Bearer token parser middleware for koa

Inspired by express-bearer-token

$ npm install koa-bearer-token

Per RFC6750 this module will attempt to extract a bearer token from a request from these locations:

• The key access_token in the request body.
• The key access_token in the request query params.
• The value from the header Authorization: Bearer <token>.
• (Optional) Get a token from cookies header with key access_token.

If a token is found, it will be stored on ctx.request.token. If one has been provided in more than one location, this will abort the request immediately by sending code 400 (per [RFC6750]).

const Koa = require('koa');
const bodyParser = require('koa-bodyparser');
const { bearerToken } = require('koa-bearer-token');
const app = new Koa();
app.use(bodyParser());
app.use(bearerToken());
app.use((ctx) => {
  // ctx.request.token
});
app.listen(3000);

For APIs which are not compliant with [RFC6750], the key for the token in each location is customizable, as is the key the token is bound to on the request (default configuration shown):

app.use(
  bearerToken({
    bodyKey: 'access_token',
    queryKey: 'access_token',
    headerKey: 'Bearer',
    reqKey: 'token',
  }),
);

Get token from cookie key (it can be signed or not)

Warning: by NOT passing { signed: true } you are accepting a non signed cookie and an attacker might spoof the cookies. so keep in mind to use signed cookies

app.use(
  bearerToken({
    cookie: {
      signed: true, // if passed true you must pass secret otherwise will throw error
      secret: 'YOUR_APP_SECRET',
      key: 'access_token', // default value
    },
  }),
);

As of version 2.0.1 we've added initial support for TypeScript.

If you're using your custom reqKey, you must do module augmentation on your own:

declare module 'koa' {
  interface Request {
    myToken?: string;
  }
}
app.use(
  bearerToken({
    reqKey: 'myToken',
  }),
);

MIT © C. T. Lin