authjoy / CredentialBoundJWTStrategy
Class: CredentialBoundJWTStrategy<TUser, TPayload>
Defined in: src/auth/strategies/jwt/extensions/credential-bound-jwt-strategy.ts:19
Credential-bound JWT strategy that delegates authentication to a user adapter.
Why: This keeps the JWT layer minimal and generic. The strategy only signs whatever the adapter returns, plus optional runtime claims.
Extends
StatelessJWTStrategy<TPayload>
Type Parameters
TUser
TUser extends object
TPayload
TPayload extends JwtPayload = JwtPayload
Implements
Constructors
Constructor
new CredentialBoundJWTStrategy<TUser, TPayload>(config, userAdapter): CredentialBoundJWTStrategy<TUser, TPayload>
Defined in: src/auth/strategies/jwt/extensions/credential-bound-jwt-strategy.ts:30
Parameters
config
unknown
userAdapter
UserAdapter<TUser>
Returns
CredentialBoundJWTStrategy<TUser, TPayload>
Overrides
StatelessJWTStrategy.constructor
Properties
config
protected config: object
Defined in: src/auth/strategies/jwt/base/stateless-jwt-strategy.ts:54
The validated JWT configuration accessible to subclasses.
algorithm
algorithm: "RS256" | "ES256"
audience?
optional audience: string
expiresIn
expiresIn: string | number
issuer?
optional issuer: string
secret
secret: string
Remarks
Using protected instead of private allows derived strategies (such as refreshable or hybrid JWT strategies) to reuse the core JwtConfig values (algorithm, secret, expiresIn) without exposing them publicly.
Why:
- Enables subclass extensions (e.g., refresh token support) to maintain consistency with the base configuration.
- Prevents code duplication and keeps configuration handling centralized.
- Keeps configuration hidden from external consumers while allowing controlled access within the inheritance hierarchy.
Inherited from
StatelessJWTStrategy.config
Methods
authenticate()
authenticate(credentials): Promise<{ token: string; user: TUser; }>
Defined in: src/auth/strategies/jwt/extensions/credential-bound-jwt-strategy.ts:43
Authenticate a user and generate a JWT.
Why: We trust the adapter to decide what belongs in the JWT payload; runtimeClaims are optional per-request flags or temporary information.
Parameters
credentials
identifier
string
password
string
runtimeClaims?
Record<string, unknown>
Returns
Promise<{ token: string; user: TUser; }>
Implementation of
CredentialAuthenticator.authenticate
generateToken()
generateToken(payload): string
Defined in: src/auth/strategies/jwt/base/stateless-jwt-strategy.ts:89
Generates a signed JWT access token.
Parameters
payload
TPayload
The claims object to embed in the token.
Returns
string
The signed JWT as a compact string.
Throws
If the signing operation fails due to key or algorithm issues.
Remarks
This method enforces explicit algorithms and registered claims to maintain consistent identity boundaries across tokens.
Inherited from
StatelessJWTStrategy.generateToken
validateToken()
validateToken(token): Promise<TPayload>
Defined in: src/auth/strategies/jwt/base/stateless-jwt-strategy.ts:122
Validates a provided JWT and returns its decoded payload.
Parameters
token
string
The JWT string to validate.
Returns
Promise<TPayload>
The decoded payload if the token is valid.
Throws
If the token is expired.
Throws
If the token is malformed or fails signature verification.
Throws
For unexpected verification errors.
Remarks
Verification enforces algorithm, issuer, and audience consistency to mitigate downgrade or replay attacks. Tokens represented as strings are supported for legacy compatibility.
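The following is an added, self-contained model of the pattern this page documents (credential-bound strategy delegating to a user adapter, then a base strategy signing and verifying with a pinned algorithm, issuer and audience). It is not authjoy's code: class and method names mirror the docs, but the ES256 signing and verification are written directly on Node's crypto module, the methods are synchronous (the documented ones return Promises), the config is typed as ES256-only with `secret` assumed to hold a PEM-encoded EC private key and `expiresIn` in seconds, and the UserAdapter contract (`findByIdentifier` / `verifyPassword` / `toClaims`) and the demo user are constructed assumptions. The verification order (algorithm, then signature, then iss/aud/exp) and the rule that runtime claims are merged before registered claims are the security points worth seeing in code.

```typescript
// Added example modelling the pattern this page documents; it is not authjoy's
// own code. Names mirror the docs, but ES256 signing/verification is built on
// Node's crypto module, methods are synchronous (the real ones return Promises),
// and the UserAdapter contract below is an assumption.
import * as crypto from "node:crypto";

type JwtPayload = Record<string, unknown> & { exp?: number };
// Documented config fields; "secret" is assumed to be a PEM EC private key for
// ES256, with the public half derived from it for verification.
interface JwtConfig { algorithm: "ES256"; secret: string; issuer: string; audience: string; expiresIn: number }

export class TokenExpiredError extends Error {}
export class InvalidTokenError extends Error {}

const b64u = (b: Buffer | string): string => Buffer.from(b).toString("base64url");
const decode = (seg: string): any => {
  try { return JSON.parse(Buffer.from(seg, "base64url").toString("utf8")); }
  catch { throw new InvalidTokenError("malformed token"); }
};

export class StatelessJWTStrategy<TPayload extends JwtPayload = JwtPayload> {
  private readonly privateKey: crypto.KeyObject;
  private readonly publicKey: crypto.KeyObject;
  constructor(protected readonly config: JwtConfig) {
    this.privateKey = crypto.createPrivateKey(config.secret);
    this.publicKey = crypto.createPublicKey(this.privateKey);
  }

  // The "alg" header always comes from config, never from caller input.
  generateToken(payload: TPayload): string {
    const input = `${b64u(JSON.stringify({ alg: this.config.algorithm, typ: "JWT" }))}.${b64u(JSON.stringify(payload))}`;
    const sig = crypto.sign("sha256", Buffer.from(input),
      { key: this.privateKey, dsaEncoding: "ieee-p1363" }); // raw r||s, as JOSE requires
    return `${input}.${b64u(sig)}`;
  }

  // Checks run in the order a verifier should apply them: pinned algorithm,
  // then signature, then issuer / audience / expiry.
  validateToken(token: string, now: number = Math.floor(Date.now() / 1000)): TPayload {
    const parts = token.split(".");
    if (parts.length !== 3) throw new InvalidTokenError("malformed token");
    const [h, p, s] = parts;
    const header = decode(h), payload = decode(p) as TPayload;
    if (!header || typeof header !== "object" || !payload || typeof payload !== "object") throw new InvalidTokenError("malformed token");
    // Anything but the configured algorithm ("none", HS*/RS* confusion) is
    // rejected before the signature bytes are even looked at.
    if (header.alg !== this.config.algorithm) throw new InvalidTokenError("algorithm mismatch");
    let ok = false;
    try {
      ok = crypto.verify("sha256", Buffer.from(`${h}.${p}`),
        { key: this.publicKey, dsaEncoding: "ieee-p1363" }, Buffer.from(s, "base64url"));
    } catch { ok = false; } // wrong-length or garbage signature bytes
    if (!ok) throw new InvalidTokenError("bad signature");
    if (payload.iss !== this.config.issuer) throw new InvalidTokenError("issuer mismatch");
    if (payload.aud !== this.config.audience) throw new InvalidTokenError("audience mismatch");
    if (typeof payload.exp !== "number" || payload.exp <= now) throw new TokenExpiredError("token expired");
    return payload;
  }
}

// Assumed adapter contract: the strategy never sees how passwords are stored,
// and the adapter alone decides which claims describe the user.
export interface UserAdapter<TUser> {
  findByIdentifier(identifier: string): TUser | undefined;
  verifyPassword(user: TUser, password: string): boolean;
  toClaims(user: TUser): Record<string, unknown>;
}
type Credentials = { identifier: string; password: string; runtimeClaims?: Record<string, unknown> };

export class CredentialBoundJWTStrategy<TUser extends object, TPayload extends JwtPayload = JwtPayload>
  extends StatelessJWTStrategy<TPayload> {
  constructor(config: JwtConfig, private readonly userAdapter: UserAdapter<TUser>) { super(config); }

  authenticate({ identifier, password, runtimeClaims = {} }: Credentials,
               now: number = Math.floor(Date.now() / 1000)): { token: string; user: TUser } {
    const user = this.userAdapter.findByIdentifier(identifier);
    // One error for unknown user and wrong password alike, so the response
    // does not reveal which identifiers exist.
    if (!user || !this.userAdapter.verifyPassword(user, password)) throw new Error("invalid credentials");
    // Registered claims are applied last so a runtime claim can never override
    // sub / iss / aud / exp; otherwise per-request input could forge identity.
    const payload = { ...runtimeClaims, ...this.userAdapter.toClaims(user), iss: this.config.issuer,
      aud: this.config.audience, iat: now, exp: now + this.config.expiresIn };
    return { token: this.generateToken(payload as unknown as TPayload), user };
  }
}

// Constructed demo fixtures: one in-memory user whose scrypt-hashed password is
// compared in constant time, plus a freshly generated ES256 key pair.
type DemoUser = { id: string; username: string; role: string; salt: Buffer; hash: Buffer };
export function makeDemoStrategy(): CredentialBoundJWTStrategy<DemoUser> {
  const salt = crypto.randomBytes(16);
  const alice: DemoUser = { id: "u-1", username: "alice", role: "admin", salt,
    hash: crypto.scryptSync("correct horse battery staple", salt, 32) };
  const adapter: UserAdapter<DemoUser> = {
    findByIdentifier: (id) => (id === alice.username ? alice : undefined),
    verifyPassword: (u, pw) => crypto.timingSafeEqual(crypto.scryptSync(pw, u.salt, 32), u.hash),
    toClaims: (u) => ({ sub: u.id, role: u.role }),
  };
  const { privateKey } = crypto.generateKeyPairSync("ec", { namedCurve: "prime256v1" });
  return new CredentialBoundJWTStrategy<DemoUser>({
    algorithm: "ES256", secret: privateKey.export({ type: "pkcs8", format: "pem" }).toString(),
    issuer: "https://issuer.example", audience: "api.example", expiresIn: 900,
  }, adapter);
}
```

With `makeDemoStrategy()`, `authenticate({ identifier: "alice", password: ..., runtimeClaims: { sub: "u-999", mfa: true } })` yields a token whose `sub` is still the adapter's `u-1` while `mfa` is carried through; `validateToken` then rejects an `alg: none` rewrite of that token, a tampered payload, a token for another audience, and the original token once the clock passes `exp`, each with the error class the page's Throws sections describe.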