Setting Up a Secure API with OAuth 2.0 in Express.js
In today's fast-paced digital world, securing your API is of utmost importance. With the rise of cloud services and mobile applications, using a robust authentication mechanism is essential. One of the most widely adopted methods is OAuth 2.0. This article will guide you through the process of setting up a secure API with OAuth 2.0 in Express.js, highlighting definitions, use cases, and step-by-step instructions to get you started.
What is OAuth 2.0?
OAuth 2.0 is an authorization framework that enables third-party applications to obtain limited access to an HTTP service. This access is granted on behalf of a resource owner through the use of access tokens. Unlike approaches in which the third party is handed the user's username and password outright, OAuth 2.0 lets the client act with a scoped, expiring token, which is safer and scales better.
Key Terminology
- Resource Owner: Typically, the user who owns the data and can grant access.
- Client: The application wanting to access the resource owner's data.
- Authorization Server: The server that issues access tokens to the client after successfully authenticating the resource owner.
- Resource Server: The server hosting the protected resources that the client wants to access.
Use Cases for OAuth 2.0
- Single Sign-On (SSO): Allow users to log in once and gain access to multiple applications.
- Mobile Applications: Secure access to APIs on mobile devices without storing sensitive information.
- Third-Party Integrations: Grant limited access to a user’s data without sharing their credentials.
Setting Up an Express.js API with OAuth 2.0
Now that we understand the basics of OAuth 2.0, let's dive into how to implement it in an Express.js application. We'll use the express, jsonwebtoken, and dotenv packages for this setup.
Step 1: Install Required Packages
First, create a new folder for your project, navigate to it, and initialize a new Node.js application:
mkdir oauth2-express-api
cd oauth2-express-api
npm init -y
Next, install the necessary packages:
npm install express jsonwebtoken dotenv
Step 2: Create Your Environment Variables
Create a .env file in the root of your project directory to store your secret keys:
JWT_SECRET=your_jwt_secret_key
Step 3: Set Up Your Express Server
Create an index.js file and set up a basic Express server:
const express = require('express');
const jwt = require('jsonwebtoken');
require('dotenv').config();

const app = express();
app.use(express.json());

const PORT = process.env.PORT || 3000;
const JWT_SECRET = process.env.JWT_SECRET;

// Refuse to start without a signing secret rather than signing tokens with undefined
if (!JWT_SECRET) {
  console.error('JWT_SECRET is not set; add it to your .env file');
  process.exit(1);
}

// Dummy user data for demonstration (plaintext passwords are for the demo only;
// a real user store keeps salted password hashes)
const users = [
  { id: 1, username: 'user1', password: 'password1' },
  { id: 2, username: 'user2', password: 'password2' },
];

// Authentication endpoint: exchanges username/password for a one-hour JWT
app.post('/login', (req, res) => {
  const { username, password } = req.body || {};
  const user = users.find(u => u.username === username && u.password === password);
  if (!user) return res.status(401).send('Authentication failed');
  const token = jwt.sign({ id: user.id }, JWT_SECRET, { expiresIn: '1h' });
  res.json({ token });
});

// Protected route: expects "Authorization: Bearer <token>"
app.get('/protected', (req, res) => {
  const token = req.headers['authorization']?.split(' ')[1];
  if (!token) return res.status(403).send('Token is required');
  // Pin the accepted algorithm so the token header cannot select a different one
  jwt.verify(token, JWT_SECRET, { algorithms: ['HS256'] }, (err, user) => {
    if (err) return res.status(403).send('Invalid token');
    res.json({ message: 'This is a protected route', user });
  });
});

app.listen(PORT, () => {
  console.log(`Server is running on http://localhost:${PORT}`);
});
Step 4: Running the Server
To run your application, use the following command:
node index.js
Your server should now be running at http://localhost:3000.
Step 5: Testing the API
- Login to Get a Token
Use a tool like Postman or curl to test your login endpoint.
curl -X POST http://localhost:3000/login -H "Content-Type: application/json" -d '{"username": "user1", "password": "password1"}'
On success, you will receive a JWT.
- Access the Protected Route
Use the token you received to access the protected route.
curl -X GET http://localhost:3000/protected -H "Authorization: Bearer YOUR_TOKEN_HERE"
If the token is valid, you will see a success message; otherwise, you will receive an "Invalid token" error.
Troubleshooting Common Issues
- JWT Secret Key: Ensure that your JWT_SECRET is set correctly in your .env file.
- Token Expiry: The token you receive expires in one hour. If you try to access the protected route after that, you will receive an error.
- Authorization Header: Always check that your Authorization header is correctly formatted as Bearer YOUR_TOKEN.
Conclusion
Setting up a secure API using OAuth 2.0 in Express.js is a straightforward process that greatly enhances the security of your application. By following the steps outlined in this article, you can implement a secure authentication mechanism using JWT tokens, ensuring that your API is not only functional but also safe from unauthorized access.
As you continue to develop your application, consider expanding on this foundation by integrating features like token refresh, user role management, or even linking with third-party identity providers. Happy coding!