{"id":17127,"library":"express-bearer-token","title":"Express Bearer Token Middleware","description":"express-bearer-token is an Express middleware for extracting RFC6750-compliant OAuth 2.0 bearer tokens from incoming HTTP requests. It attempts to locate a token in the 'Authorization: Bearer ' header, the 'access_token' field in the request body, or 'access_token' in query parameters. Optionally, it can also extract tokens from cookies. If found, the token is made available on `req.token`. Crucially, if multiple token sources are present, the middleware strictly adheres to RFC6750 by immediately aborting the request with an HTTP 400 status code. The package is currently at version 3.0.0 and ships with TypeScript types. Its release cadence appears to be slow, with the last major release two years ago, suggesting a mature, maintenance-focused project rather than active feature development.","status":"maintenance","version":"3.0.0","language":"javascript","source_language":"en","source_url":"git://github.com/tkellen/node-express-bearer-token","tags":["javascript","bearer token","bearer token middleware","express token","authorization bearer","typescript"],"install":[{"cmd":"npm install express-bearer-token","lang":"bash","label":"npm"},{"cmd":"yarn add express-bearer-token","lang":"bash","label":"yarn"},{"cmd":"pnpm add express-bearer-token","lang":"bash","label":"pnpm"}],"dependencies":[{"reason":"Runtime dependency as a middleware for Express applications.","package":"express","optional":false}],"imports":[{"note":"The primary export is a default function for ESM. For CommonJS, use `const bearerToken = require('express-bearer-token');`","wrong":"import { bearerToken } from 'express-bearer-token'","symbol":"bearerToken","correct":"import bearerToken from 'express-bearer-token'"},{"note":"Type import for configuring middleware options. Use the `type` keyword for clarity and bundle optimization in TypeScript.","wrong":"import { BearerTokenOptions } from 'express-bearer-token'","symbol":"BearerTokenOptions","correct":"import { type BearerTokenOptions } from 'express-bearer-token'"},{"note":"The package augments the Express `Request` interface, adding `req.token`. Simply installing the package and importing the middleware (even implicitly) typically makes this type available in TypeScript projects; sometimes an explicit import is needed in a global declaration file.","symbol":"Request (augmented)","correct":"import 'express-bearer-token'"}],"quickstart":{"code":"import express from 'express';\nimport bearerToken from 'express-bearer-token';\n\nconst app = express();\n\napp.use(bearerToken());\n\napp.get('/', (req, res) => {\n if (req.token) {\n res.send('Token found: ' + req.token);\n } else {\n res.status(401).send('No token provided');\n }\n});\n\napp.listen(8000, () => {\n console.log('Server listening on port 8000.\\nTest with: `curl -H \"Authorization: Bearer mytoken\" localhost:8000`');\n console.log('Or: `curl -X POST -d \"access_token=bodytoken\" localhost:8000`');\n});","lang":"typescript","description":"Demonstrates basic usage of the `express-bearer-token` middleware to extract a bearer token from various sources and make it available on `req.token` for subsequent route handlers."},"warnings":[{"fix":"If configuring cookie token extraction, update your `cookie` configuration to use `key` for the cookie's name, e.g., `{ cookie: { key: 'access_token', signed: true, secret: '...' } }`.","message":"The `cookie` option configuration changed in v3.0.0. Specifically, the `key` property within the `cookie` object was removed, and the `name` property was renamed to `key`.","severity":"breaking","affected_versions":">=3.0.0"},{"fix":"Migrate all references from `req.bearerToken` to `req.token` in your application code.","message":"In v2.0.0, the extracted token was stored on `req.bearerToken`. This was changed to `req.token` for brevity and consistency.","severity":"breaking","affected_versions":">=2.0.0 <3.0.0"},{"fix":"Ensure client applications send the bearer token in only one location per request (typically the `Authorization: Bearer` header).","message":"By default, `express-bearer-token` strictly adheres to RFC6750. If a bearer token is provided in more than one location (e.g., in the Authorization header and also in the request body), the request will be aborted with an HTTP 400 error.","severity":"gotcha","affected_versions":">=1.0.0"},{"fix":"Always use signed cookies by setting `cookie.signed: true` and providing a strong `secret` to prevent token tampering. Example: `bearerToken({ cookie: { signed: true, secret: 'YOUR_APP_SECRET', key: 'access_token' } })`.","message":"Using unsigned cookies with the `cookie` option (i.e., `cookie.signed: false`) can make your application vulnerable to cookie spoofing, allowing attackers to modify tokens without detection.","severity":"gotcha","affected_versions":">=1.0.0"}],"env_vars":null,"last_verified":"2026-04-22T00:00:00.000Z","next_check":"2026-07-21T00:00:00.000Z","problems":[{"fix":"Provide a secret string in the `cookie` configuration object: `bearerToken({ cookie: { signed: true, secret: 'your-super-secret-key' } })`.","cause":"The `cookie.signed` option was set to `true`, but the required `secret` option, used for signing and verifying cookies, was omitted from the configuration.","error":"Error: secret must be provided when signed is true"},{"fix":"Ensure `express-bearer-token` is installed and that your `tsconfig.json` properly includes `node_modules/@types` or `express-bearer-token` types in its `typeRoots` or `types` configuration. Sometimes, adding `import 'express-bearer-token';` in a global type definition file (e.g., `src/types.d.ts`) can help resolve type merging issues.","cause":"This TypeScript compiler error indicates that `req.token` is not recognized on the Express `Request` interface, often because the package's type augmentations are not being picked up correctly.","error":"Property 'token' does not exist on type 'Request'."}],"ecosystem":"npm","meta_description":null}