├── .gitignore ├── .travis.yml ├── LICENSE ├── README.md ├── fastify-jwt-authz.js ├── package.json └── test.js /.gitignore: -------------------------------------------------------------------------------- 1 | node_modules 2 | .nyc_output -------------------------------------------------------------------------------- /.travis.yml: -------------------------------------------------------------------------------- 1 | language: node_js 2 | 3 | node_js: 4 | - "8" 5 | - "7" 6 | - "6" 7 | - "5" 8 | - "4" 9 | 10 | notifications: 11 | email: 12 | on_success: never 13 | on_failure: always -------------------------------------------------------------------------------- /LICENSE: -------------------------------------------------------------------------------- 1 | MIT License 2 | 3 | Copyright (c) 2018 Ethan Arrowood 4 | 5 | Permission is hereby granted, free of charge, to any person obtaining a copy 6 | of this software and associated documentation files (the "Software"), to deal 7 | in the Software without restriction, including without limitation the rights 8 | to use, copy, modify, merge, publish, distribute, sublicense, and/or sell 9 | copies of the Software, and to permit persons to whom the Software is 10 | furnished to do so, subject to the following conditions: 11 | 12 | The above copyright notice and this permission notice shall be included in all 13 | copies or substantial portions of the Software. 14 | 15 | THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR 16 | IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, 17 | FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE 18 | AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER 19 | LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, 20 | OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE 21 | SOFTWARE. 22 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | # Fastify JWT Authz 2 | ### Created by Ethan Arrowood 3 | 4 | [![js-standard-style](https://img.shields.io/badge/code%20style-standard-brightgreen.svg?style=flat)](http://standardjs.com/) [![Build Status](https://travis-ci.org/Ethan-Arrowood/fastify-jwt-authz.svg?branch=master)](https://travis-ci.org/Ethan-Arrowood/fastify-jwt-authz) 5 | 6 | `fastifyJWTAuthz` is a fastify plugin for verifying an authenticated `request.user` scope. Registering the plugin binds the `jwtAuthz` method to the fastify `request` instance. See the demo below on how to use the plugin. 7 | 8 | ```js 9 | const fastify = require('fastify')() 10 | const jwt = require('fastify-jwt') 11 | const jwtAuthz = require('fastify-jwt-authz') 12 | 13 | fastify.register(jwt, { 14 | secret: 'superSecretCode' 15 | }) 16 | fastify.register(jwtAuthz) 17 | 18 | fastify.get('/api', { 19 | beforeHandler: [ 20 | function(request, reply, done) { 21 | request.jwtVerify(done) 22 | /* The user's JWT auth token is 23 | * connected to the request object 24 | * under `headers.authentication`. 25 | * 26 | * The jwtVerify method will verify 27 | * the JWT token with the secret. 28 | * 29 | * If it verifies, the user object is 30 | * populated onto the request object 31 | * which is passed to the next function. 32 | * */ 33 | }, 34 | function(request, reply, done) { 35 | request.jwtAuthz(['read:data', 'write:data'], done) 36 | /* jwtAuthz will read the verified user's 37 | * scope off of the request object. It will 38 | * then compare the scopes defined above to 39 | * the user's scopes aquired by the JWT verification 40 | * method. 