Passken-express.js is an open source password and JWT management library for Express.js.
It includes @dwtechs/passken and adds Express middleware to be used in a Node.js service.
- Very lightweight
- Thoroughly tested
- Imported as an ECMAScript module
- Works in JavaScript and TypeScript
- Written in TypeScript
- node: 22
This is the oldest targeted version.
The library uses node:crypto.
```sh
$ npm i @dwtechs/passken-express
```
```js
import * as pk from "@dwtechs/passken-express";
import express from "express";
const router = express.Router();
import user from "../controllers/user.js";
import mail from "../controllers/mail.js";
import consumer from "../controllers/consumer.js";

const passwordOptions = {
  len: 14,
  num: true,
  ucase: false,
  lcase: false,
  sym: false,
  strict: true,
  similarChars: true,
};
pk.init(passwordOptions);

// middleware sub-stacks
// add users
const addMany = [
  pk.create, // generates a password for every req.body.rows[i] and hashes it
  // ... user / mail controller steps (elided in the original)
];
// Login user
const login = [
  // ... user controller step that loads the stored hash into res.rows (elided in the original)
  pk.compare, // checks req.body.password against the stored hash
];
const addConsumer = [
  // ... consumer controller steps (elided in the original)
];
const refresh = [
  // ... token decoding step (elided in the original)
  pk.refresh, // issues new access and refresh tokens into res.rows
];

// Routes
// log a user with his email & password
router.post("/", login);
// Add new users
router.post("/", addMany);
```
You do not need to initialise the library using pwd.init() if the default config is fine for you.
Passken will start with the following default password configuration:

```js
Options = {
  len: 12,
  num: true,
  ucase: true,
  lcase: true,
  sym: false,
  strict: true,
  similarChars: false,
};
```
You do not need to initialise the library using pwd.init() if you are using the following environment variables:
These environment variables will update the default values of the lib at start-up, so you do not need to init the library in the code.
Note that PWD_SECRET and TOKEN_SECRET are mandatory.
```ts
type Options = {
  len: number,
  num: boolean,
  ucase: boolean,
  lcase: boolean,
  sym: boolean,
  strict: boolean,
  similarChars: boolean,
};

// Initialise password options
function init(options: Options): void {}

// Compare a password with a hash
function compare(req: Request, res: MyResponse, next: NextFunction): void {}

// Create a password
function create(req: Request, res: Response, next: NextFunction): void {}

// Refresh the JWT tokens for a user
function refresh(req: Request, res: MyResponse, next: NextFunction): void {}

// Decode and verify a JWT access token from the request body
function decodeAccess(req: Request, _res: Response, next: NextFunction): void {}

// Decode and verify a refresh token from the request body
function decodeRefresh(req: Request, _res: Response, next: NextFunction): void {}
```
compare() will look for a password value in the client request body:

```js
const pwd = req.body?.password || req.body?.pwd;
```

It will then look for the hashed password stored in the database:

```js
const hash = res.rows[0].password || res.rows[0].pwd || res.password || res.pwd;
```

It will throw an error if the password or the hash is missing, and an error if the password does not match the hash.

create() will loop through an array in req.body.rows. It will throw an error if req.body.rows is missing or empty.
New passwords will be added into req.body.rows[i].pwd. Encrypted passwords will be added into req.body.rows[i].encryptedPwd.
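The compare() contract above, wired into a login sub-stack shaped like the `login` array in the usage example, as an added TypeScript example that is not the library's code: getByEmail (the controller role), the scrypt hash format, the run() dispatcher and the user table are hypothetical stand-ins for the controller, the library's hashing, Express and the database.

```typescript
import { scryptSync, timingSafeEqual } from "node:crypto";

// Minimal Express-like types; `rows` is what the page's MyResponse carries from the DB layer.
type Req = { body?: Record<string, any> };
type Res = { rows?: Array<Record<string, any>>; password?: string; pwd?: string };
type Middleware = (req: Req, res: Res, next: (err?: Error) => void) => void;
// Demo hash format "<salt hex>$<scrypt digest hex>": an assumption, not the library's format.
const hashPassword = (password: string, saltHex: string): string =>
  `${saltHex}$${scryptSync(password, saltHex, 32).toString("hex")}`;

// Constructed in-memory user table standing in for a database.
const users: Record<string, { password: string }> = {
  "alice@example.com": { password: hashPassword("correct horse", "a1b2c3d4e5f60718") },
};

// Hypothetical controller step (the role of ../controllers/user.js): loads the row into res.rows.
const getByEmail: Middleware = (req, res, next) => {
  const row = users[req.body?.email];
  res.rows = row ? [row] : [];
  next();
};

// Hypothetical stand-in for pk.compare, following the lookup order documented above.
const compare: Middleware = (req, res, next) => {
  const pwd = req.body?.password || req.body?.pwd;
  const hash = res.rows?.[0]?.password || res.rows?.[0]?.pwd || res.password || res.pwd;
  if (!pwd || !hash) return next(new Error("missing password or hash"));
  const [saltHex, expectedHex] = String(hash).split("$");
  if (!saltHex || !expectedHex) return next(new Error("malformed hash"));
  const actual = scryptSync(String(pwd), saltHex, 32);
  const expected = Buffer.from(expectedHex, "hex");
  // Constant-time comparison: a mismatch must not reveal how many bytes matched.
  if (actual.length !== expected.length || !timingSafeEqual(actual, expected)) {
    return next(new Error("password mismatch"));
  }
  next();
};
// Synchronous dispatcher standing in for Express: runs a sub-stack in order, stops at the first error.
function run(stack: Middleware[], req: Req): { ok: boolean; error?: string; res: Res } {
  const res: Res = {};
  for (const mw of stack) {
    const slot: { err?: Error } = {};
    mw(req, res, (e) => { slot.err = e; });
    if (slot.err) return { ok: false, error: slot.err.message, res };
  }
  return { ok: true, res };
}
// Login sub-stack, the same shape as the `login` array in the usage example above.
const login: Middleware[] = [getByEmail, compare];
```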
refresh() will look for an ISS in the client request body:

```js
const iss = req.body.decodedAccessToken?.iss || req.body?.id?.toString();
```

It will then send both new refresh and access tokens in the res object:

```js
res.rows = [{ accessToken, refreshToken }];
```

decodeAccess() will look for a token in the client request body:

```js
const token = req.body.accessToken;
const ignoreExpiration = req.body.ignoreExpiration || false;
```

It will then store the decoded token in the request body:

```js
req.body.decodedAccessToken = decodedToken;
```

decodeRefresh() will look for a token in the client request body:

```js
const token = req.body.refreshToken;
```

It will then store the decoded token in the request body:

```js
req.body.decodedRefreshToken = decodedToken;
```
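The decodeAccess() and refresh() contracts above, as an added TypeScript example rather than the library's own code: it assumes HS256 tokens signed with the TOKEN_SECRET value (a constructed placeholder here), and sign(), verify() and the token lifetimes are hypothetical.

```typescript
import { createHmac, timingSafeEqual } from "node:crypto";

type Req = { body: Record<string, any> };
type Res = { rows?: Array<Record<string, any>> };
type Next = (err?: Error) => void;

// Placeholder secret; in the library it comes from the mandatory TOKEN_SECRET environment variable.
const TOKEN_SECRET = "constructed-demo-secret";
const b64url = (s: string): string => Buffer.from(s).toString("base64url");

// Mint an HS256 token (algorithm assumed for this demo) carrying iss and exp.
function sign(payload: Record<string, unknown>, secret = TOKEN_SECRET): string {
  const head = b64url(JSON.stringify({ alg: "HS256", typ: "JWT" }));
  const body = b64url(JSON.stringify(payload));
  const sig = createHmac("sha256", secret).update(`${head}.${body}`).digest("base64url");
  return `${head}.${body}.${sig}`;
}

// Verify the signature before trusting any claim; alg is pinned so "none" or a swapped
// algorithm in the header is rejected. exp is enforced unless ignoreExpiration is set.
function verify(token: string, ignoreExpiration = false, now = Date.now() / 1000, secret = TOKEN_SECRET): Record<string, any> {
  const [head, body, sig] = String(token).split(".");
  if (!head || !body || !sig) throw new Error("malformed token");
  if (JSON.parse(Buffer.from(head, "base64url").toString()).alg !== "HS256") throw new Error("unexpected alg");
  const expected = createHmac("sha256", secret).update(`${head}.${body}`).digest();
  const given = Buffer.from(sig, "base64url");
  if (given.length !== expected.length || !timingSafeEqual(given, expected)) throw new Error("bad signature");
  const payload = JSON.parse(Buffer.from(body, "base64url").toString());
  if (!ignoreExpiration && typeof payload.exp === "number" && payload.exp <= now) throw new Error("token expired");
  return payload;
}

// Hypothetical stand-in for pk.decodeAccess, following the request contract documented above.
function decodeAccess(req: Req, _res: Res, next: Next): void {
  try {
    req.body.decodedAccessToken = verify(req.body.accessToken, req.body.ignoreExpiration || false);
    next();
  } catch (e) { next(e as Error); }
}

// Hypothetical stand-in for pk.refresh: resolves iss as documented, then issues a new pair.
function refresh(req: Req, res: Res, next: Next): void {
  const iss = req.body.decodedAccessToken?.iss || req.body?.id?.toString();
  if (!iss) return next(new Error("missing iss"));
  const now = Math.floor(Date.now() / 1000); // lifetimes below (15 min / 24 h) are demo values
  res.rows = [{ accessToken: sign({ iss, exp: now + 900 }), refreshToken: sign({ iss, exp: now + 86400 }) }];
  next();
}
```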
Any of these can be passed into the options object for each function.

| Name | Type | Description | Default |
|---|---|---|---|
| len | Integer | Minimal length of password. | 12 |
| num* | Boolean | Use numbers in password. | true |
| sym* | Boolean | Use symbols in password. | true |
| lcase* | Boolean | Use lowercase letters in password. | true |
| ucase* | Boolean | Use uppercase letters in password. | true |
| strict | Boolean | Password must include at least one character from each pool. | true |
| similarChars | Boolean | Allow close-looking chars. | false |

\*At least one of those options must be true.

Symbols used: `!@#%*_-+=:;?><,./()`
Similar characters: `l, I, 1, o, O, 0`
Passken-express.js uses the @dwtechs/Winstan library for logging. All logs are emitted at debug level, meaning they should not appear in production mode.
Passken-express.js is still in development and we would be glad to get all the help you can provide. To contribute, please read the detailed installation guide.
| Purpose | Choice | Motivation |
|---|---|---|
| repository | GitHub | hosting for software development version control using Git |
| package manager | npm | default Node.js package manager |
| language | TypeScript | static type checking along with the latest ECMAScript features |
| module bundler | Rollup | advanced module bundler for ES6 modules |
| unit testing | Jest | delightful testing with a focus on simplicity |