jwt function
Middleware
jwt({
- required String secret,
- String alg = 'HS256',
- String? cookie,
- String headerName = 'authorization',
- VerifyOptions? verifyOptions,
JWT authentication middleware.
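Extracts a Bearer token from the `headerName` header (default `authorization`),
or, when `cookie` is provided, from the cookie with that name instead; in
cookie mode the header is not consulted. On success, stores the verified
payload so that it can be read with `c.get('jwtPayload')`, and also assigns it
to `c.user`. A request with a missing or invalid token is rejected as
unauthorized and the rest of the chain does not run.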
Supported algorithms: HS256 (default), HS384, HS512.
// Header-based (default): the token is taken from an
// `Authorization: Bearer <token>` request header.
app.mount('/api/*', jwt(secret: env.secret));
// Cookie-based: the token is read from the `access_token` cookie and the
// Authorization header is not consulted. Browsers attach cookies on their
// own, so pair this mode with a CSRF defence on state-changing routes.
app.mount('/api/*', jwt(secret: env.secret, cookie: 'access_token'));
// With full verify options: the algorithm is set to HS512 and `verifyOptions`
// is handed to the verifier (presumably `iss` restricts the accepted issuer;
// confirm against VerifyOptions).
app.mount('/api/*', jwt(
secret: env.secret,
alg: 'HS512',
verifyOptions: VerifyOptions(iss: 'my-app'),
));
Implementation
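/// JWT authentication middleware.
///
/// Reads the token from the cookie named [cookie] when that argument is
/// given; otherwise from the [headerName] request header, which must carry a
/// `Bearer` credential. When [cookie] is set the header is never consulted.
///
/// A request with no token, or one for which `_verifyJwt` returns null, is
/// answered through `_unauthorizedJwt` and `next` is not called. On success
/// the verified payload is stored under `jwtPayload` and on `c.user` before
/// the rest of the chain runs.
///
/// Throws [ArgumentError] when [secret] is empty, so that a missing
/// configuration value fails at mount time instead of verifying tokens
/// against an empty key.
///
/// Security notes:
///  * [secret] is the HMAC key: whoever knows it can mint valid tokens. Use a
///    long random value and keep it out of source control and logs.
///  * Cookie mode relies on the browser attaching the cookie automatically;
///    this middleware adds no CSRF protection, so state-changing routes need
///    one (for example a SameSite cookie attribute or an anti-CSRF token).
///  * NOTE(review): [alg] and [verifyOptions] are passed straight to
///    `_verifyJwt`. Confirm that it compares the token's header algorithm
///    with [alg] and that expiry is enforced when [verifyOptions] is null.
Middleware jwt({
  required String secret,
  String alg = 'HS256',
  String? cookie,
  String headerName = 'authorization',
  VerifyOptions? verifyOptions,
}) {
  // The message deliberately does not echo the argument value.
  if (secret.isEmpty) {
    throw ArgumentError('jwt: secret must not be empty');
  }

  // Authentication scheme names are case-insensitive in HTTP, so the prefix
  // is compared in lower case.
  const scheme = 'bearer ';

  return (Context c, Next next) async {
    String? token;
    if (cookie != null) {
      token = _parseCookie(c.req.header('cookie'), cookie);
    } else {
      final raw = c.req.header(headerName);
      if (raw != null &&
          raw.length >= scheme.length &&
          raw.substring(0, scheme.length).toLowerCase() == scheme) {
        token = raw.substring(scheme.length).trim();
      }
    }

    // Fail closed: without a token the downstream handlers never run.
    if (token == null || token.isEmpty) {
      _unauthorizedJwt(c, 'Missing token');
      return;
    }

    final payload = _verifyJwt(
      token,
      secret,
      alg: alg,
      options: verifyOptions,
    );
    if (payload == null) {
      _unauthorizedJwt(c, 'Invalid token');
      return;
    }

    // Only a verified payload is exposed to later handlers.
    c.set('jwtPayload', payload);
    c.user = payload;
    await next();
  };
}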