By Syed Rizwan

3-how-to-create-a-secure-api-with-oauth-and-jwt-in-expressjs.html

How to Create a Secure API with OAuth and JWT in Express.js

In today's digital landscape, security is paramount, especially when it comes to APIs. With the increasing number of data breaches and security threats, developers must prioritize building secure applications. One effective way to secure your API is by using OAuth 2.0 for authorization and JSON Web Tokens (JWT) for authentication. In this article, we will walk through the process of creating a secure API using OAuth and JWT in Express.js, a popular Node.js web application framework.

Understanding OAuth and JWT

What is OAuth?

OAuth is an open standard for access delegation, commonly used as a way to grant websites or applications limited access to a user's information without exposing passwords. It allows third-party services to exchange tokens for user data, enabling secure access without directly sharing sensitive credentials.

What is JWT?

JSON Web Tokens (JWT) are a compact, URL-safe means of representing claims to be transferred between two parties. The claims in a JWT are encoded as a JSON object that is used as the payload of a JSON Web Signature (JWS) structure or as the plaintext of a JSON Web Encryption (JWE) structure. In simpler terms, JWTs allow you to securely transmit information between parties as a JSON object.

Use Cases for OAuth and JWT

  • Single Sign-On (SSO): Users can authenticate once and gain access to multiple applications without needing to log in again.
  • Third-Party API Access: Users can grant third-party applications access to their data without sharing their passwords.
  • Mobile Applications: Securely manage user authentication and authorization in mobile apps.

Setting Up Your Express.js Environment

Before we dive into the coding part, ensure you have Node.js and npm installed on your machine. You can create a new Express.js project by following these steps:

  1. Create a New Directory: bash mkdir secure-api cd secure-api

  2. Initialize a New Node.js Project: bash npm init -y

  3. Install Required Packages: bash npm install express jsonwebtoken dotenv body-parser cors

  4. Create Your Project Structure: bash mkdir src touch src/index.js .env

Building the API

Step 1: Setting Up Express.js

In your src/index.js file, set up a basic Express server:

const express = require('express');
const bodyParser = require('body-parser');
const cors = require('cors');

const app = express();
const PORT = process.env.PORT || 3000;

app.use(cors());
app.use(bodyParser.json());

app.listen(PORT, () => {
    console.log(`Server is running on http://localhost:${PORT}`);
});

Step 2: Implementing JWT Authentication

Next, let’s create functions for generating and verifying JWTs. We'll also set up a simple user login route.

Add the following code to src/index.js:

const jwt = require('jsonwebtoken');
const dotenv = require('dotenv');

dotenv.config();

const users = []; // In-memory user storage for demonstration

const generateToken = (user) => {
    return jwt.sign({ id: user.id, username: user.username }, process.env.JWT_SECRET, { expiresIn: '1h' });
};

// User Registration Endpoint
app.post('/register', (req, res) => {
    const { username, password } = req.body;
    const newUser = { id: users.length + 1, username, password }; // Simple in-memory user storage
    users.push(newUser);
    res.status(201).json({ message: 'User registered successfully!' });
});

// User Login Endpoint
app.post('/login', (req, res) => {
    const { username, password } = req.body;
    const user = users.find(u => u.username === username && u.password === password);

    if (!user) {
        return res.status(401).json({ message: 'Invalid credentials' });
    }

    const token = generateToken(user);
    res.json({ token });
});

Step 3: Protecting Routes with JWT Middleware

To protect certain routes in your API, create a middleware function that verifies the JWT:

const authenticateToken = (req, res, next) => {
    const token = req.headers['authorization']?.split(' ')[1];

    if (!token) return res.sendStatus(401);

    jwt.verify(token, process.env.JWT_SECRET, (err, user) => {
        if (err) return res.sendStatus(403);
        req.user = user;
        next();
    });
};

// Protected Route Example
app.get('/protected', authenticateToken, (req, res) => {
    res.json({ message: 'This is a protected route!', user: req.user });
});

Step 4: Testing Your API

To test your API, you can use tools like Postman or cURL. Here’s how to do it:

  1. Register a User:
  2. POST http://localhost:3000/register

  3. Body: {"username": "testuser", "password": "testpass"}

  4. Login to Get a Token:

  5. POST http://localhost:3000/login
  6. Body: {"username": "testuser", "password": "testpass"}

  7. You will receive a JWT token in the response.

  8. Access Protected Route:

  9. GET http://localhost:3000/protected
  10. Set the Authorization header: Bearer YOUR_JWT_TOKEN

Conclusion

In this article, we covered how to create a secure API using OAuth and JWT in Express.js. By implementing these techniques, you can enhance the security of your applications and protect sensitive user data. Remember to store your JWT secret securely and consider using HTTPS for added security.

With these foundations in place, you're well on your way to building robust, secure applications that can withstand the challenges of modern web security. Happy coding!

SR
Syed
Rizwan

About the Author

Syed Rizwan is a Machine Learning Engineer with 5 years of experience in AI, IoT, and Industrial Automation.