Get rid of JWT as the default auth scheme.

Per #87 'jwt' was not a great choice of default value for the
authorization scheme since RFC6750 explicitly states that 'bearer'
is the proper scheme, at least in the context of OAuth 2.0.

Since this change breaks backwards compatibility I tried to be very
explicit.  extractors.fromAuthHeader() was removed and replaced with
the more explicit 'extractors.fromAuthHeaderAsBearerToken()'.

Anyone wanting to maintain passport-jwt 2.* behavior may use the
follinwg extractor instead of fromAuthHeader():

    extractors.fromAuthHeaderWithScheme('jwt')

The legacy (v 1.*) extractor, extractors.versionOneCompatibilit() still
iuses 'JWT' as the default auth scheme.

Fixes #87

Author: mikenicholson

README.md

@@ -52,13 +52,13 @@ Pass here an options object for any other option you can pass the jsonwebtoken v
   done(error, user, info)
 
 An example configuration which reads the JWT from the http
-Authorization header with the scheme 'JWT':
+Authorization header with the scheme 'bearer':
 
 ```js
 var JwtStrategy = require('passport-jwt').Strategy,
     ExtractJwt = require('passport-jwt').ExtractJwt;
 var opts = {}
-opts.jwtFromRequest = ExtractJwt.fromAuthHeader();
+opts.jwtFromRequest = ExtractJwt.fromAuthHeaderAsBearerToken();
 opts.secretOrKey = 'secret';
 opts.issuer = 'accounts.examplesoft.com';
 opts.audience = 'yoursite.net';
@@ -97,8 +97,8 @@ functions return a new extractor configured with the given parameters.
   URL query parameter.
 * ```fromAuthHeaderWithScheme(auth_scheme)``` creates a new extractor that looks for the JWT in the
   authorization header, expecting the scheme to match auth_scheme.
-* ```fromAuthHeader()``` creates a new extractor that looks for the JWT in the authorization header
-  with the scheme 'JWT'
+* ```fromAuthHeaderAsBearerToken()``` creates a new extractor that looks for the JWT in the authorization header
+  with the scheme 'bearer'
 * ```fromExtractors([array of extractor functions])``` creates a new extractor using an array of
   extractors provided. Each extractor is attempted in order until one returns a token.
 

lib/extract_jwt.js

@@ -6,7 +6,8 @@ var url = require('url'),
 // Note: express http converts all headers
 // to lower case.
 var AUTH_HEADER = "authorization",
-    DEFAULT_AUTH_SCHEME = "JWT";
+    LEGACY_AUTH_SCHEME = "JWT", 
+    BEARER_AUTH_SCHEME = 'bearer';
 
 
 var extractors = {};
@@ -66,8 +67,8 @@ extractors.fromAuthHeaderWithScheme = function (auth_scheme) {
 
 
 
-extractors.fromAuthHeader = function () {
-    return extractors.fromAuthHeaderWithScheme(DEFAULT_AUTH_SCHEME);
+extractors.fromAuthHeaderAsBearerToken = function () {
+    return extractors.fromAuthHeaderWithScheme(BEARER_AUTH_SCHEME);
 };
 
 
@@ -103,7 +104,7 @@ extractors.fromExtractors = function(extractors) {
  *          tokenQueryParameterName: Query parameter name containing the token. Default is auth_token.
  */
 extractors.versionOneCompatibility = function (options) {
-    var authScheme = options.authScheme || DEFAULT_AUTH_SCHEME,
+    var authScheme = options.authScheme || LEGACY_AUTH_SCHEME,
         bodyField = options.tokenBodyField || 'auth_token',
         queryParam = options.tokenQueryParameterName || 'auth_token';
 

test/extrators-test.js

@@ -144,11 +144,11 @@ describe('Token extractor', function() {
 
     describe('fromAuthHeader', function() {
 
-        var extractor = extract_jwt.fromAuthHeader();
+        var extractor = extract_jwt.fromAuthHeaderAsBearerToken();
 
         it('should return the value from the authorization header with default JWT auth scheme', function() {
             var req = new Request()
-            req.headers['authorization'] = "JWT abcd123";
+            req.headers['authorization'] = "bearer abcd123";
 
             var token = extractor(req);
 
@@ -169,7 +169,7 @@ describe('Token extractor', function() {
         });
 
 
-        var extractor = extract_jwt.fromExtractors([extract_jwt.fromAuthHeader(), extract_jwt.fromHeader('authorization')]);
