By Syed Rizwan

how-to-create-a-secure-api-with-expressjs-and-jwt-authentication.html

How to Create a Secure API with Express.js and JWT Authentication

In today's digital age, creating secure APIs is crucial for any application that handles sensitive user data. Express.js, a minimal and flexible Node.js web application framework, combined with JSON Web Tokens (JWT), offers a powerful solution for implementing secure authentication in your applications. This article will guide you through the process of setting up a secure API using Express.js and JWT authentication, complete with code examples and actionable insights.

Understanding the Basics

What is an API?

An Application Programming Interface (API) allows different software applications to communicate with each other. APIs are essential for enabling functionalities like user authentication, data retrieval, and interaction between front-end and back-end systems.

What is JWT?

JSON Web Tokens (JWT) are an open standard used to securely transmit information between parties as a JSON object. They are compact, URL-safe, and can be verified and trusted because they are digitally signed. JWTs are commonly used for authentication and information exchange.

Use Cases for JWT Authentication

  • Single Sign-On (SSO): Allow users to authenticate once and access multiple applications.
  • Mobile Applications: Securely authenticate users in mobile apps without storing sensitive information.
  • Microservices: Facilitate secure communication between different microservices.

Setting Up Your Environment

Before diving into the code, ensure you have Node.js and npm installed on your machine. You can check this by running:

node -v
npm -v

Next, create a new directory for your project and initialize it:

mkdir secure-api
cd secure-api
npm init -y

Now, install the necessary packages:

npm install express jsonwebtoken bcryptjs dotenv
  • express: A web framework for Node.js.
  • jsonwebtoken: A library to work with JWT.
  • bcryptjs: A library to hash passwords securely.
  • dotenv: A module to load environment variables from a .env file.

Creating the API

Step 1: Setting Up Express Server

Create a file named server.js and set up a basic Express server:

const express = require('express');
const bodyParser = require('body-parser');
const dotenv = require('dotenv');

dotenv.config();
const app = express();
const PORT = process.env.PORT || 5000;

app.use(bodyParser.json());

app.listen(PORT, () => {
  console.log(`Server running on port ${PORT}`);
});

Step 2: User Registration and Password Hashing

Create a simple user model and a registration endpoint. For demonstration purposes, we will store users in an in-memory array.

let users = [];

app.post('/register', (req, res) => {
  const { username, password } = req.body;

  // Hash the password
  const hashedPassword = bcrypt.hashSync(password, 8);
  users.push({ username, password: hashedPassword });

  res.status(201).send({ message: 'User registered successfully!' });
});

Step 3: User Login and Token Generation

Next, add a login endpoint that verifies user credentials and generates a JWT.

app.post('/login', (req, res) => {
  const { username, password } = req.body;
  const user = users.find(u => u.username === username);

  if (!user || !bcrypt.compareSync(password, user.password)) {
    return res.status(401).send({ message: 'Invalid credentials!' });
  }

  const token = jwt.sign({ username: user.username }, process.env.JWT_SECRET, {
    expiresIn: '1h',
  });

  res.status(200).send({ auth: true, token });
});

Step 4: Protecting Routes with Middleware

To protect your routes, create an authentication middleware that verifies the JWT:

const verifyToken = (req, res, next) => {
  const token = req.headers['x-access-token'];

  if (!token) return res.status(403).send({ auth: false, message: 'No token provided.' });

  jwt.verify(token, process.env.JWT_SECRET, (err, decoded) => {
    if (err) return res.status(500).send({ auth: false, message: 'Failed to authenticate.' });
    req.username = decoded.username;
    next();
  });
};

Step 5: Creating a Protected Route

Now, create a protected route that only authenticated users can access:

app.get('/dashboard', verifyToken, (req, res) => {
  res.status(200).send(`Welcome to your dashboard, ${req.username}!`);
});

Step 6: Testing Your API

You can use tools like Postman or curl to test your API. Here’s a quick rundown of the requests you can make:

  1. Register a User:

  2. POST to /register with a JSON body containing username and password.

  3. Login:

  4. POST to /login with the same credentials to receive a JWT.

  5. Access Protected Route:

  6. GET /dashboard with the token in the header as x-access-token.

Conclusion

Building a secure API with Express.js and JWT authentication is a straightforward process that enhances your application's security. By following the steps outlined in this article, you can create a robust authentication system that protects user data and ensures secure communication between your front-end and back-end.

Key Takeaways

  • Use Express.js for building your API.
  • Implement JWT for secure authentication.
  • Always hash passwords before storing them.
  • Protect sensitive routes using middleware.

With these best practices in mind, you can confidently create APIs that are not only functional but also secure. Happy coding!

SR
Syed
Rizwan

About the Author

Syed Rizwan is a Machine Learning Engineer with 5 years of experience in AI, IoT, and Industrial Automation.