
Class JwtUserSessionMiddleware

JWT User Session middleware which uses lib.jwt-user-session for session management and the HTTP protocol as the transport for user session tokens.
Notice that all function members that operate on the HTTP response only set or unset its headers; other parts, such as the status code and payload, are left untouched. The middleware also does not send the response back to the client; it is the caller's job to call send on the response.
Implementation is based on the following articles:
- JWT split in two cookies
- JWT split in signature cookie and Authorization header
- JWT refresh and revoke with Refresh Token
- CSRF mitigation
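The split-cookie transport the description refers to, shown as an added TypeScript example that is not part of lib.jwt-user-session or this middleware: it issues an HS256 token, stores `header.payload` in a client-readable cookie and the signature in an HttpOnly cookie, reassembles and verifies the token on the next request, and clears both cookies on logout. As the page notes for the real middleware, the helpers only write `Set-Cookie` headers and never touch the status code or send the response. The cookie names, the `HttpResponseLike` shape, the secret and all token values are constructed for the example; the real library takes the equivalent settings from UserSessionOptions.

```typescript
import { createHmac, timingSafeEqual } from "node:crypto";

// Minimal response shape: enough to show that only headers are written.
export interface HttpResponseLike {
  statusCode: number;
  headers: Record<string, string[]>;
}

// Assumed cookie names for the example; UserSessionOptions decides the real ones.
export const HP_COOKIE = "jwt-hp";   // header.payload, readable by page scripts
export const SIG_COOKIE = "jwt-sig"; // signature, HttpOnly

function b64url(input: string): string {
  return Buffer.from(input).toString("base64url");
}

// Issue an HS256 JWT. Constructed for the example; a deployment would use the
// library's signing path and a key loaded from a secret store.
export function signHs256(payload: Record<string, unknown>, secret: string): string {
  const header = b64url(JSON.stringify({ alg: "HS256", typ: "JWT" }));
  const signingInput = `${header}.${b64url(JSON.stringify(payload))}`;
  const signature = createHmac("sha256", secret).update(signingInput).digest("base64url");
  return `${signingInput}.${signature}`;
}

// Split the token into two cookies. Only Set-Cookie headers are added; the caller
// still chooses the status code and body and decides when to send.
export function setSplitTokenCookies(res: HttpResponseLike, token: string, maxAgeSeconds: number): void {
  const parts = token.split(".");
  if (parts.length !== 3) throw new Error("malformed JWT");
  const setCookie = res.headers["set-cookie"] ?? (res.headers["set-cookie"] = []);
  // Claims half: not HttpOnly, so the client can read exp and know when to refresh.
  setCookie.push(`${HP_COOKIE}=${parts[0]}.${parts[1]}; Path=/; Secure; SameSite=Strict; Max-Age=${maxAgeSeconds}`);
  // Signature half: HttpOnly, so script running in the page cannot read it and
  // therefore cannot assemble a complete token to send elsewhere.
  setCookie.push(`${SIG_COOKIE}=${parts[2]}; Path=/; Secure; HttpOnly; SameSite=Strict`);
}

// Invalidate both cookies: same name, path and attributes, with Max-Age=0.
export function unsetSplitTokenCookies(res: HttpResponseLike): void {
  const setCookie = res.headers["set-cookie"] ?? (res.headers["set-cookie"] = []);
  setCookie.push(`${HP_COOKIE}=; Path=/; Secure; SameSite=Strict; Max-Age=0`);
  setCookie.push(`${SIG_COOKIE}=; Path=/; Secure; HttpOnly; SameSite=Strict; Max-Age=0`);
}

export function parseCookieHeader(header: string | undefined): Record<string, string> {
  const out: Record<string, string> = {};
  for (const part of (header ?? "").split(";")) {
    const idx = part.indexOf("=");
    if (idx < 0) continue;
    out[part.slice(0, idx).trim()] = part.slice(idx + 1).trim();
  }
  return out;
}

// Reassemble the token from the two cookies and verify signature, then expiry.
// The HMAC is recomputed with a fixed algorithm, so the token's own "alg" header
// is never consulted. Returns the claims, or a short reason a caller can log.
export function verifyFromSplitCookies(
  cookieHeader: string | undefined,
  secret: string,
  nowSeconds: number = Math.floor(Date.now() / 1000),
): { payload: Record<string, unknown> } | { error: string } {
  const cookies = parseCookieHeader(cookieHeader);
  const hp = cookies[HP_COOKIE];
  const sig = cookies[SIG_COOKIE];
  if (!hp || !sig) return { error: "missing session cookie" };
  const expected = createHmac("sha256", secret).update(hp).digest();
  const given = Buffer.from(sig, "base64url");
  if (expected.length !== given.length || !timingSafeEqual(expected, given)) {
    return { error: "bad signature" };
  }
  let payload: Record<string, unknown>;
  try {
    payload = JSON.parse(Buffer.from(hp.split(".")[1], "base64url").toString("utf8"));
  } catch {
    return { error: "malformed payload" };
  }
  const exp = payload.exp;
  if (typeof exp !== "number" || exp <= nowSeconds) return { error: "expired" };
  return { payload };
}
```

Verifying before parsing keeps untrusted bytes out of `JSON.parse`, and the fixed-algorithm HMAC check is what makes the "alg" header irrelevant. A caller that gets an `error` result can clear both cookies with `unsetSplitTokenCookies`, which is the behaviour the `unsetSessionCookies` parameter of `verify` describes.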

Hierarchy

  • JwtUserSessionMiddleware

Constructors

constructor

Accessors

sessionManager

  • get sessionManager(): JwtUserSessionManager<UserSessionDevice, HTTPRequestLocation>
  • Get the JwtUserSessionManager instance.

    Returns JwtUserSessionManager<UserSessionDevice, HTTPRequestLocation>

Methods

create

  • create(req: HttpRequest<unknown>, res: HttpResponse<unknown>, jwtPayload: JwtPayload, signOptions: RequireAtLeastOne<Readonly<Omit<SignOptions, "mutatePayload" | "noTimestamp" | "header" | "encoding">>, "subject">): Promise<void>
  • Create user session.
    After session creation, sets Access and Refresh tokens in the response cookies and/or headers, according to UserSessionOptions.

    Parameters

    • req: HttpRequest<unknown>

      Incoming HTTP request.

    • res: HttpResponse<unknown>

      Outgoing HTTP response.

    • jwtPayload: JwtPayload

      Payload of the JWT token.

    • signOptions: RequireAtLeastOne<Readonly<Omit<SignOptions, "mutatePayload" | "noTimestamp" | "header" | "encoding">>, "subject">

      Sign options. Must contain at least the subject for whom the session is created.

    Returns Promise<void>

delete

  • delete(req: HttpRequest<unknown>, res: HttpResponse<unknown>, subject: string, payload?: IssuedJwtPayload, unsetSessionCookies?: boolean): Promise<void>
  • Delete user session.
    Refresh Token will be extracted from request according to UserSessionOptions.

    Parameters

    • req: HttpRequest<unknown>

      Incoming HTTP request.

    • res: HttpResponse<unknown>

      Outgoing HTTP response.

    • subject: string

      Subject which has the session that needs to be deleted.

    • Optional payload: IssuedJwtPayload

      JWT Access Token payload.
      This parameter is optional and can be omitted when the deletion is made by an admin who does not have the user's access token.

    • unsetSessionCookies: boolean = true

      Whether to unset session cookies in the res after session deletion.
      This is valid only for requests made from browser devices.
      More information about cookie invalidation can be found here.

    Returns Promise<void>

deleteAll

  • deleteAll(req: HttpRequest<unknown>, res: HttpResponse<unknown>, subject: string, payload?: IssuedJwtPayload, unsetSessionCookies?: boolean): Promise<number>
  • Delete all user sessions.

    Parameters

    • req: HttpRequest<unknown>

      Incoming HTTP request.

    • res: HttpResponse<unknown>

      Outgoing HTTP response.

    • subject: string

      Subject whose sessions need to be deleted.

    • Optional payload: IssuedJwtPayload

      JWT Access Token payload.
      This parameter is optional and can be omitted when the deletion is made by an admin who does not have the user's access token.

    • unsetSessionCookies: boolean = true

      Whether to unset session cookies in the res after session deletion.
      This is valid only for requests made from browser devices.
      More information about cookie invalidation can be found here.

    Returns Promise<number>

    Number of deleted sessions.

refresh

  • refresh(req: HttpRequest<unknown>, res: HttpResponse<unknown>, jwtPayload: JwtPayload, signOptions: RequireAtLeastOne<Readonly<Omit<SignOptions, "mutatePayload" | "noTimestamp" | "header" | "encoding">>, "subject">): Promise<void>
  • Refresh Access Token.
    Refresh Token will be extracted from request according to UserSessionOptions.
    Access Token will be included in response depending on client type and according to UserSessionOptions.

    Parameters

    • req: HttpRequest<unknown>

      Incoming HTTP request.

    • res: HttpResponse<unknown>

      Outgoing HTTP response.

    • jwtPayload: JwtPayload

      Payload of the refreshed JWT.

    • signOptions: RequireAtLeastOne<Readonly<Omit<SignOptions, "mutatePayload" | "noTimestamp" | "header" | "encoding">>, "subject">

      Sign options. Must contain at least the subject for whom the session is created.

    Returns Promise<void>

unsetSessionCookies

  • unsetSessionCookies(req: HttpRequest<unknown>, res: HttpResponse<unknown>): void
  • Unsets session cookies in the res.
    This is valid only for requests made from browser devices.
    More information about cookie invalidation can be found here.

    Parameters

    • req: HttpRequest<unknown>

      Incoming HTTP request.

    • res: HttpResponse<unknown>

      Outgoing HTTP response.

    Returns void

verify

  • verify(req: HttpRequest<unknown>, res: HttpResponse<unknown>, verifyOptions?: Readonly<Omit<RequireSome<VerifyOptions, "audience" | "issuer" | "algorithms">, "clockTimestamp" | "complete" | "ignoreExpiration" | "ignoreNotBefore">>, unsetSessionCookies?: boolean): Promise<IssuedJwtPayload>
  • Verify user session.
    Access token will be extracted from request according to UserSessionOptions.

    Parameters

    • req: HttpRequest<unknown>

      Incoming HTTP request.

    • res: HttpResponse<unknown>

      Outgoing HTTP response.

    • Optional verifyOptions: Readonly<Omit<RequireSome<VerifyOptions, "audience" | "issuer" | "algorithms">, "clockTimestamp" | "complete" | "ignoreExpiration" | "ignoreNotBefore">>

      Verify JWT access token options.

    • unsetSessionCookies: boolean = true

      Whether to unset session cookies in the res if the JWT is expired, malformed or invalidated.
      This is valid only for requests made from browser devices.
      More information about cookie invalidation can be found here.

    Returns Promise<IssuedJwtPayload>