By Syed Rizwan

2-how-to-build-a-secure-api-with-oauth-and-jwt-in-expressjs.html

How to Build a Secure API with OAuth and JWT in Express.js

Creating a secure API is crucial in today’s digital landscape where data breaches and unauthorized access are rampant. One effective way to safeguard your API is by implementing OAuth 2.0 and JSON Web Tokens (JWT). In this article, we will explore how to build a secure API with these technologies in Express.js, a popular web application framework for Node.js.

Understanding OAuth 2.0 and JWT

What is OAuth 2.0?

OAuth 2.0 is an authorization framework that allows third-party applications to obtain limited access to a web service on behalf of a user. It enables secure and delegated access without sharing the user's credentials.

What is JWT?

JSON Web Tokens (JWT) are compact, URL-safe tokens that are used to represent claims about a user. They can be signed and verified, making them a great choice for authentication. JWTs consist of three parts: header, payload, and signature.

Why Use OAuth and JWT?

Using OAuth 2.0 and JWT together provides several advantages:

  • Security: OAuth allows for secure access and JWT ensures that the information is tamper-proof.
  • Scalability: JWTs are stateless; they do not require session storage, making them suitable for distributed systems.
  • Flexibility: You can easily manage user roles and permissions.

Setting Up Your Express.js Project

Step 1: Initialize Your Project

First, create a new directory for your project and navigate into it:

mkdir secure-api
cd secure-api

Next, initialize a new Node.js project:

npm init -y

Step 2: Install Required Packages

Install the necessary packages:

npm install express jsonwebtoken dotenv express-oauth-server body-parser
  • express: Web framework for Node.js.
  • jsonwebtoken: Library for creating and verifying JWTs.
  • dotenv: For managing environment variables.
  • express-oauth-server: Middleware for OAuth 2.0.

Step 3: Create Project Structure

Create the following structure:

secure-api/
├── .env
├── app.js
└── routes/
    └── auth.js

Implementing OAuth and JWT

Step 4: Configure Environment Variables

In the .env file, add your environment variables:

JWT_SECRET=your_jwt_secret

Step 5: Set Up Express Server

In app.js, set up your Express server and configure body parser:

const express = require('express');
const bodyParser = require('body-parser');
const authRoutes = require('./routes/auth');

const app = express();
app.use(bodyParser.json());
app.use('/auth', authRoutes);

const PORT = process.env.PORT || 3000;
app.listen(PORT, () => {
    console.log(`Server running on port ${PORT}`);
});

Step 6: Create Authentication Routes

In routes/auth.js, create the routes for user authentication and token generation:

const express = require('express');
const jwt = require('jsonwebtoken');
const router = express.Router();

// Dummy user data
const users = [{ id: 1, username: 'user', password: 'password' }];

// Login route
router.post('/login', (req, res) => {
    const { username, password } = req.body;
    const user = users.find(u => u.username === username && u.password === password);

    if (!user) {
        return res.status(401).json({ message: 'Invalid credentials' });
    }

    const token = jwt.sign({ id: user.id }, process.env.JWT_SECRET, { expiresIn: '1h' });
    res.json({ token });
});

// Middleware to verify token
const verifyToken = (req, res, next) => {
    const token = req.headers['authorization'];

    if (!token) {
        return res.sendStatus(403);
    }

    jwt.verify(token, process.env.JWT_SECRET, (err, decoded) => {
        if (err) {
            return res.sendStatus(403);
        }
        req.userId = decoded.id;
        next();
    });
};

// Protected route
router.get('/protected', verifyToken, (req, res) => {
    res.json({ message: 'This is a protected route', userId: req.userId });
});

module.exports = router;

Step 7: Testing Your API

Now that your API is set up, you can test it using a tool like Postman or curl.

  1. Login: Send a POST request to http://localhost:3000/auth/login with the body:

json { "username": "user", "password": "password" }

If successful, you will receive a JWT token.

  1. Access Protected Route: Use the received token in the Authorization header to access the protected route:

GET /auth/protected Authorization: your_jwt_token

Troubleshooting Common Issues

  • Invalid Token: Ensure that the token is not expired and that you are using the correct secret.
  • Unauthorized Access: Confirm that you are passing the token in the Authorization header.
  • Server Errors: Check your Express server logs for any runtime errors.

Conclusion

Building a secure API with OAuth and JWT in Express.js enhances the security of your applications while providing flexibility and scalability. By following the steps outlined in this article, you can create a robust API that protects user data and manages authentication effectively.

Remember that security is an ongoing process. Regularly update your dependencies, monitor your API for vulnerabilities, and stay informed about best practices in API security. Happy coding!

SR
Syed
Rizwan

About the Author

Syed Rizwan is a Machine Learning Engineer with 5 years of experience in AI, IoT, and Industrial Automation.