+        var extractor = extract_jwt.fromExtractors([extract_jwt.fromAuthHeaderAsBearerToken(), extract_jwt.fromHeader('authorization')]);
 
         it('should return null when no extractor extracts token', function() {
             var req = new Request();
@@ -192,7 +192,7 @@ describe('Token extractor', function() {
 
         it('should return token found by first extractor', function() {
             var req = new Request()
-            req.headers['authorization'] = "JWT abcd123";
+            req.headers['authorization'] = "bearer abcd123";
 
             var token = extractor(req);
 

test/strategy-validation-test.js

@@ -22,7 +22,7 @@ describe('Strategy', function() {
               clockTolerance: 10,
               maxAge: "1h",
             };
-            options.jwtFromRequest = extract_jwt.fromAuthHeader();
+            options.jwtFromRequest = extract_jwt.fromAuthHeaderAsBearerToken();
             strategy = new Strategy(options, verifyStub);
 
             Strategy.JwtVerifier = sinon.stub();
@@ -33,7 +33,7 @@ describe('Strategy', function() {
                     done();
                 })
                 .req(function(req) {
-                    req.headers['authorization'] = "JWT " + test_data.valid_jwt.token;
+                    req.headers['authorization'] = "bearer " + test_data.valid_jwt.token;
                 })
                 .authenticate();
         });
@@ -82,7 +82,7 @@ describe('Strategy', function() {
         var strategy, payload;
 
         before(function(done) {
-            strategy = new Strategy({jwtFromRequest: extract_jwt.fromAuthHeader(), secretOrKey: 'secret'}, function(jwt_payload, next) {
+            strategy = new Strategy({jwtFromRequest: extract_jwt.fromAuthHeaderAsBearerToken(), secretOrKey: 'secret'}, function(jwt_payload, next) {
                 payload = jwt_payload;
                 next(null, {}, {});
             });
@@ -96,7 +96,7 @@ describe('Strategy', function() {
                     done();
                 })
                 .req(function(req) {
-                    req.headers['authorization'] = "JWT " + test_data.valid_jwt.token;
+                    req.headers['authorization'] = "bearer " + test_data.valid_jwt.token;
                 })
                 .authenticate();
         });
@@ -116,7 +116,7 @@ describe('Strategy', function() {
 
         before(function(done) {
 
-            strategy = new Strategy({jwtFromRequest: extract_jwt.fromAuthHeader(), secretOrKey: 'secret'}, verify_spy);
+            strategy = new Strategy({jwtFromRequest: extract_jwt.fromAuthHeaderAsBearerToken(), secretOrKey: 'secret'}, verify_spy);
 
             // Mock errored verification
             Strategy.JwtVerifier = sinon.stub();
@@ -128,7 +128,7 @@ describe('Strategy', function() {
                     done();
                 })
                 .req(function(req) {
-                    req.headers['authorization'] = "JWT " + test_data.valid_jwt.token;
+                    req.headers['authorization'] = "bearer " + test_data.valid_jwt.token;
                 })
                 .authenticate();
         });
@@ -153,7 +153,7 @@ describe('Strategy', function() {
 
         before(function(done) {
 
-            strategy = new Strategy({jwtFromRequest: extract_jwt.fromAuthHeader(), secretOrKey: 'secret'}, verify_spy);
+            strategy = new Strategy({jwtFromRequest: extract_jwt.fromAuthHeaderAsBearerToken(), secretOrKey: 'secret'}, verify_spy);
 
             chai.passport.use(strategy)
                 .fail(function(i) {

test/strategy-verify-test.js

@@ -17,7 +17,7 @@ describe('Strategy', function() {
         var strategy, user, info; 
 
         before(function(done) {
-            strategy = new Strategy({jwtFromRequest:extract_jwt.fromAuthHeader(), secretOrKey: 'secret'}, function(jwt_paylod, next) {
+            strategy = new Strategy({jwtFromRequest:extract_jwt.fromAuthHeaderAsBearerToken(), secretOrKey: 'secret'}, function(jwt_paylod, next) {
