.travis.yml

@@ -1,5 +1,6 @@
 language: "node_js"
 before_install: npm i -g npm@2
 node_js:
-  - "0.8"
-  - "0.10"
+  - 8
+  - 10
+  - 12

README.md

@@ -2,41 +2,43 @@
 
 [![Build](https://travis-ci.org/auth0/express-jwt.png)](http://travis-ci.org/auth0/express-jwt)
 
-Middleware that validates JsonWebTokens and sets `req.user`.
-
-This module lets you authenticate HTTP requests using JWT tokens in your Node.js
-applications.  JWTs are typically used to protect API endpoints, and are
-often issued using OpenID Connect.
+This module provides Express middleware for validating JWTs ([JSON Web Tokens](https://jwt.io)) through the [jsonwebtoken](https://github.com/auth0/node-jsonwebtoken/) module. The decoded JWT payload is available on the request object.
 
 ## Install
 
-    $ npm install express-jwt
+```
+$ npm install express-jwt
+```
 
 ## Usage
 
-The JWT authentication middleware authenticates callers using a JWT.
-If the token is valid, `req.user` will be set with the JSON object decoded
-to be used by later middleware for authorization and access control.
-
-For example,
+Basic usage using an HS256 secret:
 
 ```javascript
 var jwt = require('express-jwt');
 
 app.get('/protected',
-  jwt({secret: 'shhhhhhared-secret'}),
+  jwt({ secret: 'shhhhhhared-secret' }),
   function(req, res) {
     if (!req.user.admin) return res.sendStatus(401);
     res.sendStatus(200);
   });
 ```
 
+The decoded JWT payload is available on the request via the `user` property. This can be configured using the `requestProperty` option ([see below](#retrieving-the-decoded-payload)).
+
+> The default behavior of the module is to extract the JWT from the `Authorization` header as an [OAuth2 Bearer token](https://oauth.net/2/bearer-tokens/).
+
+### Additional Options
+
 You can specify audience and/or issuer as well:
 
 ```javascript
-jwt({ secret: 'shhhhhhared-secret',
+jwt({
+  secret: 'shhhhhhared-secret',
   audience: 'http://myapi/protected',
-  issuer: 'http://issuer' })
+  issuer: 'http://issuer'
+})
 ```
 
 > If the JWT has an expiration (`exp`), it will be checked.
@@ -64,6 +66,8 @@ var publicKey = fs.readFileSync('/path/to/public.pub');
 jwt({ secret: publicKey });
 ```
 
+### Retrieving the Decoded Payload
+
 By default, the decoded token is attached to `req.user` but can be configured with the `requestProperty` option.
 
 
@@ -79,6 +83,8 @@ jwt({ secret: publicKey, resultProperty: 'locals.user' });
 
 Both `resultProperty` and `requestProperty` utilize [lodash.set](https://lodash.com/docs/4.17.2#set) and will accept nested property paths.
 
+### Customizing Token Location
+
 A custom function for extracting the token from a request can be specified with
 the `getToken` option. This is useful if you need to pass the token through a
 query parameter or a cookie. You can throw an error in this function and it will
@@ -100,6 +106,7 @@ app.use(jwt({
 ```
 
 ### Multi-tenancy
+
 If you are developing an application in which the secret used to sign tokens is not static, you can provide a callback function as the `secret` parameter. The function has the signature: `function(req, payload, done)`:
 * `req` (`Object`) - The express `request` object.
 * `payload` (`Object`) - An object with the JWT claims.
@@ -108,6 +115,7 @@ If you are developing an application in which the secret used to sign tokens is
   * `secret` (`String`) - The secret to use to verify the JWT.
 
 For example, if the secret varies based on the [JWT issuer](http://self-issued.info/docs/draft-ietf-oauth-json-web-token.html#issDef):
+
 ```javascript
 var jwt = require('express-jwt');
 var data = require('./data');
@@ -126,7 +134,7 @@ var secretCallback = function(req, payload, done){
 };
 
 app.get('/protected',
-  jwt({secret: secretCallback}),
+  jwt({ secret: secretCallback }),
   function(req, res) {
     if (!req.user.admin) return res.sendStatus(401);
     res.sendStatus(200);
@@ -158,19 +166,21 @@ var isRevokedCallback = function(req, payload, done){
 };
 
 app.get('/protected',
-  jwt({secret: 'shhhhhhared-secret',
-    isRevoked: isRevokedCallback}),
+  jwt({
+    secret: 'shhhhhhared-secret',
+    isRevoked: isRevokedCallback
+  }),
   function(req, res) {
     if (!req.user.admin) return res.sendStatus(401);
     res.sendStatus(200);
-  });
+  }
+);
 ```
 
 ### Error handling
 
 The default behavior is to throw an error when the token is invalid, so you can add your custom logic to manage unauthorized access as follows:
 
-
 ```javascript
 app.use(function (err, req, res, next) {
   if (err.name === 'UnauthorizedError') {
@@ -179,8 +189,7 @@ app.use(function (err, req, res, next) {
 });
 ```
 
-You might want to use this module to identify registered users while still providing access to unregistered users. You
-can do this by using the option _credentialsRequired_:
+You might want to use this module to identify registered users while still providing access to unregistered users. You can do this by using the option `credentialsRequired`:
 
 ```javascript
 app.use(jwt({
@@ -196,8 +205,10 @@ app.use(jwt({
 
 ## Tests
 
-    $ npm install
-    $ npm test
+```
+$ npm install
+$ npm test
+```
 
 ## Contributors
 Check them out [here](https://github.com/auth0/express-jwt/graphs/contributors)

lib/index.js

@@ -19,6 +19,9 @@ function wrapStaticSecretInCallback(secret){
 module.exports = function(options) {
   if (!options || !options.secret) throw new Error('secret should be set');
 
+  if (!options.algorithms) throw new Error('algorithms should be set');
+  if (!Array.isArray(options.algorithms)) throw new Error('algorithms must be an array');
+
   var secretCallback = options.secret;
 
   if (!isFunction(secretCallback)){