JWT Example Weinor Cockpit API
//
// JWT (JSON Web Token) authentication ensures that users can only see content that they have access to
// in the weinor Content API. It works as follows:
// 1. A server authenticates the user (weinor Cockpit server)
// 2. On this server, a JWT is generated and signed with a secret (see example code below). The payload includes:
// - "sub": weinor Fachpartner Benutzername
// - "exp": expiry date/time (Unix epoch, in seconds)
// 3. This JWT is sent on every request to the Content API
// - The Content API Server validates the JWT, which ensures that this exact JWT payload (username and
// expiry time) was signed with the secret
// - The user access rights and groups are inferred from the username ("sub" in payload) and the appropriate
// content is returned.
//
const jwt = require("jsonwebtoken"); // https://www.npmjs.com/package/jsonwebtoken
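// Secret the JWT is signed with (the HMAC key).
// It must never be accessible to the user/client: anyone holding it can mint a
// token for any "sub". Prefer supplying it through the JWT_SECRET environment
// variable; the literal below is only the example value of this snippet
// (it is not the production secret).
const secret =
  process.env.JWT_SECRET ??
  'WVHgJyr+C6FKCaL1FCUCXP4GPFNMFd6jxjgw4r4gLgHcSLxK04WXcqM2og69mmR6';

// Token lifetime. Keep it short: a token stays valid until "exp" is reached.
const expiryTimeSeconds = 3600; // 1 hour (can be changed to suit application)

// Claims that get signed into the token. The library also adds an "iat"
// (issued-at) claim on its own, as the example token below shows.
const payload = {
  sub: "100074", // weinor Fachpartner Benutzername, used to infer document access groups
  exp: Math.floor(Date.now() / 1000) + expiryTimeSeconds,
};

// Pin the algorithm explicitly; the verifying side should accept this one only.
const token = jwt.sign(payload, secret, {
  algorithm: 'HS256', // HMAC using SHA-256 hash algorithm (default)
});

console.log(token);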
// Example token:
// eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMDAwNzQiLCJpYXQiOjE2NDk2ODg2OTYsImV4cCI6MTY0OTY5MjI5Nn0.V-khWv6w8WaPOr9Xp2yYYoTKduoKToMlGrX2ioQsHnE