By Syed Rizwan

6-building-a-secure-graphql-api-with-expressjs-and-jwt-authentication.html

Building a Secure GraphQL API with Express.js and JWT Authentication

In the modern landscape of web development, APIs are the backbone of many applications. GraphQL, with its flexibility and efficiency, has emerged as a popular choice for building APIs. When you pair GraphQL with Express.js, a minimal and flexible Node.js web application framework, you can create robust server-side applications. Adding JSON Web Token (JWT) authentication to the mix enables you to secure your API, ensuring only authorized users access certain data or functionalities. In this article, we will guide you through building a secure GraphQL API using Express.js and JWT authentication, complete with code snippets and actionable insights.

What is GraphQL?

GraphQL is a query language for APIs and a runtime for executing those queries by using a type system. It allows clients to request only the data they need, making it more efficient than traditional REST APIs. With GraphQL, you can easily aggregate data from multiple sources and provide a single endpoint for client requests.

Use Cases of GraphQL

  • Dynamic Data Retrieval: Fetch only the required data, reducing payload size.
  • Real-time Applications: Use subscriptions for real-time data updates.
  • Microservices Architecture: Aggregate data from multiple microservices in one query.

Why Use Express.js?

Express.js is a lightweight framework for building web applications in Node.js. Its simplicity and versatility make it an excellent choice for creating RESTful and GraphQL APIs. With middleware support and a robust routing system, Express.js allows developers to build applications quickly and efficiently.

Understanding JWT Authentication

JSON Web Tokens (JWT) are a compact, URL-safe means of representing claims to be transferred between two parties. The tokens are encoded JSON objects that contain claims about the user and are used for securely transmitting information. JWT is widely used for authentication and information exchange in web applications.

Benefits of JWT Authentication

  • Stateless: The server does not need to store session information.
  • Cross-Domain Support: JWT can be used across different domains.
  • Multiple Formats: Supports various formats of claims (e.g., user roles).

Setting Up Your Project

Step 1: Initialize Your Project

First, create a new directory for your project and initialize Node.js:

mkdir graphql-api
cd graphql-api
npm init -y

Step 2: Install Required Packages

Next, install the necessary packages:

npm install express express-graphql graphql jsonwebtoken bcryptjs mongoose dotenv
  • express: Web framework for Node.js.
  • express-graphql: Middleware for integrating GraphQL with Express.
  • graphql: The core library for handling GraphQL queries.
  • jsonwebtoken: Library to work with JWT.
  • bcryptjs: Library for hashing passwords.
  • mongoose: MongoDB object modeling tool.
  • dotenv: For environment variable management.

Step 3: Create Basic Project Structure

Set up the following project structure:

graphql-api/
│
├── .env
├── server.js
├── models/
│   └── User.js
└── schemas/
    └── schema.js

Implementing JWT Authentication

Step 4: Create a User Model

In models/User.js, define the User schema:

const mongoose = require('mongoose');

const UserSchema = new mongoose.Schema({
  username: { type: String, required: true, unique: true },
  password: { type: String, required: true },
});

module.exports = mongoose.model('User', UserSchema);

Step 5: Create GraphQL Schemas

In schemas/schema.js, define the GraphQL types and resolvers:

const { GraphQLObjectType, GraphQLString, GraphQLSchema } = require('graphql');
const User = require('../models/User');
const jwt = require('jsonwebtoken');
const bcrypt = require('bcryptjs');

const UserType = new GraphQLObjectType({
  name: 'User',
  fields: () => ({
    id: { type: GraphQLString },
    username: { type: GraphQLString },
  }),
});

const RootQuery = new GraphQLObjectType({
  name: 'RootQueryType',
  fields: {
    user: {
      type: UserType,
      args: { id: { type: GraphQLString } },
      resolve(parent, args) {
        return User.findById(args.id);
      },
    },
  },
});

const Mutation = new GraphQLObjectType({
  name: 'Mutation',
  fields: {
    register: {
      type: UserType,
      args: {
        username: { type: GraphQLString },
        password: { type: GraphQLString },
      },
      async resolve(parent, args) {
        const hashedPassword = await bcrypt.hash(args.password, 10);
        const user = new User({ username: args.username, password: hashedPassword });
        return user.save();
      },
    },
    login: {
      type: UserType,
      args: {
        username: { type: GraphQLString },
        password: { type: GraphQLString },
      },
      async resolve(parent, args) {
        const user = await User.findOne({ username: args.username });
        if (!user) throw new Error('User not found');

        const isMatch = await bcrypt.compare(args.password, user.password);
        if (!isMatch) throw new Error('Invalid credentials');

        const token = jwt.sign({ id: user.id }, process.env.JWT_SECRET, { expiresIn: '1h' });
        return { ...user._doc, token };
      },
    },
  },
});

module.exports = new GraphQLSchema({
  query: RootQuery,
  mutation: Mutation,
});

Step 6: Create the Server

In server.js, set up the Express server and integrate GraphQL:

const express = require('express');
const { graphqlHTTP } = require('express-graphql');
const mongoose = require('mongoose');
const schema = require('./schemas/schema');
require('dotenv').config();

const app = express();

// Connect to MongoDB
mongoose.connect(process.env.MONGODB_URI, { useNewUrlParser: true, useUnifiedTopology: true });

// Middleware for GraphQL
app.use('/graphql', graphqlHTTP({
  schema,
  graphiql: true,
}));

const PORT = process.env.PORT || 4000;
app.listen(PORT, () => {
  console.log(`Server running on http://localhost:${PORT}/graphql`);
});

Testing Your API

To test your API, you can use GraphiQL, which is available at http://localhost:4000/graphql. Here are some example queries and mutations you can try:

Register a User

mutation {
  register(username: "testuser", password: "testpass") {
    id
    username
  }
}

Log in a User

mutation {
  login(username: "testuser", password: "testpass") {
    id
    username
    token
  }
}

Conclusion

Building a secure GraphQL API with Express.js and JWT authentication is a powerful way to manage user access and protect sensitive data in your application. By following the steps outlined in this article, you can create a robust server that leverages the strengths of GraphQL and Express while ensuring that user authentication is handled securely. As you continue developing, remember to optimize your code, use environment variables for sensitive information, and explore additional features such as error handling and performance improvements. Happy coding!

SR
Syed
Rizwan

About the Author

Syed Rizwan is a Machine Learning Engineer with 5 years of experience in AI, IoT, and Industrial Automation.