41 | * */ 42 | }, 43 | ], 44 | }, (request, reply) => { 45 | fastify.log.info('reached API endpoint') 46 | reply.send({ userVerified: true }) 47 | }) 48 | ``` 49 | 50 | `jwtAuthz` takes a list of scopes for verification. Additionally, it takes an optional callback parameter. It returns a promise otherwise. -------------------------------------------------------------------------------- /fastify-jwt-authz.js: -------------------------------------------------------------------------------- 1 | 'use strict' 2 | 3 | var fp = require('fastify-plugin') 4 | 5 | function fastifyJwtAuthz (fastify, opts, next) { 6 | fastify.decorateRequest('jwtAuthz', checkScopes) 7 | 8 | next() 9 | 10 | function checkScopes (scopes, callback) { 11 | var request = this 12 | if (callback === undefined) { 13 | return new Promise(function (resolve, reject) { 14 | request.jwtAuthz(scopes, function (err) { 15 | return err ? reject(err) : resolve(null) 16 | }) 17 | }) 18 | } 19 | 20 | if (scopes.length === 0) { return callback(new Error('Scopes cannot be empty')) } 21 | if (!this.user) { return callback(new Error('request.user does not exist')) } 22 | if (typeof this.user.scope !== 'string') { return callback(new Error('request.user.scope must be a string')) } 23 | 24 | var userScopes = this.user.scope.split(' ') 25 | var allowed = scopes.some(function (scope) { 26 | return userScopes.indexOf(scope) !== -1 27 | }) 28 | 29 | return callback(allowed ? null : new Error('Insufficient scope')) 30 | } 31 | } 32 | 33 | module.exports = fp(fastifyJwtAuthz, { 34 | fastify: '>=1.0.0-rc.1', 35 | name: 'fastify-jwt-authz' 36 | }) 37 | -------------------------------------------------------------------------------- /package.json: -------------------------------------------------------------------------------- 1 | { 2 | "name": "fastify-jwt-authz", 3 | "version": "0.1.2", 4 | "description": "Validate the JWT scope to authorize access to an endpoint for fastify", 5 | "main": "fastify-jwt-authz.js", 6 | "scripts": { 7 | "test": "standard && tap test.js" 8 | }, 9 | "repository": { 10 | "type": "git", 11 | "url": "git+ssh://git@github.com/Ethan-Arrowood/fastify-jwt-authz.git" 12 | }, 13 | "keywords": [ 14 | "fastify", 15 | "jwt", 16 | "authentication", 17 | "auth0", 18 | "nodejs" 19 | ], 20 | "author": "Ethan Arrowood", 21 | "license": "MIT", 22 | "bugs": { 23 | "url": "https://github.com/Ethan-Arrowood/fastify-jwt-authz/issues" 24 | }, 25 | "homepage": "https://github.com/Ethan-Arrowood/fastify-jwt-authz#readme", 26 | "dependencies": { 27 | "fastify-plugin": "^0.2.1" 28 | }, 29 | "devDependencies": { 30 | "fastify": "^1.1.1", 31 | "request": "^2.83.0", 32 | "standard": "^10.0.3", 33 | "tap": "^11.0.1" 34 | } 35 | } 36 | -------------------------------------------------------------------------------- /test.js: -------------------------------------------------------------------------------- 1 | 'use strict' 2 | 3 | var test = require('tap').test 4 | var Fastify = require('fastify') 5 | var request = require('request') 6 | var jwtAuthz = require('./fastify-jwt-authz') 7 | 8 | test('should decorate request instance with jwtAuthz method', function (t) { 9 | t.plan(4) 10 | var fastify = Fastify() 11 | fastify.register(jwtAuthz) 12 | 13 | fastify.get('/test', function (request, reply) { 14 | t.ok(request.jwtAuthz) 15 | reply.send({ foo: 'bar' }) 16 | }) 17 | fastify.listen(0, function (err) { 18 | fastify.server.unref() 19 | t.error(err) 20 | request({ 21 | method: 'GET', 22 | uri: 'http://localhost:' + fastify.server.address().port + '/test', 23 | json: true 24 | }, function (err, response) { 25 | t.error(err) 26 | t.ok(response) 27 | }) 28 | }) 29 | }) 30 | 31 | test('should throw an error "Scopes cannot be empty" with an empty