By Syed Rizwan

4-setting-up-a-secure-expressjs-api-with-oauth-20-authentication.html

Setting Up a Secure Express.js API with OAuth 2.0 Authentication

In today’s digital landscape, ensuring your API is secure is paramount. With the rise of cyber threats, leveraging OAuth 2.0 for authentication has become a gold standard in securing Express.js applications. This article will guide you through the process of setting up a secure Express.js API with OAuth 2.0 authentication, covering essential definitions, use cases, and actionable insights. Let’s dive in!

What is OAuth 2.0?

OAuth 2.0 is an open standard for access delegation, commonly used as a way to grant websites or applications limited access to user information without exposing passwords. It allows applications to obtain limited access to user accounts on an HTTP service, such as Facebook, GitHub, or Google.

Key Concepts of OAuth 2.0

  • Resource Owner: The user who authorizes an application to access their account.
  • Client: The application that wants to access the user’s account.
  • Authorization Server: The server that authenticates the user and issues access tokens.
  • Resource Server: The server that hosts the user data and accepts access tokens to grant access.

Use Cases for OAuth 2.0

  • Single Sign-On (SSO): Users can log in to multiple applications using one set of credentials.
  • Third-Party Application Access: Applications can access user data on behalf of the user without handling sensitive credentials.
  • Mobile Applications: Securely authenticate users without embedding sensitive information.

Setting Up Your Express.js API with OAuth 2.0

Now that we understand OAuth 2.0, let’s set up a secure Express.js API that uses this authentication method. For this tutorial, we’ll use the express, passport, and passport-google-oauth20 packages to handle Google OAuth 2.0 authentication.

Step 1: Initial Setup

First, create a new directory for your project and initialize it:

mkdir express-oauth2-api
cd express-oauth2-api
npm init -y

Next, install the necessary dependencies:

npm install express passport passport-google-oauth20 cookie-session

Step 2: Create the Express Application

Create a new file named server.js and set up a basic Express application.

const express = require('express');
const passport = require('passport');
const cookieSession = require('cookie-session');
require('./passport-setup'); // This will create the passport strategy

const app = express();

// Set up cookie session
app.use(cookieSession({
    maxAge: 24 * 60 * 60 * 1000, // 24 hours
    keys: ['your_cookie_secret']
}));

app.use(passport.initialize());
app.use(passport.session());

// Define routes
app.get('/', (req, res) => {
    res.send('<h1>Home</h1><a href="/auth/google">Login with Google</a>');
});

app.get('/auth/google', passport.authenticate('google', {
    scope: ['profile', 'email']
}));

app.get('/auth/google/callback', passport.authenticate('google'), (req, res) => {
    res.redirect('/profile');
});

app.get('/profile', (req, res) => {
    if (!req.user) {
        return res.redirect('/');
    }
    res.send(`<h1>Hello ${req.user.displayName}</h1><a href="/logout">Logout</a>`);
});

app.get('/logout', (req, res) => {
    req.logout();
    res.redirect('/');
});

// Start the server
const PORT = process.env.PORT || 5000;
app.listen(PORT, () => {
    console.log(`Server running on port ${PORT}`);
});

Step 3: Configure the Google OAuth Strategy

Create a file named passport-setup.js to configure the Google OAuth strategy.

const passport = require('passport');
const GoogleStrategy = require('passport-google-oauth20').Strategy;

passport.serializeUser((user, done) => {
    done(null, user.id);
});

passport.deserializeUser((id, done) => {
    // Here you would typically fetch the user from your database
    done(null, { id }); // Mock user object
});

passport.use(new GoogleStrategy({
    clientID: 'YOUR_GOOGLE_CLIENT_ID',
    clientSecret: 'YOUR_GOOGLE_CLIENT_SECRET',
    callbackURL: '/auth/google/callback'
}, (accessToken, refreshToken, profile, done) => {
    // In a real application, you would save the user to your database
    done(null, profile);
}));

Step 4: Set Up Your Google API Credentials

  1. Go to the Google Developer Console.
  2. Create a new project.
  3. Navigate to "Credentials," then click "Create Credentials" and choose "OAuth client ID."
  4. Configure the consent screen.
  5. Set the application type to "Web application" and add http://localhost:5000/auth/google/callback in the authorized redirect URIs.
  6. Save your CLIENT_ID and CLIENT_SECRET and insert them into your passport-setup.js.

Step 5: Test Your API

Now that everything is set up, start the server:

node server.js

Open your browser and navigate to http://localhost:5000. Click the "Login with Google" link, and you should be redirected to Google for authentication. Once authenticated, you’ll be redirected back to your Express application, where you can see your profile information.

Troubleshooting Common Issues

  • Redirect URI mismatch: Ensure your redirect URI in the Google Developer Console matches exactly with what is defined in your application.
  • CORS issues: If you encounter Cross-Origin Resource Sharing (CORS) issues, consider using the cors package to handle requests from different origins.

Conclusion

With this guide, you have successfully set up a secure Express.js API using OAuth 2.0 authentication with Google. This robust authentication method not only enhances security but also improves user experience by allowing users to log in using their existing credentials. As you continue to build your application, consider implementing additional security measures, such as rate limiting and input validation, to further protect your API. Happy coding!

SR
Syed
Rizwan

About the Author

Syed Rizwan is a Machine Learning Engineer with 5 years of experience in AI, IoT, and Industrial Automation.