Token Extraction
The library needs to find the JWT token in the request. By default, it looks in the Authorization header:
```text
Authorization: Bearer <token>
```
That's fine for most APIs. But sometimes you need tokens from cookies, custom headers, or query parameters.
From cookies
```typescript
import { Module } from '@nestjs/common';
import { CognitoAuthModule } from '@nestjs-cognito/auth';
import { CookieJwtExtractor } from '@nestjs-cognito/core';

@Module({
  imports: [
    CognitoAuthModule.register({
      jwtExtractor: new CookieJwtExtractor('access_token'), // cookie name to read the JWT from
      jwtVerifier: {
        userPoolId: 'us-east-1_xxxxx',
        clientId: 'your-client-id',
        tokenUse: 'access',
      },
    }),
  ],
})
export class AppModule {}
```
Your frontend sets the cookie:
```javascript
document.cookie = `access_token=${token}; path=/; secure; samesite=strict`;

fetch('/api/protected', {
  credentials: 'include', // include cookies in the request
});
```
From custom headers
```typescript
import { CognitoJwtExtractor } from '@nestjs-cognito/core';

export class CustomHeaderExtractor implements CognitoJwtExtractor {
  // Node lower-cases incoming header names, so 'x-api-key' matches 'X-API-Key'.
  hasAuthenticationInfo(request: any): boolean {
    return Boolean(request.headers['x-api-key']);
  }

  getAuthorizationToken(request: any): string | null {
    return request.headers['x-api-key'] || null;
  }
}
```
Register it:
```typescript
import { Module } from '@nestjs/common';
import { CognitoAuthModule } from '@nestjs-cognito/auth';
import { CustomHeaderExtractor } from './custom-header.extractor'; // path to the class above; adjust to your project

@Module({
  imports: [
    CognitoAuthModule.register({
      jwtExtractor: new CustomHeaderExtractor(),
      jwtVerifier: {
        userPoolId: 'us-east-1_xxxxx',
        clientId: 'your-client-id',
        tokenUse: 'access',
      },
    }),
  ],
})
export class AppModule {}
```
Client side:
```javascript
fetch('/api/protected', {
  headers: { 'X-API-Key': token },
});
```
From query parameters
Useful for WebSockets where you can't set headers easily:
```typescript
import { CognitoJwtExtractor } from '@nestjs-cognito/core';

export class QueryParamExtractor implements CognitoJwtExtractor {
  hasAuthenticationInfo(request: any): boolean {
    return Boolean(request.query?.token);
  }

  getAuthorizationToken(request: any): string | null {
    return request.query?.token || null;
  }
}
```

```text
GET /api/stream?token=<token>
```
Security warning: Query parameters show up in browser history and server logs. Only use this for WebSockets or similar cases where you can't use headers.
Try multiple sources
```typescript
// BearerJwtExtractor is assumed to ship from the same package as CookieJwtExtractor.
import {
  BearerJwtExtractor,
  CognitoJwtExtractor,
  CookieJwtExtractor,
} from '@nestjs-cognito/core';

export class MultiSourceExtractor implements CognitoJwtExtractor {
  // Order matters: the first extractor that reports authentication info wins.
  private extractors: CognitoJwtExtractor[] = [
    new BearerJwtExtractor(),
    new CookieJwtExtractor('access_token'),
  ];

  hasAuthenticationInfo(request: any): boolean {
    return this.extractors.some((extractor) =>
      extractor.hasAuthenticationInfo(request),
    );
  }

  getAuthorizationToken(request: any): string | null {
    for (const extractor of this.extractors) {
      if (extractor.hasAuthenticationInfo(request)) {
        return extractor.getAuthorizationToken(request);
      }
    }
    return null;
  }
}
```
Checks the Bearer header first, then the cookie; the first extractor that reports authentication info decides the result.
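The following is an added, self-contained example (not code from @nestjs-cognito) that ties the cookie, query-parameter and multi-source sections together. It re-declares the `CognitoJwtExtractor` interface locally so it runs without the package installed, and assumes an Express-style request with lower-cased `headers` and a parsed `query`. Beyond what the page shows, it enforces the page's query-parameter warning in code (the query token is only accepted on a WebSocket upgrade request), rejects non-Bearer `Authorization` schemes instead of treating their credentials as a token, ignores repeated `?token=` values (which query parsers return as an array), and makes the multi-source combinator fall through when an extractor reports info but yields no usable token. The sample requests at the bottom are constructed for the demo.

```typescript
// Local copy of the interface from @nestjs-cognito/core so this file runs stand-alone.
interface CognitoJwtExtractor {
  hasAuthenticationInfo(request: any): boolean;
  getAuthorizationToken(request: any): string | null;
}

// Minimal Express-like request shape (assumption for this example).
interface MinimalRequest {
  headers: Record<string, string | string[] | undefined>;
  query?: Record<string, unknown>;
}

// Node lower-cases incoming header names; collapse multi-value headers to the first value.
function header(req: MinimalRequest, name: string): string | undefined {
  const v = req.headers[name.toLowerCase()];
  return Array.isArray(v) ? v[0] : v;
}

// "Authorization: Bearer <token>" only. "Basic ..." or "Digest ..." yields null.
export class StrictBearerExtractor implements CognitoJwtExtractor {
  private parse(req: MinimalRequest): string | null {
    const auth = header(req, 'authorization');
    if (!auth) return null;
    const m = /^Bearer\s+(\S+)$/i.exec(auth.trim());
    return m ? m[1] : null;
  }
  hasAuthenticationInfo(req: MinimalRequest): boolean { return this.parse(req) !== null; }
  getAuthorizationToken(req: MinimalRequest): string | null { return this.parse(req); }
}

// Reads one named cookie from the raw Cookie header, so no cookie-parser middleware is needed.
export class RawCookieExtractor implements CognitoJwtExtractor {
  constructor(private readonly cookieName: string) {}
  private parse(req: MinimalRequest): string | null {
    const raw = header(req, 'cookie');
    if (!raw) return null;
    for (const part of raw.split(';')) {
      const idx = part.indexOf('=');
      if (idx < 0) continue;
      if (part.slice(0, idx).trim() !== this.cookieName) continue;
      try {
        return decodeURIComponent(part.slice(idx + 1).trim()) || null;
      } catch {
        return null; // malformed percent-encoding: treat as no token
      }
    }
    return null;
  }
  hasAuthenticationInfo(req: MinimalRequest): boolean { return this.parse(req) !== null; }
  getAuthorizationToken(req: MinimalRequest): string | null { return this.parse(req); }
}

// Query-string token, accepted only on WebSocket upgrade requests, where headers are not an option.
// Plain HTTP requests carrying ?token= are ignored so the token does not end up in logs or history
// as a supported path. Repeated ?token= values (parsed as an array) are rejected as ambiguous.
export class UpgradeOnlyQueryExtractor implements CognitoJwtExtractor {
  private parse(req: MinimalRequest): string | null {
    if (header(req, 'upgrade')?.toLowerCase() !== 'websocket') return null;
    const t = req.query?.token;
    return typeof t === 'string' && t.length > 0 ? t : null;
  }
  hasAuthenticationInfo(req: MinimalRequest): boolean { return this.parse(req) !== null; }
  getAuthorizationToken(req: MinimalRequest): string | null { return this.parse(req); }
}

// Tries extractors in order; unlike a first-match-wins loop it keeps going when an
// extractor claims to have info but returns null, so a bad Bearer header does not hide a valid cookie.
export class FallThroughExtractor implements CognitoJwtExtractor {
  constructor(private readonly extractors: CognitoJwtExtractor[]) {}
  hasAuthenticationInfo(req: MinimalRequest): boolean { return this.getAuthorizationToken(req) !== null; }
  getAuthorizationToken(req: MinimalRequest): string | null {
    for (const e of this.extractors) {
      if (!e.hasAuthenticationInfo(req)) continue;
      const token = e.getAuthorizationToken(req);
      if (token) return token;
    }
    return null;
  }
}

export const defaultExtractor = new FallThroughExtractor([
  new StrictBearerExtractor(),
  new RawCookieExtractor('access_token'),
  new UpgradeOnlyQueryExtractor(),
]);

export function extractToken(req: MinimalRequest): string | null {
  return defaultExtractor.getAuthorizationToken(req);
}

// Constructed sample requests (token values are placeholders, not real JWTs).
export const sampleRequests: Record<string, MinimalRequest> = {
  bearer: { headers: { authorization: 'Bearer eyJ.sample.token' } },
  basicWithCookie: { headers: { authorization: 'Basic dXNlcjpwYXNz', cookie: 'access_token=cookie.token.value' } },
  cookieOnly: { headers: { cookie: 'theme=dark; access_token=cookie.token.value; other=1' } },
  websocket: { headers: { upgrade: 'websocket', connection: 'Upgrade' }, query: { token: 'ws.query.token' } },
  plainHttpQuery: { headers: {}, query: { token: 'leaked.query.token' } },
  repeatedQuery: { headers: { upgrade: 'websocket' }, query: { token: ['a', 'b'] } },
};
```

Wiring it into the module is the same as on this page: pass `new FallThroughExtractor([...])` as `jwtExtractor` in `CognitoAuthModule.register(...)`. The `plainHttpQuery` sample is the case the warning above is about; with this extractor it yields no token, so the request is rejected rather than authenticated through the URL.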