scopes parameter', function (t) { 32 | t.plan(4) 33 | var fastify = Fastify() 34 | fastify.register(jwtAuthz) 35 | 36 | fastify.get('/test2', function (request, reply) { 37 | request.jwtAuthz([]) 38 | .catch(err => t.match(err.message, 'Scopes cannot be empty')) 39 | reply.send({ foo: 'bar' }) 40 | }) 41 | fastify.listen(0, function (err) { 42 | fastify.server.unref() 43 | t.error(err) 44 | request({ 45 | method: 'GET', 46 | uri: 'http://localhost:' + fastify.server.address().port + '/test2', 47 | json: true 48 | }, function (err, response) { 49 | t.error(err) 50 | t.ok(response) 51 | }) 52 | }) 53 | }) 54 | 55 | test('should throw an error "request.user does not exist" non existing request.user', function (t) { 56 | t.plan(4) 57 | var fastify = Fastify() 58 | fastify.register(jwtAuthz) 59 | 60 | fastify.get('/test3', function (request, reply) { 61 | request.jwtAuthz('baz') 62 | .catch(err => t.match(err.message, 'request.user does not exist')) 63 | reply.send({ foo: 'bar' }) 64 | }) 65 | fastify.listen(0, function (err) { 66 | fastify.server.unref() 67 | t.error(err) 68 | request({ 69 | method: 'GET', 70 | uri: 'http://localhost:' + fastify.server.address().port + '/test3', 71 | json: true 72 | }, function (err, response) { 73 | t.error(err) 74 | t.ok(response) 75 | }) 76 | }) 77 | }) 78 | 79 | test('should throw an error "request.user.scope must be a string"', function (t) { 80 | t.plan(4) 81 | var fastify = Fastify() 82 | fastify.register(jwtAuthz) 83 | 84 | fastify.get('/test4', function (request, reply) { 85 | request.user = { 86 | name: 'sample', 87 | scope: 123 88 | } 89 | 90 | request.jwtAuthz('baz') 91 | .catch(err => t.match(err.message, 'request.user.scope must be a string')) 92 | reply.send({ foo: 'bar' }) 93 | }) 94 | fastify.listen(0, function (err) { 95 | fastify.server.unref() 96 | t.error(err) 97 | request({ 98 | method: 'GET', 99 | uri: 'http://localhost:' + fastify.server.address().port + '/test4', 100 | json: true 101 | }, function (err, response) { 102 | t.error(err) 103 | t.ok(response) 104 | }) 105 | }) 106 | }) 107 | 108 | test('should throw an error "Insufficient scope"', function (t) { 109 | t.plan(4) 110 | var fastify = Fastify() 111 | fastify.register(jwtAuthz) 112 | 113 | fastify.get('/test5', function (request, reply) { 114 | request.user = { 115 | name: 'sample', 116 | scope: 'baz' 117 | } 118 | 119 | request.jwtAuthz(['foo']) 120 | .catch(err => t.match(err.message, 'Insufficient scope')) 121 | 122 | reply.send({ foo: 'bar' }) 123 | }) 124 | fastify.listen(0, function (err) { 125 | fastify.server.unref() 126 | t.error(err) 127 | request({ 128 | method: 'GET', 129 | uri: 'http://localhost:' + fastify.server.address().port + '/test5', 130 | json: true 131 | }, function (err, response) { 132 | t.error(err) 133 | t.ok(response) 134 | }) 135 | }) 136 | }) 137 | 138 | test('should verify user scope', function (t) { 139 | t.plan(3) 140 | var fastify = Fastify() 141 | fastify.register(jwtAuthz) 142 | 143 | fastify.get('/test5', function (request, reply) { 144 | request.user = { 145 | name: 'sample', 146 | scope: 'user manager' 147 | } 148 | 149 | request.jwtAuthz(['user']) 150 | 151 | reply.send({ foo: 'bar' }) 152 | }) 153 | fastify.listen(0, function (err) { 154 | fastify.server.unref() 155 | t.error(err) 156 | request({ 157 | method: 'GET', 158 | uri: 'http://localhost:' + fastify.server.address().port + '/test5', 159 | json: true 160 | }, function (err, response) { 161 | t.error(err) 162 | t.ok(response) 163 | }) 164 | }) 165 | }) 166 | --------------------------------------------------------------------------------