Bearer token parser middleware for koa
Inspired by express-bearer-token
$ npm install koa-bearer-tokenPer RFC6750 this module will attempt to extract a bearer token from a request from these locations:
- The key
access_tokenin the request body. - The key
access_tokenin the request query params. - The value from the header
Authorization: Bearer <token>. - (Optional) Get a token from cookies header with key
access_token.
If a token is found, it will be stored on ctx.request.token. If one has been provided in more than one location, this will abort the request immediately by sending code 400 (per [RFC6750]).
const Koa = require('koa'); const bodyParser = require('koa-bodyparser'); const { bearerToken } = require('koa-bearer-token'); const app = new Koa(); app.use(bodyParser()); app.use(bearerToken()); app.use((ctx) => { // ctx.request.token }); app.listen(3000);For APIs which are not compliant with [RFC6750], the key for the token in each location is customizable, as is the key the token is bound to on the request (default configuration shown):
app.use( bearerToken({ bodyKey: 'access_token', queryKey: 'access_token', headerKey: 'Bearer', reqKey: 'token', }), );Get token from cookie key (it can be signed or not)
Warning: by NOT passing { signed: true } you are accepting a non signed cookie and an attacker might spoof the cookies. so keep in mind to use signed cookies
app.use( bearerToken({ cookie: { signed: true, // if passed true you must pass secret otherwise will throw error secret: 'YOUR_APP_SECRET', key: 'access_token', // default value }, }), );As of version 2.0.1 we've added initial support for TypeScript.
If you're using your custom reqKey, you must do module augmentation on your own:
declare module 'koa' { interface Request { myToken?: string; } } app.use( bearerToken({ reqKey: 'myToken', }), );| koa version | koa-bearer-token version |
|---|---|
<2 | 0.x.x |
2 | >=1.x.x |
MIT © C. T. Lin