By Syed Rizwan

2-how-to-build-a-secure-rest-api-using-expressjs-and-jwt.html

How to Build a Secure REST API Using Express.js and JWT

In today’s digital landscape, building secure applications is more crucial than ever. One of the most popular ways to create a secure REST API is by using Express.js, a minimal and flexible Node.js web application framework, in combination with JSON Web Tokens (JWT). This guide will walk you through the process of building a secure REST API while highlighting best practices and actionable insights.

What is Express.js?

Express.js is a web application framework for Node.js that simplifies the process of building robust APIs. It provides a variety of features to develop web and mobile applications, such as routing, middleware support, and template engines. Express.js is lightweight and unopinionated, allowing developers to structure their applications as they see fit.

What is JWT?

JSON Web Tokens (JWT) are an open standard for securely transmitting information between parties as a JSON object. They are commonly used for authentication and information exchange because they are compact, URL-safe, and can be verified and trusted. JWTs consist of three parts: the header, payload, and signature.

Use Cases for a Secure REST API

Building a secure REST API is essential for:

  • User Authentication: Ensuring that only authenticated users can access certain endpoints.
  • Data Protection: Safeguarding sensitive data by encrypting it.
  • Interoperability: Allowing various clients (web, mobile, IoT) to access your API securely.

Prerequisites

Before diving into the code, ensure you have the following installed:

  • Node.js
  • npm (Node Package Manager)
  • A code editor (like VSCode)

Step-by-Step Guide to Building a Secure REST API

Step 1: Set Up Your Environment

Create a new directory for your project and initialize it.

mkdir secure-api
cd secure-api
npm init -y

Install the required packages:

npm install express jsonwebtoken bcryptjs body-parser dotenv

Step 2: Create a Basic Express Server

Create an index.js file and set up a basic Express server.

// index.js
const express = require('express');
const bodyParser = require('body-parser');
const dotenv = require('dotenv');

dotenv.config();

const app = express();
app.use(bodyParser.json());

// Sample route
app.get('/', (req, res) => {
    res.send('Welcome to the Secure API!');
});

const PORT = process.env.PORT || 3000;
app.listen(PORT, () => {
    console.log(`Server is running on port ${PORT}`);
});

Step 3: User Registration and Password Hashing

To securely store user passwords, we use bcryptjs to hash passwords before saving them to the database.

const bcrypt = require('bcryptjs');

let users = []; // Simulating a database

app.post('/register', async (req, res) => {
    const { username, password } = req.body;

    // Check if user already exists
    const existingUser = users.find(user => user.username === username);
    if (existingUser) {
        return res.status(400).send('User already exists');
    }

    // Hash the password
    const hashedPassword = await bcrypt.hash(password, 10);
    users.push({ username, password: hashedPassword });

    res.status(201).send('User registered successfully');
});

Step 4: Implementing JWT Authentication

Next, we’ll create a login route that generates a JWT upon successful authentication.

const jwt = require('jsonwebtoken');

app.post('/login', async (req, res) => {
    const { username, password } = req.body;

    const user = users.find(user => user.username === username);
    if (!user || !(await bcrypt.compare(password, user.password))) {
        return res.status(401).send('Invalid credentials');
    }

    // Generate JWT
    const token = jwt.sign({ username }, process.env.JWT_SECRET, { expiresIn: '1h' });
    res.json({ token });
});

Step 5: Protecting Routes with Middleware

Now, let’s create middleware to protect our routes using the JWT.

const authenticateToken = (req, res, next) => {
    const token = req.headers['authorization']?.split(' ')[1]; // Bearer token

    if (!token) return res.sendStatus(401);

    jwt.verify(token, process.env.JWT_SECRET, (err, user) => {
        if (err) return res.sendStatus(403);
        req.user = user;
        next();
    });
};

// Protected route
app.get('/protected', authenticateToken, (req, res) => {
    res.send(`Hello ${req.user.username}, this is a protected route!`);
});

Step 6: Testing Your API

To test your API, you can use tools like Postman or Insomnia. Here’s a quick outline of how to test the endpoints:

  1. Register a User:
  2. Method: POST
  3. URL: http://localhost:3000/register

  4. Body: json { "username": "testUser", "password": "testPassword" }

  5. Login:

  6. Method: POST
  7. URL: http://localhost:3000/login
  8. Body: json { "username": "testUser", "password": "testPassword" }

  9. Note the token received in the response.

  10. Access Protected Route:

  11. Method: GET
  12. URL: http://localhost:3000/protected
  13. Header: Authorization: Bearer YOUR_TOKEN_HERE

Conclusion

Building a secure REST API using Express.js and JWT is a powerful way to manage user authentication and protect sensitive data. By following the steps outlined in this guide, you can create a robust API that adheres to best practices in security. Remember to keep your JWT secret safe and consider implementing additional security measures such as HTTPS and rate limiting.

With the right tools and knowledge, you can develop APIs that not only serve your applications well but also stand the test of security challenges in today’s environment. Happy coding!

SR
Syed
Rizwan

About the Author

Syed Rizwan is a Machine Learning Engineer with 5 years of experience in AI, IoT, and Industrial Automation.