By Syed Rizwan

how-to-create-a-secure-api-with-oauth-20-in-expressjs.html

How to Create a Secure API with OAuth 2.0 in Express.js

Creating a secure API is crucial for any web application, especially as cybersecurity threats continue to rise. One of the most effective ways to secure your API is by implementing OAuth 2.0, which allows applications to securely access resources without exposing user credentials. In this article, we’ll walk through the process of creating a secure API using OAuth 2.0 in Express.js, a popular Node.js web application framework.

What is OAuth 2.0?

OAuth 2.0 is an open standard for access delegation commonly used for token-based authentication and authorization. It allows third-party services to exchange information without revealing user credentials. OAuth 2.0 is widely adopted by major platforms like Google, Facebook, and GitHub, making it a reliable choice for modern APIs.

Key Concepts

  • Resource Owner: The user who owns the data and grants access to it.
  • Client: The application requesting access to the resource owner's data.
  • Authorization Server: The server responsible for authenticating the resource owner and issuing access tokens.
  • Resource Server: The server that hosts the protected resources and accepts access tokens.

Use Cases for OAuth 2.0

  • Third-Party Login: Allowing users to log in with their Google or Facebook accounts.
  • API Access: Granting applications limited access to user data without sharing credentials.
  • Mobile Applications: Enabling secure access to backend services from mobile apps.

Setting Up Your Express.js Environment

Before diving into the implementation of OAuth 2.0, let’s set up our Express.js environment.

Step 1: Install Express and Required Packages

First, create a new directory for your project and navigate into it:

mkdir express-oauth-api
cd express-oauth-api

Next, initialize a new Node.js project:

npm init -y

Install the required packages:

npm install express dotenv passport passport-oauth2 jsonwebtoken
  • express: The web framework for Node.js.
  • dotenv: For managing environment variables.
  • passport: Middleware for authentication.
  • passport-oauth2: OAuth 2.0 strategy for Passport.
  • jsonwebtoken: To handle JSON Web Tokens.

Step 2: Create Basic Express Server

Create a file named server.js and set up a basic Express server:

const express = require('express');
const dotenv = require('dotenv');

dotenv.config();

const app = express();
const PORT = process.env.PORT || 3000;

app.use(express.json());

app.get('/', (req, res) => {
    res.send('Welcome to the OAuth 2.0 API!');
});

app.listen(PORT, () => {
    console.log(`Server is running on http://localhost:${PORT}`);
});

Implementing OAuth 2.0

Now that we have our basic server running, let’s implement OAuth 2.0.

Step 3: Configure OAuth 2.0 Strategy

You will need to set up the OAuth 2.0 strategy using Passport. Create a new file named passport-setup.js:

const passport = require('passport');
const OAuth2Strategy = require('passport-oauth2');

passport.use(new OAuth2Strategy({
    authorizationURL: process.env.AUTHORIZATION_URL,
    tokenURL: process.env.TOKEN_URL,
    clientID: process.env.CLIENT_ID,
    clientSecret: process.env.CLIENT_SECRET,
    callbackURL: process.env.CALLBACK_URL,
}, (accessToken, refreshToken, profile, done) => {
    // Here you can save the user profile to the database
    done(null, profile);
}));

passport.serializeUser((user, done) => {
    done(null, user);
});

passport.deserializeUser((obj, done) => {
    done(null, obj);
});

Step 4: Set Up Environment Variables

Create a .env file in your project root and add your OAuth credentials:

AUTHORIZATION_URL=https://provider.com/oauth/authorize
TOKEN_URL=https://provider.com/oauth/token
CLIENT_ID=your_client_id
CLIENT_SECRET=your_client_secret
CALLBACK_URL=http://localhost:3000/auth/callback

Step 5: Implement the OAuth Routes

In server.js, add the routes for authentication:

const passport = require('passport');
require('./passport-setup');

app.get('/auth/login', passport.authenticate('oauth2'));

app.get('/auth/callback', 
    passport.authenticate('oauth2', { failureRedirect: '/' }),
    (req, res) => {
        // Successful authentication
        res.send(`Hello ${req.user.displayName}`);
    });

Step 6: Protecting Your API Endpoints

To protect your API endpoints, create a middleware function that checks for a valid token:

const jwt = require('jsonwebtoken');

const authenticateJWT = (req, res, next) => {
    const token = req.headers['authorization'];

    if (token) {
        jwt.verify(token, process.env.JWT_SECRET, (err, user) => {
            if (err) {
                return res.sendStatus(403);
            }
            req.user = user;
            next();
        });
    } else {
        res.sendStatus(401);
    }
};

// Protecting an API route
app.get('/protected', authenticateJWT, (req, res) => {
    res.send('This is a protected route');
});

Step 7: Testing Your API

You can now test your API using tools like Postman or curl. Make a request to the /auth/login route to initiate the OAuth flow, and after successful login, access protected routes using the token received.

Conclusion

Implementing OAuth 2.0 in Express.js provides a robust and scalable solution for securing your API. By following the steps outlined in this article, you can effectively manage user authentication and authorization, ensuring that your application remains secure while offering a seamless user experience. Remember to always keep your dependencies updated and monitor your API for any vulnerabilities. Happy coding!

SR
Syed
Rizwan

About the Author

Syed Rizwan is a Machine Learning Engineer with 5 years of experience in AI, IoT, and Industrial Automation.