ryanfitz · fdidron · Feb 23, 2016 · Feb 23, 2016 · Feb 23, 2016 · Feb 23, 2016
diff --git a/README.md b/README.md
@@ -22,6 +22,7 @@ JSON Web Token authentication requires verifying a signed token. The `'jwt'` sch
     - `issuer`: if you want to check issuer (`iss`), provide a value here
     - `ignoreExpiration`: if `true` do not validate the expiration of the token.
     - `maxAge`: optional sets an expiration based on the `iat` field. Eg `2h`
+    - `queryString`: optional if set to a string (e.g. `access_token`), allows passing the token via a query parameter
 
 See the example folder for an executable example.
 
@@ -97,4 +98,4 @@ server.register(require('hapi-auth-jwt'), function (error) {
 
 server.start();
 
-```
+```
diff --git a/lib/index.js b/lib/index.js
@@ -35,7 +35,12 @@ internals.implementation = function (server, options) {
       var req = request.raw.req;
       var authorization = req.headers.authorization;
       if (!authorization) {
-        return reply(Boom.unauthorized(null, 'Bearer'));
+        if(typeof settings.verifyOptions.queryString === 'string' && request.query[settings.verifyOptions.queryString]) {
+          authorization = 'Bearer ' + request.query[settings.verifyOptions.queryString];
+        }
+        else{
+          return reply(Boom.unauthorized(null, 'Bearer'));
+        }
       }
 
       var parts = authorization.split(/\s+/);

diff --git a/test/index.js b/test/index.js
@@ -18,6 +18,9 @@ var expect = Code.expect;
 describe('Token', function () {
   var privateKey = 'PajeH0mz4of85T9FB1oFzaB39lbNLbDbtCQ';
 
+  var server = new Hapi.Server({ debug: false });
+  server.connection();
+
   var tokenHeader = function (username, options) {
     options = options || {};
 
@@ -58,9 +61,6 @@ describe('Token', function () {
     });
   };
 
-  var server = new Hapi.Server({ debug: false });
-  server.connection();
-
   before(function (done) {
 
     server.register(require('../'), function (err) {
@@ -123,6 +123,33 @@ describe('Token', function () {
     });
   });
 
+  it('returns a reply on successful auth with queryString as option', function (done) {
+
+    var handler = function (request, reply) {
+      reply('ok');
+    };
+
+    var s = new Hapi.Server({ debug: false });
+    s.connection();
+    s.register(require('../'), function (err) {
+      expect(err).to.not.exist;
+
+      s.auth.strategy('default', 'jwt', 'required', { key: privateKey, verifyOptions: { queryString : 'access_token' } });
+
+      s.route([
+        { method: 'GET', path: '/token', handler: handler, config: { auth: 'default' } }
+      ]);
+    });
+
+    var request = { method: 'GET', url: '/token?access_token=' + tokenHeader('john', { queryString : 'access_token' }).split(/\s+/)[1] };
+
+    s.inject(request, function (res) {
+      expect(res.result).to.exist;
+      expect(res.result).to.equal('ok');
+      done();
+    });
+  });
+
   it('returns a 401 unauthorized error when algorithm do not match', function (done) {
 
     var handler = function (request, reply) {