By Syed Rizwan

2-how-to-set-up-a-secure-api-with-oauth-and-jwt-in-expressjs.html

How to Set Up a Secure API with OAuth and JWT in Express.js

In the world of web development, securing your API is crucial. With the rise of cyber threats and data breaches, it's essential to implement robust authentication mechanisms. Two widely used technologies for securing APIs are OAuth and JSON Web Tokens (JWT). In this article, we'll guide you through setting up a secure API using OAuth and JWT in Express.js, one of the most popular frameworks for building Node.js applications.

Understanding OAuth and JWT

What is OAuth?

OAuth (Open Authorization) is an open standard for access delegation commonly used for token-based authentication and authorization. It allows third-party services to exchange information without sharing user credentials. For instance, when you log in to a website using your Google or Facebook account, OAuth is at work.

What is JWT?

JSON Web Tokens (JWT) are a compact, URL-safe means of representing claims to be transferred between two parties. JWTs are used to verify the authenticity of a user and can carry information about the user and their permissions. A typical JWT consists of three parts: the header, payload, and signature.

Use Cases for OAuth and JWT

  • Third-Party Authentication: Allow users to log in using their social media accounts.
  • Single Sign-On (SSO): Users can access multiple services with one set of credentials.
  • Stateless Sessions: JWT allows you to maintain user sessions without storing session information on the server.

Setting Up Your Express.js Application

Step 1: Initializing Your Project

First, ensure you have Node.js and npm installed. Then, create a new directory for your project and initialize it:

mkdir secure-api
cd secure-api
npm init -y

Step 2: Installing Required Packages

You will need several packages for this setup:

  • Express: The web framework
  • jsonwebtoken: To create and verify JWTs
  • passport: For authentication strategies
  • passport-oauth2: For OAuth 2.0 support
  • dotenv: To manage environment variables

Run the following command to install these packages:

npm install express jsonwebtoken passport passport-oauth2 dotenv

Step 3: Setting Up Your Environment Variables

Create a .env file to store your secret keys and other sensitive information:

JWT_SECRET=your_jwt_secret
OAUTH_CLIENT_ID=your_oauth_client_id
OAUTH_CLIENT_SECRET=your_oauth_client_secret
OAUTH_CALLBACK_URL=http://localhost:3000/auth/callback

Step 4: Creating Your Express.js Server

Now, let’s create a basic Express server. Create a file named server.js:

const express = require('express');
const passport = require('passport');
const dotenv = require('dotenv');

dotenv.config();

const app = express();
const PORT = process.env.PORT || 3000;

// Middleware
app.use(express.json());
app.use(passport.initialize());

app.listen(PORT, () => {
    console.log(`Server is running on http://localhost:${PORT}`);
});

Step 5: Setting Up Passport with OAuth 2.0

Create a new file named passport-setup.js to configure Passport with OAuth:

const passport = require('passport');
const OAuth2Strategy = require('passport-oauth2');

passport.use(new OAuth2Strategy({
    authorizationURL: 'https://provider.com/oauth2/authorize',
    tokenURL: 'https://provider.com/oauth2/token',
    clientID: process.env.OAUTH_CLIENT_ID,
    clientSecret: process.env.OAUTH_CLIENT_SECRET,
    callbackURL: process.env.OAUTH_CALLBACK_URL
}, (accessToken, refreshToken, profile, done) => {
    // Here you can save the user's profile in your database
    return done(null, profile);
}));

Step 6: Creating Routes for Authentication

Add routes in your server.js file for authentication:

app.get('/auth/login', passport.authenticate('oauth2'));

app.get('/auth/callback', passport.authenticate('oauth2', { failureRedirect: '/' }),
    (req, res) => {
        // Generate JWT after successful login
        const token = jwt.sign({ id: req.user.id }, process.env.JWT_SECRET, { expiresIn: '1h' });
        res.json({ token });
    }
);

Step 7: Protecting Your API Endpoints

To safeguard your API routes, you can create a middleware function to verify the JWT:

const jwt = require('jsonwebtoken');

const authenticateJWT = (req, res, next) => {
    const token = req.headers['authorization'];

    if (token) {
        jwt.verify(token, process.env.JWT_SECRET, (err, user) => {
            if (err) {
                return res.sendStatus(403);
            }
            req.user = user;
            next();
        });
    } else {
        res.sendStatus(401);
    }
};

// Protected Route Example
app.get('/api/protected', authenticateJWT, (req, res) => {
    res.json({ message: 'This is a protected route', user: req.user });
});

Step 8: Testing Your Setup

Now that you have set up your API, you can test it using a tool like Postman or Insomnia. Start your server:

node server.js
  1. Navigate to http://localhost:3000/auth/login to initiate OAuth login.
  2. After logging in, you should receive a JWT.
  3. Use this token in the Authorization header for requests to protected routes.

Troubleshooting Common Issues

  • Invalid Token Error: Ensure your JWT secret matches the one used to sign the token.
  • Callback URL Mismatch: Check that your OAuth provider has the correct callback URL configured.

Conclusion

Securing your API with OAuth and JWT in Express.js is a powerful way to protect your applications and user data. By following the steps outlined in this article, you can build a robust authentication system that leverages modern security practices. As you continue to develop your API, consider implementing additional security measures such as rate limiting, logging, and input validation to further enhance your application's resilience against threats. Happy coding!

SR
Syed
Rizwan

About the Author

Syed Rizwan is a Machine Learning Engineer with 5 years of experience in AI, IoT, and Industrial Automation.