By Syed Rizwan

7-securing-a-nodejs-api-with-jwt-authentication-and-expressjs.html

Securing a Node.js API with JWT Authentication and Express.js

In today’s digital landscape, securing APIs is paramount to safeguarding sensitive information and ensuring that only authorized users can interact with your application. One effective way to achieve this is through JSON Web Tokens (JWT) authentication, particularly when using Node.js and Express.js. In this article, we’ll explore how to secure a Node.js API with JWT, including step-by-step instructions, code examples, and best practices.

What is JWT?

JSON Web Tokens (JWT) are an open standard (RFC 7519) for securely transmitting information between parties as a JSON object. This information can be verified and trusted because it is digitally signed. JWTs can be signed using a secret (with the HMAC algorithm) or a public/private key pair using RSA or ECDSA.

Key Components of JWT: - Header: Contains metadata about the token, including the type and signing algorithm. - Payload: Contains the claims, which are the statements about an entity (usually the user) and additional data. - Signature: The encoded header and payload are combined and signed to create the token.

Why Use JWT for Authentication?

Using JWT for authentication provides several advantages, including:

  • Statelessness: JWT is self-contained, meaning no session information is stored on the server. This reduces server load and enhances performance.
  • Cross-Domain Support: JWTs can be used across different domains, making them ideal for microservices.
  • Ease of Use: They can be easily integrated with mobile applications and web services.

Setting Up Your Node.js Environment

Before we dive into the code, let’s set up our Node.js environment. You’ll need to have Node.js and npm installed. If you don’t have them installed, download and install them from Node.js official website.

  1. Create a new directory for your project: bash mkdir jwt-auth-example cd jwt-auth-example

  2. Initialize a new Node.js project: bash npm init -y

  3. Install required packages: bash npm install express jsonwebtoken bcryptjs body-parser

Building the API

Step 1: Set Up Express.js

Let’s create a basic Express.js server. Create a file named server.js and add the following code:

const express = require('express');
const bodyParser = require('body-parser');
const jwt = require('jsonwebtoken');
const bcrypt = require('bcryptjs');

const app = express();
const PORT = process.env.PORT || 3000;

app.use(bodyParser.json());

app.listen(PORT, () => {
    console.log(`Server is running on port ${PORT}`);
});

Step 2: User Registration

Next, we’ll create a user registration endpoint that will allow users to sign up. The password will be hashed for security.

let users = []; // This will act as our in-memory database

app.post('/register', (req, res) => {
    const { username, password } = req.body;
    const hashedPassword = bcrypt.hashSync(password, 8);
    users.push({ username, password: hashedPassword });
    res.status(201).send({ message: 'User registered successfully!' });
});

Step 3: User Login and Token Generation

Now, let’s create a login endpoint that will authenticate users and generate a JWT.

app.post('/login', (req, res) => {
    const { username, password } = req.body;
    const user = users.find(u => u.username === username);

    if (!user || !bcrypt.compareSync(password, user.password)) {
        return res.status(401).send({ auth: false, token: null });
    }

    const token = jwt.sign({ id: user.username }, 'your_secret_key', { expiresIn: 86400 });
    res.status(200).send({ auth: true, token });
});

Step 4: Protecting Routes

To secure your routes, you need to create middleware that verifies the JWT. This middleware will be used to protect any routes that require authentication.

function verifyToken(req, res, next) {
    const token = req.headers['authorization'];

    if (!token) return res.status(403).send({ auth: false, message: 'No token provided.' });

    jwt.verify(token, 'your_secret_key', (err, decoded) => {
        if (err) return res.status(500).send({ auth: false, message: 'Failed to authenticate token.' });
        req.userId = decoded.id;
        next();
    });
}

Step 5: Creating Protected Routes

Now, let’s create a protected route that only authenticated users can access.

app.get('/me', verifyToken, (req, res) => {
    const user = users.find(u => u.username === req.userId);
    if (!user) return res.status(404).send({ message: 'User not found.' });
    res.status(200).send(user);
});

Testing the API

You can use tools like Postman or curl to test your API endpoints:

  1. Register a new user: Send a POST request to /register with a JSON body containing username and password.
  2. Login: Send a POST request to /login with the same credentials. You should receive a JWT token.
  3. Access protected route: Use the token from the login response as a Bearer token in the Authorization header to access the /me route.

Conclusion

Securing a Node.js API with JWT authentication and Express.js is a straightforward process that enhances the security of your application. By following the steps outlined in this article, you can implement JWT authentication, ensuring that your API is protected against unauthorized access.

Best Practices

  • Use HTTPS: Always use HTTPS to protect the token during transmission.
  • Keep Your Secret Key Safe: Store your secret key in environment variables and never hard-code it in your application.
  • Token Expiration: Implement token expiration to minimize the risk of token theft.

With these insights and practical steps, you’re well on your way to building a secure API with Node.js and JWT authentication. Happy coding!

SR
Syed
Rizwan

About the Author

Syed Rizwan is a Machine Learning Engineer with 5 years of experience in AI, IoT, and Industrial Automation.