ` ${host}:${port} ` + "\n")
});
```
# About architecture
The core script is [securityabstract.js](lib/securityabstract.js) (I'd encourage you to look at how things are implemented; it's quite simple. EDIT: it was simple before I added the "remember me" functionality ;) ). This script is responsible for creating the authentication cookie after a correct login; it doesn't impose any encryption method for the cookie content.
The other script is [securityjwt.js](lib/securityjwt.js), which extends the default configuration of securityabstract.js and focuses on encrypting the cookie using JWT.
If you would like to use a different method of encrypting the session token, just extend [securityabstract.js](lib/securityabstract.js) and use [securityjwt.js](lib/securityjwt.js) as an example of how to do it.