$k. JWT

Generate and verify JSON web tokens for REST requests

Constructor

new $k.JWT(useropt, expiryopt, claimsopt)

Creates a new token

Parameters:
NameTypeAttributesDescription
user$k.User<optional>
expirynumber | Date<optional>

Either a number (expiry in seconds since the current date), or a date. Default is 24 hours

claimsobject<optional>
Version
  • Experimental feature, might be removed at any time
Since
  • 5.1.0

Methods

(static) createKeys(overwriteopt)

Creates persistent keys for signing

Parameters:
NameTypeAttributesDefaultDescription
overwriteboolean<optional>
true

True (default) if existing keys should be overwritten, false if keys should only be generated if there are no keys yet.

Version
  • Experimental feature, might be removed at any time
Since
  • 5.1.0
Throws:

If generating keys is not allowed

Type
$k.exception.AccessDenied

(static) parse(encodedToken) → {$k.JWT}

Parses an encoded token. Does not check its validity.

Parameters:
NameTypeDescription
encodedTokenstring
Version
  • Experimental feature, might be removed at any time
Since
  • 5.1.0
Throws:

If the string is not a valid token

Type
$k.exception.InvalidValue
Returns:

Token

Type: 
$k.JWT

(static) verify(token, expectedClaimsopt, keyopt)

Verifies the token. Shortcut for $k.JWT.parse(token).verify(claims, key)

Parameters:
NameTypeAttributesDescription
tokenstring

Token to verify

expectedClaimsobject<optional>

Expected claims.

keystring<optional>

Encoded key. If not provided, a volume specific persistent key is used. Available since 5.2.2..

Expected formats:

  • Symmetric key (e.g. HS256): base64 encoded secret key
  • Public key: PEM-encoded certificate
  • Private key: PEM-encoded private key
Version
  • Experimental feature, might be removed at any time
Since
  • 5.1.0
Deprecated
  • Use $k.JWT.parse(token).verify(claims, key)
Throws:

If the token could not be verified

Type
$k.exception.AccessDenied

addClaims(claims)

Adds additional claims. Overwrites claims with the same name

Parameters:
NameTypeDescription
claimsobject
Version
  • Experimental feature, might be removed at any time
Since
  • 5.1.0

payload() → {object}

Returns the payload object

Version
  • Experimental feature, might be removed at any time
Since
  • 5.1.0
Throws:

If the payload is not valid JSON

Type
$k.exception.InvalidValue
Returns:
Type: 
object

setExpiry(expiry)

Set the expiry claim of the token

Parameters:
NameTypeDescription
expirynumber | Date

Either a number (expiry in seconds since the current date), or a date

Version
  • Experimental feature, might be removed at any time
Since
  • 5.1.0

setPayload()

Sets the payload object

Version
  • Experimental feature, might be removed at any time
Since
  • 5.2.2

setRenew(duration)

Set the renew claim of the token

Parameters:
NameTypeDescription
durationnumber

Duration in seconds

Version
  • Experimental feature, might be removed at any time
Since
  • 5.1.0
Deprecated
  • Do not use any more. This custom claim is not used.

setSubject(subject)

Set the subject claim of the token

Parameters:
NameTypeDescription
subjectstring

Subject

Version
  • Experimental feature, might be removed at any time
Since
  • 5.1.0

setUser(user)

Set the ID of the user as the subject of the token. Do not use if a REST service expects a different subject value (e.g. E-Mail).

Parameters:
NameTypeDescription
user$k.User
Version
  • Experimental feature, might be removed at any time
Since
  • 5.1.0

sign(keyopt, algorithmopt) → {string}

Signs the token.

This method does not check the authentication of the user. This allows custom authentication mechanisms. Use $k.User.getAuthenticatedUser() for built-in username/password checking.

Parameters:
NameTypeAttributesDefaultDescription
keystring<optional>

Encoded key. If not provided, a volume specific persistent key is used. Available since 5.2.2..

Expected formats:

  • Symmetric key (e.g. HS256): base64 encoded secret key
  • Public key: PEM-encoded certificate
  • Private key: PEM-encoded private key
algorithmstring<optional>
'HS256'

Algorithm to use. Default is HS256. Available since 5.2.2.

Version
  • Experimental feature, might be removed at any time
Since
  • 5.1.0
See
  • $k.User#getAuthenticatedUser
Returns:

Signed, encoded token (<header>.<payload>.<signature>)

Type: 
string

verify(expectedClaimsopt, keyopt, algorithmopt)

Verifies the token.

Parameters:
NameTypeAttributesDefaultDescription
expectedClaimsobject<optional>

Expected claims. If undefined then only expiry will be checked.

keystring<optional>

Encoded key. If not provided, a volume specific persistent key is used. Available since 5.2.2..

Expected formats:

  • Symmetric key (e.g. HS256): base64 encoded secret key
  • Public key: PEM-encoded certificate
  • Private key: PEM-encoded private key
algorithmstring<optional>
'HS256'

Algorithm to use. Default is HS256. Available since 5.2.2.

Version
  • Experimental feature, might be removed at any time
Since
  • 5.1.0
Throws:

If the token could not be verified (e.g. invalid token or unsupported algorithm)

Type
$k.exception.AccessDenied