By Syed Rizwan

1-configuring-a-secure-api-with-oauth-20-and-jwt-in-expressjs.html

Configuring a Secure API with OAuth 2.0 and JWT in Express.js

In today's digital landscape, building secure APIs is crucial for protecting sensitive data and user privacy. One of the most effective methods for securing APIs is by using OAuth 2.0 in combination with JSON Web Tokens (JWT). This article will guide you step-by-step on how to configure a secure API using these technologies in an Express.js environment.

What is OAuth 2.0?

OAuth 2.0 is an authorization framework that allows third-party applications to obtain limited access to user accounts on an HTTP service. It enables applications to interact with APIs on behalf of users without exposing their credentials.

Key Components of OAuth 2.0:

  • Resource Owner: The user who owns the data.
  • Client: The application requesting access to the user's data.
  • Authorization Server: The server that issues access tokens to the client after successfully authenticating the resource owner.
  • Resource Server: The server hosting the protected resources.

What is JWT?

JSON Web Tokens (JWT) are compact, URL-safe tokens that represent claims to be transferred between two parties. They contain a set of claims encoded in a JSON object, which can be verified and trusted because they are digitally signed.

Benefits of Using JWT:

  • Stateless Authentication: No need to store session data on the server.
  • Cross-Domain Authentication: Can be used across different domains.
  • Compact Size: Suitable for URL and header transmission.

Use Cases for OAuth 2.0 and JWT

  • Single Sign-On (SSO): Allow users to log in once and gain access to multiple applications.
  • Mobile Applications: Securely call APIs without exposing user credentials.
  • Third-Party Integrations: Enable apps to access user data without compromising security.

Setting Up Your Express.js API

Now, let’s configure a secure API using OAuth 2.0 and JWT in an Express.js application.

Step 1: Initialize Your Project

First, create a new directory for your project and initialize a new Node.js application:

mkdir express-oauth-jwt
cd express-oauth-jwt
npm init -y

Step 2: Install Required Packages

Next, install the necessary packages:

npm install express jsonwebtoken dotenv passport passport-oauth2
  • express: The web framework for building the API.
  • jsonwebtoken: To generate and verify JWTs.
  • dotenv: To manage environment variables.
  • passport: Authentication middleware for Node.js.
  • passport-oauth2: OAuth 2.0 strategy for Passport.

Step 3: Create the Basic Structure

Create the following files in your project:

touch server.js .env

In the .env file, add your secret keys and configuration:

JWT_SECRET=yoursecretkey
OAUTH_CLIENT_ID=yourclientid
OAUTH_CLIENT_SECRET=yourclientsecret

Step 4: Implement the Server

Open server.js and set up the basic Express server:

const express = require('express');
const jwt = require('jsonwebtoken');
const passport = require('passport');
const OAuth2Strategy = require('passport-oauth2');
require('dotenv').config();

const app = express();
app.use(express.json());
app.use(passport.initialize());

// Configure OAuth2 Strategy
passport.use(new OAuth2Strategy({
    authorizationURL: 'https://example.com/oauth/authorize',
    tokenURL: 'https://example.com/oauth/token',
    clientID: process.env.OAUTH_CLIENT_ID,
    clientSecret: process.env.OAUTH_CLIENT_SECRET,
    callbackURL: 'http://localhost:3000/auth/callback'
}, (accessToken, refreshToken, profile, done) => {
    // In a real app, you would find or create a user in your database
    return done(null, profile);
}));

// Route to authenticate user and issue JWT
app.post('/auth/login', (req, res) => {
    const { username, password } = req.body;
    // Authenticate user (mock authentication)
    if (username === 'user' && password === 'pass') {
        const token = jwt.sign({ username }, process.env.JWT_SECRET, { expiresIn: '1h' });
        return res.json({ token });
    } else {
        return res.status(401).json({ message: 'Invalid credentials' });
    }
});

// Middleware to protect routes
const authenticateJWT = (req, res, next) => {
    const token = req.header('Authorization')?.split(' ')[1];
    if (token) {
        jwt.verify(token, process.env.JWT_SECRET, (err, user) => {
            if (err) {
                return res.sendStatus(403);
            }
            req.user = user;
            next();
        });
    } else {
        res.sendStatus(401);
    }
};

// Protected route
app.get('/api/protected', authenticateJWT, (req, res) => {
    res.json({ message: `Hello ${req.user.username}, this is a protected route!` });
});

// Start the server
const PORT = process.env.PORT || 3000;
app.listen(PORT, () => {
    console.log(`Server is running on http://localhost:${PORT}`);
});

Step 5: Testing the API

To test your API, you can use tools like Postman or cURL.

  1. Log in to obtain a JWT:
curl -X POST http://localhost:3000/auth/login -H "Content-Type: application/json" -d '{"username": "user", "password": "pass"}'
  1. Access the protected route:
curl -X GET http://localhost:3000/api/protected -H "Authorization: Bearer <your_token_here>"

Troubleshooting Common Issues

  • Invalid Token: Ensure the token is correct and not expired.
  • Unauthorized Errors: Check if the Authorization header is present.
  • Environment Variables: Make sure your .env file is correctly set up.

Conclusion

Configuring a secure API using OAuth 2.0 and JWT in Express.js provides a robust solution for managing user authentication and authorization. By following the steps outlined in this article, you can create a secure API that protects user data while enabling smooth interactions with your application.

Implement these practices to enhance the security of your applications and safeguard sensitive information effectively. Happy coding!

SR
Syed
Rizwan

About the Author

Syed Rizwan is a Machine Learning Engineer with 5 years of experience in AI, IoT, and Industrial Automation.