                 return next(null, {user_id: 1234567890}, {foo:'bar'});
             });
 
@@ -28,7 +28,7 @@ describe('Strategy', function() {
                     done();
                 })
                 .req(function(req) {
-                    req.headers['authorization'] = "JWT " + test_data.valid_jwt.token;
+                    req.headers['authorization'] = "bearer " + test_data.valid_jwt.token;
                 })
                 .authenticate();
         });
@@ -54,7 +54,7 @@ describe('Strategy', function() {
         var strategy, info;
 
         before(function(done) {
-            strategy = new Strategy({jwtFromRequest: extract_jwt.fromAuthHeader(), secretOrKey: 'secret'}, function(jwt_payload, next) {
+            strategy = new Strategy({jwtFromRequest: extract_jwt.fromAuthHeaderAsBearerToken(), secretOrKey: 'secret'}, function(jwt_payload, next) {
                 return next(null, false, {message: 'invalid user'});
             });
 
@@ -64,7 +64,7 @@ describe('Strategy', function() {
                     done();
                 })
                 .req(function(req) { 
-                    req.headers['authorization'] = "JWT " + test_data.valid_jwt.token;
+                    req.headers['authorization'] = "bearer " + test_data.valid_jwt.token;
                 })
                 .authenticate();
         });
@@ -84,7 +84,7 @@ describe('Strategy', function() {
         var strategy, err;
 
         before(function(done) {
-            strategy = new Strategy({jwtFromRequest: extract_jwt.fromAuthHeader(), secretOrKey: 'secrety'}, function(jwt_payload, next) {
+            strategy = new Strategy({jwtFromRequest: extract_jwt.fromAuthHeaderAsBearerToken(), secretOrKey: 'secrety'}, function(jwt_payload, next) {
                 return next(new Error("ERROR"), false, {message: 'invalid user'});
             });
 
@@ -94,7 +94,7 @@ describe('Strategy', function() {
                     done();
                 })
                 .req(function(req) { 
-                    req.headers['authorization'] = "JWT " + test_data.valid_jwt.token;
+                    req.headers['authorization'] = "bearer " + test_data.valid_jwt.token;
                 })
                 .authenticate();
         });
@@ -113,7 +113,7 @@ describe('Strategy', function() {
         var strategy, err;
 
         before(function(done) {
-            strategy = new Strategy({jwtFromRequest: extract_jwt.fromAuthHeader(), secretOrKey: 'secret'}, function(jwt_payload, next) {
+            strategy = new Strategy({jwtFromRequest: extract_jwt.fromAuthHeaderAsBearerToken(), secretOrKey: 'secret'}, function(jwt_payload, next) {
                 throw new Error("EXCEPTION");
             });
 
@@ -123,7 +123,7 @@ describe('Strategy', function() {
                     done();
                 })
                 .req(function(req) { 
-                    req.headers['authorization'] = "JWT " + test_data.valid_jwt.token;
+                    req.headers['authorization'] = "bearer " + test_data.valid_jwt.token;
                 })
                 .authenticate();
         });
@@ -145,7 +145,7 @@ describe('Strategy', function() {
         before(function(done) {
             opts = { passReqToCallback: true };
             opts.secretOrKey = 'secret';
-            opts.jwtFromRequest = extract_jwt.fromAuthHeader();
+            opts.jwtFromRequest = extract_jwt.fromAuthHeaderAsBearerToken();
             strategy = new Strategy(opts, function(request, jwt_payload, next) {
                 // Capture the value passed in as the request argument
                 request_arg = request;
@@ -157,7 +157,7 @@ describe('Strategy', function() {
                     done();
                 })
                 .req(function(req) {
-                    req.headers['authorization'] = "JWT " + test_data.valid_jwt.token;
+                    req.headers['authorization'] = "bearer " + test_data.valid_jwt.token;
                     expected_request = req;
                 })
                 .authenticate();