By Syed Rizwan

building-a-secure-rest-api-using-expressjs-and-jwt-authentication.html

Building a Secure REST API Using Express.js and JWT Authentication

In the modern world of web development, security is paramount, especially when creating a REST API. One of the most efficient ways to secure your API is by implementing JSON Web Tokens (JWT) for authentication. In this article, we will explore how to build a secure REST API using Express.js and JWT authentication, providing you with a comprehensive guide, code snippets, and actionable insights to enhance your coding skills.

What is a REST API?

A REST (Representational State Transfer) API is an architectural style that allows different software applications to communicate over HTTP. It uses standard HTTP methods like GET, POST, PUT, and DELETE to manage data, making it a fundamental building block for web services.

Use Cases of a REST API

  • Mobile Applications: REST APIs are widely used in mobile apps for data exchange.
  • Web Services: Many web services utilize REST APIs for client-server communication.
  • Microservices: REST APIs enable microservices architecture, allowing scalable and independent service deployment.

What is JWT?

JSON Web Token (JWT) is an open standard (RFC 7519) that defines a compact and self-contained way for securely transmitting information between parties. It allows the server to verify the token's authenticity, ensuring that the user is who they claim to be.

Key Features of JWT

  • Compact: JWTs can be sent via URL, POST parameter, or inside an HTTP header.
  • Self-contained: JWTs contain all the necessary information about the user, reducing the need for multiple database queries.
  • Secure: JWT can be signed using a secret (with HMAC algorithm) or a public/private key pair using RSA or ECDSA.

Setting Up Your Project

Step 1: Initialize a Node.js Project

First, you need to create a new directory for your project and initialize a Node.js application.

mkdir my-secure-api
cd my-secure-api
npm init -y

Step 2: Install Required Packages

You will need to install Express.js, JWT, and other necessary middleware.

npm install express jsonwebtoken bcryptjs body-parser cors dotenv
  • express: Framework to build the API.
  • jsonwebtoken: Library to work with JWT.
  • bcryptjs: Library to hash passwords.
  • body-parser: Middleware to parse incoming request bodies.
  • cors: Middleware to enable Cross-Origin Resource Sharing.
  • dotenv: Module to load environment variables.

Step 3: Create the Basic Server

Create a file named server.js and set up a simple Express server.

const express = require('express');
const bodyParser = require('body-parser');
const cors = require('cors');
require('dotenv').config();

const app = express();
app.use(cors());
app.use(bodyParser.json());

const PORT = process.env.PORT || 5000;

app.listen(PORT, () => {
    console.log(`Server running on port ${PORT}`);
});

Implementing User Registration and Login

Step 4: User Registration

Create a mock database using an array to store users (for demonstration purposes). In a real application, you would use a database like MongoDB or PostgreSQL.

const users = [];

app.post('/register', (req, res) => {
    const { username, password } = req.body;

    // Check if user already exists
    const existingUser = users.find(user => user.username === username);
    if (existingUser) {
        return res.status(400).send('User already exists');
    }

    // Hash password
    const hashedPassword = bcrypt.hashSync(password, 8);
    users.push({ username, password: hashedPassword });
    res.status(201).send('User registered successfully');
});

Step 5: User Login and JWT Generation

Now, let’s implement the login functionality, where the server generates a JWT upon successful authentication.

app.post('/login', (req, res) => {
    const { username, password } = req.body;
    const user = users.find(user => user.username === username);

    if (!user || !bcrypt.compareSync(password, user.password)) {
        return res.status(401).send('Invalid credentials');
    }

    const token = jwt.sign({ id: user.username }, process.env.JWT_SECRET, {
        expiresIn: 86400 // expires in 24 hours
    });

    res.status(200).send({ auth: true, token });
});

Protecting Routes with JWT

Step 6: Middleware for Authentication

To protect your routes, create a middleware that verifies the JWT.

function verifyToken(req, res, next) {
    const token = req.headers['x-access-token'];

    if (!token) {
        return res.status(403).send('No token provided');
    }

    jwt.verify(token, process.env.JWT_SECRET, (err, decoded) => {
        if (err) {
            return res.status(500).send('Failed to authenticate token');
        }
        req.userId = decoded.id;
        next();
    });
}

Step 7: Create a Protected Route

With the middleware in place, you can create a protected route that requires authentication.

app.get('/secure-data', verifyToken, (req, res) => {
    res.status(200).send('This is secured data');
});

Testing Your API

You can use tools like Postman or Insomnia to test your API endpoints. Here’s how to test:

  1. Register a User: Send a POST request to /register with a JSON body containing username and password.
  2. Log In: Send a POST request to /login with the same credentials. You should receive a JWT in the response.
  3. Access Protected Route: Use the JWT as a Bearer token in the header of a GET request to /secure-data.

Conclusion

Building a secure REST API using Express.js and JWT is a powerful way to ensure your application’s data remains protected. By following the steps outlined in this article, you can implement user registration, login, and route protection efficiently. Remember to always keep your dependencies updated and to follow best practices for security. Happy coding!

SR
Syed
Rizwan

About the Author

Syed Rizwan is a Machine Learning Engineer with 5 years of experience in AI, IoT, and Industrial Automation.