By Syed Rizwan

6-setting-up-a-secure-expressjs-api-with-jwt-authentication.html

Setting Up a Secure Express.js API with JWT Authentication

In today’s digital landscape, building secure web applications is paramount. One of the most effective ways to secure your API is through JSON Web Tokens (JWT). In this article, we’ll explore how to set up a secure Express.js API using JWT authentication. You’ll learn the foundational concepts, practical use cases, and step-by-step instructions to get your API up and running securely.

What is Express.js?

Express.js is a minimal and flexible Node.js web application framework that provides a robust set of features for web and mobile applications. It simplifies the process of building web servers and APIs, allowing developers to create efficient and scalable applications.

What is JWT Authentication?

JSON Web Tokens (JWT) are an open standard for securely transmitting information between parties as a JSON object. They are compact, URL-safe tokens that can be used for authentication and information exchange. JWT consists of three parts:

  • Header: Contains metadata about the token, including the type of token and the signing algorithm.
  • Payload: Contains the claims or statements about an entity (typically the user) and additional data.
  • Signature: Used to verify the authenticity of the token.

Why Use JWT?

  • Stateless: No server-side session storage is needed, making your API scalable.
  • Compact: Ideal for passing in URLs, POST parameters, or HTTP headers.
  • Secure: Can be signed (using HMAC or RSA) to ensure the integrity of the data.

Use Cases for JWT Authentication

  • Single Page Applications (SPAs): JWT can provide secure user sessions for SPAs that need to interact with a backend API.
  • Microservices: In a microservices architecture, JWT can be used to securely transmit user identity across services.
  • Mobile Applications: Mobile apps can use JWT to authenticate users without needing to maintain session state on the server.

Setting Up Your Express.js API with JWT Authentication

Step 1: Environment Setup

First, ensure you have Node.js installed on your machine. Create a new directory for your project and initialize it:

mkdir express-jwt-api
cd express-jwt-api
npm init -y

Next, install the necessary packages:

npm install express jsonwebtoken bcryptjs dotenv

Step 2: Create Your Express Server

Create a new file named server.js in the root of your project and set up a basic Express server:

const express = require('express');
const bodyParser = require('body-parser');
const dotenv = require('dotenv');

dotenv.config();

const app = express();
const PORT = process.env.PORT || 3000;

app.use(bodyParser.json());

app.listen(PORT, () => {
  console.log(`Server is running on http://localhost:${PORT}`);
});

Step 3: User Registration and Password Hashing

Let’s create an endpoint for user registration. You’ll want to hash passwords before storing them to enhance security.

Add the following code to your server.js:

const bcrypt = require('bcryptjs');
const users = []; // This will act as our in-memory database for this example

app.post('/register', async (req, res) => {
  const { username, password } = req.body;

  const hashedPassword = await bcrypt.hash(password, 10);
  users.push({ username, password: hashedPassword });

  res.status(201).json({ message: 'User registered successfully!' });
});

Step 4: Creating JWT Tokens

Now, let’s create a login endpoint that will validate user credentials and generate a JWT token upon successful authentication.

Add this code below the registration endpoint:

const jwt = require('jsonwebtoken');

app.post('/login', async (req, res) => {
  const { username, password } = req.body;
  const user = users.find(u => u.username === username);

  if (user && await bcrypt.compare(password, user.password)) {
    const token = jwt.sign({ username: user.username }, process.env.JWT_SECRET, { expiresIn: '1h' });
    return res.json({ token });
  }

  res.status(401).json({ message: 'Invalid credentials' });
});

Step 5: Protecting Routes with JWT Middleware

To secure specific routes, you need to create middleware that verifies the JWT token. Add the following code to your server.js:

const authenticateToken = (req, res, next) => {
  const token = req.headers['authorization']?.split(' ')[1];

  if (!token) return res.sendStatus(401);

  jwt.verify(token, process.env.JWT_SECRET, (err, user) => {
    if (err) return res.sendStatus(403);
    req.user = user;
    next();
  });
};

Step 6: Creating Protected Routes

Now, let’s create a protected route that requires authentication. Add this after your existing routes:

app.get('/protected', authenticateToken, (req, res) => {
  res.json({ message: 'This is a protected route', user: req.user });
});

Step 7: Testing Your API

You can use tools like Postman to test your API. Here’s how to do it:

  1. Register a User: Send a POST request to http://localhost:3000/register with a JSON body containing username and password.
  2. Login: Send a POST request to http://localhost:3000/login with the same credentials. You’ll receive a token.
  3. Access Protected Route: Send a GET request to http://localhost:3000/protected with the Authorization header set to Bearer YOUR_TOKEN.

Conclusion

In this article, you’ve learned how to set up a secure Express.js API with JWT authentication. By leveraging JWT, you create a stateless and secure method for handling user sessions in your applications. Remember to keep your JWT secret safe and consider additional security measures, such as token expiration and refresh tokens, for production applications. Now, you have the tools to build secure APIs that can scale with your application's needs!

SR
Syed
Rizwan

About the Author

Syed Rizwan is a Machine Learning Engineer with 5 years of experience in AI, IoT, and Industrial Automation.