JWT User Session middleware which uses lib.jwt-user-session for session management and the HTTP protocol as transport for user session tokens.

Note that all function members that operate on the HTTP response set/unset only its headers; other parts, such as the status code and payload, are left untouched. The middleware also does not send the response back to the client; it is the caller's job to call send on the response.

The implementation is based on the following articles:
- JWT split in two cookies
- JWT split in signature cookie and Authorization header
- JWT refresh and revoke with Refresh Token
- CSRF mitigation

Get {@link JwtUserSessionManager} instance.

Create user session.
After session creation, sets the Access and Refresh tokens in the response cookies and/or headers, according to UserSessionOptions.
Parameters:
- Incoming HTTP request.
- Outgoing HTTP response.
- Payload of the JWT token.
- Sign options. Needs to contain at least the subject for whom the session is created.

Delete user session.
The Refresh Token will be extracted from the request according to UserSessionOptions.
Parameters:
- Incoming HTTP request.
- Outgoing HTTP response.
- Subject whose session needs to be deleted.
- JWT Access Token payload. This parameter is optional and can be omitted when deletion is made by an admin who doesn't have the access token of the user.
- Whether to unset session cookies in the response after session deletion. This is valid only for requests made from browser devices. More information about cookie invalidation can be found here.

Delete all user sessions.
Parameters:
- Incoming HTTP request.
- Outgoing HTTP response.
- Subject whose sessions need to be deleted.
- JWT Access Token payload. This parameter is optional and can be omitted when deletion is made by an admin who doesn't have the access token of the user.
- Whether to unset session cookies in the response after session deletion. This is valid only for requests made from browser devices. More information about cookie invalidation can be found here.
Returns: Number of deleted sessions.

Refresh Access Token.
The Refresh Token will be extracted from the request according to UserSessionOptions.
The Access Token will be included in the response depending on client type and according to UserSessionOptions.
Parameters:
- Incoming HTTP request.
- Outgoing HTTP response.
- Payload of the refreshed JWT.
- Sign options. Needs to contain at least the subject for whom the session is created.

Unset session cookies in the response.
This is valid only for requests made from browser devices. More information about cookie invalidation can be found here.
Parameters:
- Incoming HTTP request.
- Outgoing HTTP response.

Verify user session.
The Access Token will be extracted from the request according to UserSessionOptions.
Parameters:
- Incoming HTTP request.
- Outgoing HTTP response.
- Verify JWT access token options.
- Whether to unset session cookies in the response in case the JWT is expired, malformed or invalidated. This is valid only for requests made from browser devices. More information about cookie invalidation can be found here.