JWT utils for Fastify, internally it uses [fast-jwt](https://github.com/nearform/fast-jwt).
9
9
10
10
**NOTE:** The plugin has been migrated from using `jsonwebtoken` to `fast-jwt`. Even though `fast-jwt` has 1:1 feature implementation with `jsonwebtoken`, some _exotic_ implementations might break. In that case please open an issue with details of your implementation. See [Upgrading notes](UPGRADING.md) for more details about what changes this migration introduced.
Register as a plugin. This will decorate your `fastify` instance with the following methods: `decode`, `sign`, and `verify`; refer to their documentation to find how to use the utilities. It will also register `request.jwtVerify` and `reply.jwtSign`. You must pass a `secret` when registering the plugin.
23
23
24
24
```js
25
25
constfastify=require('fastify')()
26
-
fastify.register(require('fastify-jwt'), {
26
+
fastify.register(require('@fastify/jwt'), {
27
27
secret:'supersecret'
28
28
})
29
29
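Review bot: the `require('@fastify/jwt')` rename is consistent with the package move, but the snippet it sits in still passes `secret:'supersecret'` as a literal, and this is the first example readers will copy; consider adding a one-line comment marking it as a placeholder and pointing out that a real deployment should load a long, random secret from configuration rather than commit it. The NOTE paragraph above about the `jsonwebtoken` to `fast-jwt` migration is unchanged and still reads correctly alongside the new package name.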
@@ -42,7 +42,7 @@ For verifying & accessing the decoded token inside your services, you can use a
42
42
43
43
```js
44
44
constfastify=require('fastify')()
45
-
fastify.register(require('fastify-jwt'), {
45
+
fastify.register(require('@fastify/jwt'), {
46
46
secret:'supersecret'
47
47
})
48
48
@@ -71,7 +71,7 @@ However, most of the time we want to protect only some of the routes in our appl
Make sure that you also check [fastify-auth](https://github.com/fastify/fastify-auth) plugin for composing more complex strategies.
104
+
Make sure that you also check [@fastify/auth](https://github.com/fastify/fastify-auth) plugin for composing more complex strategies.
105
105
106
106
### Auth0 tokens verification
107
107
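Review bot: the replacement line keeps the original wording `check [@fastify/auth](...) plugin`, which drops an article; suggest `Make sure that you also check the [@fastify/auth](https://github.com/fastify/fastify-auth) plugin for composing more complex strategies.` The link target is still the `fastify/fastify-auth` GitHub repository, which matches the other hunks in this change where only the npm package names are updated, so no change is needed there.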
@@ -123,7 +123,7 @@ Function based `secret` is supported by the `request.jwtVerify()` and `reply.jwt
123
123
const { readFileSync } =require('fs')
124
124
constpath=require('path')
125
125
constfastify=require('fastify')()
126
-
constjwt=require('fastify-jwt')
126
+
constjwt=require('@fastify/jwt')
127
127
// secret as a string
128
128
fastify.register(jwt, { secret:'supersecret' })
129
129
// secret as a function with callback
@@ -167,7 +167,7 @@ fastify.register(jwt, {
167
167
sign: { algorithm:'ES256' }
168
168
})
169
169
```
170
-
Optionally you can define global default options that will be used by `fastify-jwt` API if you do not override them.
170
+
Optionally you can define global default options that will be used by `@fastify/jwt` API if you do not override them.
171
171
172
172
Additionally, it is also possible to reject tokens selectively (i.e. blacklisting) by providing the option `trusted` with the following signature: `(request, decodedToken) => boolean|Promise<boolean>|SignPayloadType|Promise<SignPayloadType>` where `request` is a `FastifyRequest` and `decodedToken` is the parsed (and verified) token information. Its result should be `false` or `Promise<false>` if the token should be rejected or, otherwise, be `true` or `Promise<true>` if the token should be accepted and, considering that `request.user` will be used after that, the return should be `decodedToken` itself.
173
173
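Review bot: the rewritten sentence now reads `used by \`@fastify/jwt\` API`, which is missing an article once the scoped name is in place; suggest `Optionally you can define global default options that will be used by the \`@fastify/jwt\` API if you do not override them.` The `trusted` option description that follows is unchanged context and still correctly describes returning `false` to reject a token or `decodedToken` to accept it.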
@@ -176,7 +176,7 @@ Additionally, it is also possible to reject tokens selectively (i.e. blacklistin
In some situations you may want to store a token in a cookie. This allows you to drastically reduce the attack surface of XSS on your web app with the [`httpOnly`](https://wiki.owasp.org/index.php/HttpOnly) and `secure` flags. Cookies can be susceptible to CSRF. You can mitigate this by either setting the [`sameSite`](https://www.owasp.org/index.php/SameSite) flag to `strict`, or by using a CSRF library such as [`fastify-csrf`](https://www.npmjs.com/package/fastify-csrf).
247
+
In some situations you may want to store a token in a cookie. This allows you to drastically reduce the attack surface of XSS on your web app with the [`httpOnly`](https://wiki.owasp.org/index.php/HttpOnly) and `secure` flags. Cookies can be susceptible to CSRF. You can mitigate this by either setting the [`sameSite`](https://www.owasp.org/index.php/SameSite) flag to `strict`, or by using a CSRF library such as [`@fastify/csrf`](https://www.npmjs.com/package/@fastify/csrf).
248
248
249
-
**Note:** This plugin will look for a decorated request with the `cookies` property. [`fastify-cookie`](https://www.npmjs.com/package/fastify-cookie) supports this feature, and therefore you should use it when using the cookie feature. The plugin will fallback to looking for the token in the authorization header if either of the following happens (even if the cookie option is enabled):
249
+
**Note:** This plugin will look for a decorated request with the `cookies` property. [`@fastify/cookie`](https://www.npmjs.com/package/@fastify/cookie) supports this feature, and therefore you should use it when using the cookie feature. The plugin will fallback to looking for the token in the authorization header if either of the following happens (even if the cookie option is enabled):
250
250
251
251
- The request has both the authorization and cookie header
252
252
- Cookie is empty, authorization header is present
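Review bot: on the rewritten cookie line the two OWASP references use different hosts, `wiki.owasp.org` for `httpOnly` and `www.owasp.org/index.php` for `sameSite`; since the line is being rewritten for the `@fastify/csrf` link anyway, consider pointing both at the same wiki host so readers do not land on a redirect. The `@fastify/cookie` rename in the following Note paragraph is consistent with the npm link form used for `@fastify/csrf`, and the fallback rules below it (Authorization header wins when both are present, or when the cookie is empty) are unchanged and worth keeping visible right next to the cookie guidance.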
@@ -255,7 +255,7 @@ If you are signing your cookie, you can set the `signed` boolean to `true` which