By Syed Rizwan

2-how-to-create-a-secure-api-with-expressjs-and-jwt-authentication.html

How to Create a Secure API with Express.js and JWT Authentication

In the world of web development, creating secure APIs is a crucial task for developers, especially when sensitive user data is involved. One of the most effective methods to secure your API is by using JSON Web Tokens (JWT) for authentication. In this article, we'll explore how to create a secure API using Express.js and JWT, providing you with clear code examples and actionable insights.

What is Express.js?

Express.js is a minimal and flexible Node.js web application framework that provides a robust set of features for web and mobile applications. It is often used to build RESTful APIs due to its simplicity and performance.

Understanding JWT Authentication

JSON Web Tokens (JWT) are an open standard (RFC 7519) that defines a compact way for securely transmitting information between parties as a JSON object. The information can be verified and trusted because it is digitally signed. JWTs are commonly used for authentication and information exchange.

Benefits of Using JWT

  • Stateless: JWTs are self-contained, meaning all the information about the user is stored in the token itself.
  • Compact: The token can be sent via URL, POST parameters, or inside an HTTP header.
  • Secure: JWTs can be signed using a secret or public/private key pair.

Prerequisites

Before we dive into coding, ensure you have the following installed:

  • Node.js: Download and install Node.js from nodejs.org.
  • npm: Comes bundled with Node.js.
  • Basic knowledge of JavaScript and RESTful API concepts.

Setting Up Your Express.js Project

Let’s start by setting up a new Express.js project.

Step 1: Initialize a New Node.js Project

Open your terminal and run the following commands:

mkdir secure-api
cd secure-api
npm init -y

Step 2: Install Required Packages

Next, install the necessary packages: express, jsonwebtoken, and body-parser.

npm install express jsonwebtoken body-parser

Step 3: Create the Basic Structure

Create a file named server.js in your project directory. This file will contain the main application logic.

const express = require('express');
const bodyParser = require('body-parser');
const jwt = require('jsonwebtoken');

const app = express();
const PORT = process.env.PORT || 3000;

app.use(bodyParser.json());

Creating a Simple Authentication System

Step 4: Define a User Model

For demonstration purposes, we’ll use a simple in-memory user model.

const users = [
    { id: 1, username: 'user1', password: 'password1' },
    { id: 2, username: 'user2', password: 'password2' },
];

Step 5: Implement Login Route

Create a login route that authenticates users and generates a JWT.

app.post('/login', (req, res) => {
    const { username, password } = req.body;

    // Find user
    const user = users.find(u => u.username === username && u.password === password);
    if (!user) {
        return res.status(401).send('Invalid credentials');
    }

    // Generate JWT
    const token = jwt.sign({ id: user.id }, 'your_jwt_secret', { expiresIn: '1h' });
    res.json({ token });
});

Step 6: Protecting Routes

To protect your routes, create a middleware function that verifies the JWT.

function authenticateToken(req, res, next) {
    const token = req.headers['authorization']?.split(' ')[1];
    if (!token) return res.sendStatus(401);

    jwt.verify(token, 'your_jwt_secret', (err, user) => {
        if (err) return res.sendStatus(403);
        req.user = user;
        next();
    });
}

Step 7: Creating a Protected Route

Now, let’s create a protected route that can only be accessed with a valid JWT.

app.get('/protected', authenticateToken, (req, res) => {
    res.send(`Hello, your user ID is ${req.user.id}`);
});

Step 8: Starting the Server

Finally, start your Express server.

app.listen(PORT, () => {
    console.log(`Server running on http://localhost:${PORT}`);
});

Testing Your API

You can test your API using tools like Postman or cURL.

  1. Login: Send a POST request to http://localhost:3000/login with the following JSON body: json { "username": "user1", "password": "password1" } You should receive a JWT token in response.

  2. Access Protected Route: Use the token received from the login response to access the protected route. Set the Authorization header in your request: Authorization: Bearer <your_jwt_token>

Conclusion

By following this guide, you have successfully created a secure API using Express.js and JWT authentication. This setup provides a solid foundation for building more complex applications while ensuring secure user authentication.

As you continue to develop your API, consider implementing additional security measures such as HTTPS, rate limiting, and input validation to further enhance your application's security. Happy coding!

SR
Syed
Rizwan

About the Author

Syed Rizwan is a Machine Learning Engineer with 5 years of experience in AI, IoT, and Industrial Automation.