const jwt = require('jsonwebtoken');
// Shared HMAC key for HS256, read once at module load. Both sign() and
// verify() pass it straight to jsonwebtoken.
// NOTE(review): nothing here fails fast when JWT_SECRET is unset — SECRET is
// then undefined and only surfaces as a runtime error from the library;
// consider asserting it is present at startup.
const SECRET = process.env.JWT_SECRET;

// Token lifetime handed to jsonwebtoken's expiresIn option. An unset or
// empty JWT_EXPIRES_IN falls back to seven days.
const EXPIRES_IN = process.env.JWT_EXPIRES_IN ? process.env.JWT_EXPIRES_IN : '7d';
/**
 * Issue an HS256-signed JWT bound to a user and a session.
 *
 * Claims: `sub` = user.id, `username` = user.username, `session_id`.
 * Expiry comes from EXPIRES_IN via jsonwebtoken's expiresIn option.
 *
 * @param {{ id: *, username: string }} user - authenticated user record
 * @param {string} sessionId - server-side session this token belongs to
 * @returns {string} compact serialized JWT
 */
function sign(user, sessionId) {
  const claims = {
    sub: user.id,
    username: user.username,
    session_id: sessionId,
  };
  // Algorithm is pinned explicitly rather than left to the library default.
  const options = { algorithm: 'HS256', expiresIn: EXPIRES_IN };
  return jwt.sign(claims, SECRET, options);
}
/**
 * Verify a token's signature and expiry and expose its claims.
 *
 * Verification is restricted to HS256, so a token whose header names any
 * other algorithm is refused. Failures are reported as a result object
 * rather than thrown.
 *
 * @param {string} token - compact JWT as received from the client
 * @returns {{ valid: boolean, payload?: Object, reason?: string }}
 *   `reason` is 'expired' when jsonwebtoken raised TokenExpiredError,
 *   otherwise 'invalid' (bad signature, malformed token, wrong algorithm, ...).
 */
function verify(token) {
  let claims;
  try {
    claims = jwt.verify(token, SECRET, { algorithms: ['HS256'] });
  } catch (err) {
    // Only expiry is distinguished; every other failure collapses to
    // 'invalid', so a caller cannot tell a bad signature from a malformed token.
    const reason = err.name === 'TokenExpiredError' ? 'expired' : 'invalid';
    return { valid: false, reason };
  }

  const { sub, username, session_id, iat, exp } = claims;
  return {
    valid: true,
    payload: { user_id: sub, username, session_id, iat, exp },
  };
}
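/**
 * Extract the token from an `Authorization: Bearer <token>` header.
 *
 * The scheme is matched case-insensitively and may be separated from the
 * token by one or more whitespace characters (RFC 6750 allows 1*SP).
 * Anything other than exactly "<scheme> <token>" — missing token, extra
 * trailing fields, a different scheme, or a non-string header — yields null.
 *
 * @param {string|undefined|null} header - raw Authorization header value
 * @returns {string|null} the bearer token, or null when absent or malformed
 */
function bearer(header) {
  if (!header || typeof header !== 'string') return null;

  // Split on whitespace runs rather than a single space so "Bearer  tok"
  // is not mistaken for an empty token; require exactly two fields so
  // trailing garbage is rejected instead of silently ignored.
  const parts = header.trim().split(/\s+/);
  if (parts.length !== 2) return null;

  const [scheme, token] = parts;
  return scheme.toLowerCase() === 'bearer' ? token : null;
}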
module.exports = { sign, verify, bearer };