auth0/express-jwt — reverse-engineered prompt

Build me a small TypeScript library for Express that works as middleware to protect routes with JSON Web Tokens. I want to be able to plug it into an Express app, pass a secret or a function that finds the right secret, and have it verify the token before the request reaches the route.

By default it should read a Bearer token from the Authorization header, but let me customize where the token comes from, like a query string or cookie. After a valid token is checked, put the decoded payload on req.auth, with an option to use a different request property name.

Please include options for required algorithms, issuer, audience, optional credentials, revoked token checks, and custom handling for expired tokens. Invalid or missing tokens should produce a clear unauthorized error that Express error handlers can catch. Also support protecting only certain routes and leaving others public.

Add tests and a clear README with install and usage examples for common cases.