By Syed Rizwan

10-creating-a-secure-api-with-jwt-authentication-in-expressjs.html

Creating a Secure API with JWT Authentication in Express.js

In the ever-evolving landscape of web development, securing your APIs is paramount. One of the most effective methods for achieving this is through JSON Web Tokens (JWT) authentication. In this article, we will delve into the process of creating a secure API using JWT authentication with Express.js. Whether you're a seasoned developer or just starting, this guide will provide you with practical insights, clear code examples, and step-by-step instructions to get you up and running.

Understanding JWT Authentication

What is JWT?

JSON Web Tokens (JWT) are an open standard (RFC 7519) that defines a compact way for securely transmitting information between parties as a JSON object. This information can be verified and trusted because it is digitally signed. JWTs can be signed using a secret (with HMAC algorithm) or a public/private key pair using RSA or ECDSA.

Why Use JWT?

JWTs are widely used for several reasons:

  • Stateless Authentication: The server does not need to keep a session state, making it easier to scale.
  • Cross-Domain Support: JWTs can be used across different domains, which is useful for microservices.
  • Compact and URL-safe: JWTs can be sent via URL, POST parameters, or in HTTP headers.

Use Cases for JWT

  • Single Sign-On (SSO): Allowing users to log in once and access multiple applications.
  • API Authentication: Securing APIs by ensuring only authenticated users can access them.
  • Mobile Applications: Providing a secure way for mobile apps to authenticate users.

Setting Up Your Environment

Before we start coding, make sure you have Node.js and npm installed. You can check your installations by running:

node -v
npm -v

Project Initialization

  1. Create a new directory for your project:

bash mkdir jwt-auth-example cd jwt-auth-example

  1. Initialize a new Node.js project:

bash npm init -y

  1. Install required packages:

bash npm install express jsonwebtoken bcryptjs body-parser dotenv

  • express: A minimal and flexible Node.js web application framework.
  • jsonwebtoken: A library to create and verify JWTs.
  • bcryptjs: A library to hash passwords.
  • body-parser: Middleware to parse incoming request bodies.
  • dotenv: A module to load environment variables from a .env file.

Creating the Express Server

Create a file named server.js and set up a basic Express server:

const express = require('express');
const bodyParser = require('body-parser');
const jwt = require('jsonwebtoken');
const bcrypt = require('bcryptjs');
require('dotenv').config();

const app = express();
app.use(bodyParser.json());

const PORT = process.env.PORT || 3000;

app.listen(PORT, () => {
    console.log(`Server running on port ${PORT}`);
});

User Registration and Login

Step 1: User Registration

Let's create a route for user registration. This route will hash the user's password and store it along with their username.

const users = []; // In-memory user storage for demonstration

app.post('/register', (req, res) => {
    const { username, password } = req.body;
    const hashedPassword = bcrypt.hashSync(password, 8);

    users.push({ username, password: hashedPassword });
    res.status(201).send({ message: 'User registered successfully!' });
});

Step 2: User Login

Now, let’s create a login route that verifies user credentials and generates a JWT.

app.post('/login', (req, res) => {
    const { username, password } = req.body;
    const user = users.find(u => u.username === username);

    if (!user || !bcrypt.compareSync(password, user.password)) {
        return res.status(401).send({ auth: false, token: null });
    }

    const token = jwt.sign({ id: user.username }, process.env.JWT_SECRET, { expiresIn: 86400 });
    res.status(200).send({ auth: true, token });
});

Protecting Routes with JWT

To protect routes in your API, you can create a middleware function that verifies the JWT.

Step 3: Middleware Function

function verifyToken(req, res, next) {
    const token = req.headers['x-access-token'];
    if (!token) return res.status(403).send({ auth: false, message: 'No token provided.' });

    jwt.verify(token, process.env.JWT_SECRET, (err, decoded) => {
        if (err) return res.status(500).send({ auth: false, message: 'Failed to authenticate token.' });

        req.userId = decoded.id;
        next();
    });
}

Step 4: Protected Route Example

Now, let's create a protected route that can only be accessed with a valid JWT.

app.get('/me', verifyToken, (req, res) => {
    const user = users.find(u => u.username === req.userId);
    if (!user) return res.status(404).send('No user found.');

    res.status(200).send(user);
});

Testing Your API

You can test your API using tools like Postman or cURL.

  1. Register a User:

  2. POST to http://localhost:3000/register with JSON body: json { "username": "testuser", "password": "testpassword" }

  3. Login:

  4. POST to http://localhost:3000/login with JSON body: json { "username": "testuser", "password": "testpassword" }

  5. Access Protected Route:

  6. Use the token received from the login response to access http://localhost:3000/me by sending it in the headers as x-access-token.

Conclusion

Creating a secure API with JWT authentication in Express.js is straightforward and efficient. By following the steps outlined in this article, you can implement robust authentication for your applications, enhancing security and user experience. As you continue developing, consider integrating additional features such as token expiration handling, refresh tokens, and user roles for a more comprehensive authentication system. Happy coding!

SR
Syed
Rizwan

About the Author

Syed Rizwan is a Machine Learning Engineer with 5 years of experience in AI, IoT, and Industrial Automation.