
Class JwtUserSessionManager<Device, Location>

Stateless implementation of user sessions that uses JWT as the exchange mechanism.

Type parameters

  • Device: DeviceBase

    Type of the device.

  • Location

    Type of the location.

Hierarchy

  • EventEmitter
    • JwtUserSessionManager

Constructors

constructor

  • Type parameters

    • Device: DeviceBase

    • Location

    Parameters

    • options: JwtUserSessionManagerOptions<Device, Location>

      Options object.
      It should not be modified afterwards, as it will be used without being cloned.

    Returns JwtUserSessionManager<Device, Location>

Methods

create

  • create(payload: JwtPayload, signOptions: RequireAtLeastOne<Readonly<Omit<SignOptions, "mutatePayload" | "noTimestamp" | "header" | "encoding">>, "subject">, context: UserSessionOperationContext<Device, Location>, refreshTokenTtl?: number): Promise<SessionTokens>
  • Create user session.

    Parameters

    • payload: JwtPayload

      JWT payload.
      The object will be modified in-place.

    • signOptions: RequireAtLeastOne<Readonly<Omit<SignOptions, "mutatePayload" | "noTimestamp" | "header" | "encoding">>, "subject">

      Sign options.
      Provided properties will override the default ones.

    • context: UserSessionOperationContext<Device, Location>

      User session creation context.
      Context won't be cloned, therefore you should not update it after operation finishes.

    • Optional refreshTokenTtl: number

      Refresh token TTL. When given, it takes priority over the default one.

    Returns Promise<SessionTokens>

    Session access and refresh tokens.

deleteAll

  • deleteAll(subject: string, jwtPayload?: IssuedJwtPayload): Promise<number>
  • Deletes all of the user's sessions.

    emits

    JwtUserSessionManagerEvent.ALL_SESSIONS_INVALIDATED, regardless of whether 0 or multiple sessions were invalidated. If you use multiple JwtUserSessionManager instances, you are strongly advised to call JwtUserSessionManager.restrictAll on the other instances when this event is emitted.

    Parameters

    • subject: string

      Subject (i.e. user/account id).

    • Optional jwtPayload: IssuedJwtPayload

      Payload of the access token.
      The access token belongs to the session from which the invalidation is performed.
      The parameter is optional, so that an admin can invalidate all of a user's sessions without having that user's access token.
      Note that when jwtPayload is not provided, the access token TTL is taken from the default JwtUserSessionManagerOptions.signOptions.expiresIn, in order to invalidate all previously issued access tokens.

    Returns Promise<number>

    Number of the deleted sessions.

deleteOne

  • deleteOne(subject: string, refreshToken: string, jwtPayload?: IssuedJwtPayload): Promise<void>
  • Delete the user session associated with the given refresh token.

    emits

    JwtUserSessionManagerEvent.SESSION_INVALIDATED, when the jwtPayload parameter is given. If you use multiple JwtUserSessionManager instances, you are strongly advised to call JwtUserSessionManager.restrictOne on the other instances when this event is emitted.

    Parameters

    • subject: string

      Subject (i.e. user/account id).

    • refreshToken: string

      Refresh token.

    • Optional jwtPayload: IssuedJwtPayload

      Payload of the access token.
      When provided, this access token will also be invalidated.
      The parameter is optional, so that admins who may not have the access token can still invalidate the user session.

    Returns Promise<void>

on

read

  • read(jwtAccessToken: string, verifyOptions?: Readonly<Omit<RequireSome<VerifyOptions, "audience" | "issuer" | "algorithms">, "clockTimestamp" | "complete" | "ignoreExpiration" | "ignoreNotBefore">>): Promise<IssuedJwtPayload>
  • Read the JWT payload from an access token.
    The token is validated before being decoded and its payload extracted.

    throws

    {TokenExpiredError} When the token is expired.

    throws

    {JsonWebTokenError} When the token is invalid.

    throws

    {NotBeforeError} When the token is used before its activation timestamp.

    throws

    {Exception} When the token was forcibly invalidated; the error code is ErrorCodes.ACCESS_TOKEN_WAS_FORCIBLY_INVALIDATED.

    Parameters

    • jwtAccessToken: string

      Access token.

    • Optional verifyOptions: Readonly<Omit<RequireSome<VerifyOptions, "audience" | "issuer" | "algorithms">, "clockTimestamp" | "complete" | "ignoreExpiration" | "ignoreNotBefore">>

      Verify options.
      Provided properties will override the default ones.

    Returns Promise<IssuedJwtPayload>

    JWT access token payload.

readAll

  • readAll(subject: string): Promise<ReadonlyMap<string, UserSessionMetaData<Device, Location>>>
  • Read all active sessions of the subject.
    Note: session objects are returned directly from storage without being cloned, so you are advised not to modify them after this operation.

    Parameters

    • subject: string

      Subject from the JWT (i.e. user/account id).

    Returns Promise<ReadonlyMap<string, UserSessionMetaData<Device, Location>>>

    Refresh tokens mapped to session metadata.

restrictAll

  • restrictAll(subject: string, accessTokenTtl: number): void
  • Restricts access to all of the user's sessions from all access tokens issued before.
    Note that the user sessions won't be deleted: they can still be accessed with access tokens obtained later via the refresh tokens of these sessions.

    example

    This method is useful if your NodeJS app operates in cluster mode. One of the nodes receives a delete-all-sessions request, deletes the sessions from the shared DB, invalidates all access tokens of all sessions in its local cache, and then notifies the other nodes via some sort of EventBus. The other nodes, upon receiving the notification, restrict access to the deleted user sessions (i.e. they update their local caches with the invalidated access tokens).

    Parameters

    • subject: string

      Subject.

    • accessTokenTtl: number

      TTL of the access token.

    Returns void

restrictOne

  • Restricts access to the user session from the access token having the given jwtPayload.
    Note that the user session won't be deleted; it can still be accessed with other access tokens.

    example

    This method is useful if your NodeJS app operates in cluster mode. One of the nodes receives a delete-session request, deletes the session from the shared DB, invalidates the access tokens for that session in its local cache, and then notifies the other nodes via some sort of EventBus. The other nodes, upon receiving the notification, restrict access to the deleted user session (i.e. they update their local caches with the invalidated access tokens).

    Parameters

    Returns void

update

  • update(refreshToken: string, payload: JwtPayload, signOptions: RequireAtLeastOne<Readonly<Omit<SignOptions, "mutatePayload" | "noTimestamp" | "header" | "encoding">>, "subject">, context: UserSessionOperationContext<Device, Location>): Promise<string>
  • Update the access token of a user session.

    throws

    {Exception} When:

    • the refresh token is not valid;

    • the update is performed from a device different from the one where the session was created (when the default InvalidationStrategyOptions.refreshAccessTokenHook is used).

    Parameters

    • refreshToken: string

      Refresh token.

    • payload: JwtPayload

      Payload for the new access token.
      The object will be modified in-place.

    • signOptions: RequireAtLeastOne<Readonly<Omit<SignOptions, "mutatePayload" | "noTimestamp" | "header" | "encoding">>, "subject">

      Sign options. Provided properties will override the default ones.

    • context: UserSessionOperationContext<Device, Location>

      Context of the access token update.

    Returns Promise<string>

    JWT access token.