By Syed Rizwan

how-to-create-a-secure-rest-api-with-expressjs-and-jwt-authentication.html

How to Create a Secure REST API with Express.js and JWT Authentication

In today's digital landscape, security is paramount, especially when building web applications that handle sensitive user data. One of the most effective ways to secure your application is by implementing a REST API (Representational State Transfer Application Programming Interface) with JWT (JSON Web Token) authentication. In this article, we'll walk you through the process of creating a secure REST API using Express.js and JWT authentication, complete with code examples and actionable insights.

What is Express.js?

Express.js is a minimal and flexible Node.js web application framework that provides a robust set of features for building web and mobile applications. With its simple syntax and powerful middleware capabilities, Express.js has become one of the most popular frameworks for creating RESTful APIs.

What is JWT Authentication?

JWT is an open standard (RFC 7519) that defines a compact, self-contained way for securely transmitting information between parties as a JSON object. It is used for authentication and information exchange, allowing your API to validate the authenticity of requests by verifying tokens issued to users.

Use Cases for a Secure REST API

  1. User Authentication: Verify user identities and manage sessions.
  2. Data Protection: Ensure sensitive data is only accessible to authorized users.
  3. Microservices Communication: Secure communication between different microservices.
  4. Third-Party Integrations: Allow secure access to data for external applications.

Setting Up Your Environment

Before diving into the code, ensure you have the following tools installed:

  • Node.js
  • npm (Node package manager)
  • A code editor (like VSCode)
  • Postman (for testing your API)

Step 1: Initialize Your Project

First, create a new directory for your project and navigate into it:

mkdir express-jwt-api
cd express-jwt-api

Now, initialize a new Node.js project:

npm init -y

Step 2: Install Required Packages

You’ll need to install Express, JSON Web Token, and other necessary packages:

npm install express jsonwebtoken bcryptjs dotenv
  • express: The framework we are using to build the API.
  • jsonwebtoken: To create and verify JWT tokens.
  • bcryptjs: For hashing passwords.
  • dotenv: To manage environment variables.

Step 3: Create the Basic Express Server

Let’s create a simple Express server. Create a file named server.js in your project directory:

// server.js
const express = require('express');
const app = express();
const dotenv = require('dotenv');

dotenv.config();

app.use(express.json());

app.get('/', (req, res) => {
    res.send('Hello World!');
});

const PORT = process.env.PORT || 5000;
app.listen(PORT, () => {
    console.log(`Server running on port ${PORT}`);
});

Step 4: User Registration and Password Hashing

Next, let’s create a basic user registration endpoint that hashes passwords. For simplicity, we'll store users in memory.

// server.js (continued)
const users = [];

app.post('/register', (req, res) => {
    const { username, password } = req.body;
    const hashedPassword = bcrypt.hashSync(password, 8); // Hashing the password
    const user = { username, password: hashedPassword };
    users.push(user);
    res.status(201).send('User registered successfully');
});

Step 5: JWT Token Generation

Now let's create a login endpoint that generates a JWT token when a user logs in successfully.

// server.js (continued)
app.post('/login', (req, res) => {
    const { username, password } = req.body;
    const user = users.find(u => u.username === username);
    if (!user || !bcrypt.compareSync(password, user.password)) {
        return res.status(401).send('Invalid credentials');
    }

    const token = jwt.sign({ username: user.username }, process.env.JWT_SECRET, { expiresIn: '1h' });
    res.json({ auth: true, token });
});

Step 6: Middleware for Token Verification

To protect our routes, we need middleware that verifies the JWT token.

// server.js (continued)
const verifyToken = (req, res, next) => {
    const token = req.headers['x-access-token'];
    if (!token) return res.status(403).send('No token provided');

    jwt.verify(token, process.env.JWT_SECRET, (err, decoded) => {
        if (err) return res.status(500).send('Failed to authenticate token');
        req.userId = decoded.id;
        next();
    });
};

Step 7: Protected Route Example

Now, let’s create a protected route that requires a valid token to access.

// server.js (continued)
app.get('/me', verifyToken, (req, res) => {
    const user = users.find(u => u.username === req.userId);
    if (!user) return res.status(404).send('User not found');
    res.json({ username: user.username });
});

Step 8: Testing Your API

You can test your API using Postman.

  1. Register a User: Send a POST request to http://localhost:5000/register with a JSON body of {"username": "testuser", "password": "testpass"}.
  2. Login: Send a POST request to http://localhost:5000/login with the same credentials. You should receive a JWT token.
  3. Access Protected Route: Send a GET request to http://localhost:5000/me with the token in the headers (x-access-token).

Conclusion

Creating a secure REST API with Express.js and JWT authentication can significantly enhance the security of your web applications. By following the steps outlined in this article, you can build a robust API that not only protects user data but also streamlines authentication processes. Remember to always keep your JWT secret safe, and never expose sensitive information in your code.

Now it’s your turn to implement these techniques in your projects. Happy coding!

SR
Syed
Rizwan

About the Author

Syed Rizwan is a Machine Learning Engineer with 5 years of experience in AI, IoT, and Industrial Automation.