By Syed Rizwan

how-to-implement-oauth-20-for-secure-api-access-in-nodejs-with-expressjs.html

How to Implement OAuth 2.0 for Secure API Access in Node.js with Express.js

In today’s digital landscape, securing APIs is more critical than ever. OAuth 2.0 is one of the most widely accepted protocols for authorization, allowing secure access to resources across the web. In this article, we’ll walk through the steps to implement OAuth 2.0 in a Node.js application using Express.js, ensuring that your API is both secure and user-friendly.

What Is OAuth 2.0?

OAuth 2.0 is an authorization framework that enables third-party applications to obtain limited access to user accounts on an HTTP service. Unlike traditional authentication methods that require sharing usernames and passwords, OAuth 2.0 allows users to authorize applications without sharing their credentials, enhancing security.

Key Concepts

  • Resource Owner: The user who authorizes an application to access their data.
  • Client: The application requesting access to user data.
  • Authorization Server: The server that authenticates the user and issues access tokens.
  • Resource Server: The server hosting the user data that the client wants to access.

Use Cases

  • Single Sign-On (SSO): Users can access multiple applications with one set of credentials.
  • Third-party Authentication: Applications can authenticate users via services like Google, Facebook, or GitHub.
  • Scoped Access: Allows applications to request specific permissions, minimizing data exposure.

Setting Up Your Node.js Environment

Before we dive into the implementation, let’s set up our Node.js and Express.js environment.

Prerequisites

  • Node.js installed
  • Basic knowledge of JavaScript and Express.js

Step 1: Initialize Your Project

Start by creating a new directory for your project and initializing it with npm:

mkdir oauth2-example
cd oauth2-example
npm init -y

Step 2: Install Required Packages

We will need a few packages to handle OAuth 2.0:

npm install express axios dotenv express-session passport passport-oauth2
  • Express: A web framework for Node.js.
  • Axios: A promise-based HTTP client for making requests.
  • dotenv: A module to load environment variables.
  • express-session: Middleware for managing user sessions.
  • passport: Authentication middleware, along with passport-oauth2 for OAuth 2.0 support.

Step 3: Create Your Directory Structure

Create the following directory structure:

oauth2-example/
│
├── .env
├── index.js
└── views/
    └── index.html

Step 4: Configure Environment Variables

In your .env file, add your OAuth 2.0 credentials. For this example, we'll use GitHub as the OAuth provider:

GITHUB_CLIENT_ID=your_client_id
GITHUB_CLIENT_SECRET=your_client_secret
GITHUB_CALLBACK_URL=http://localhost:3000/auth/github/callback
SESSION_SECRET=your_session_secret

Replace your_client_id and your_client_secret with your GitHub OAuth application's credentials.

Implementing OAuth 2.0 in Express.js

Step 1: Setting Up Express and Middleware

In your index.js file, set up the Express server and configure middleware:

require('dotenv').config();
const express = require('express');
const session = require('express-session');
const passport = require('passport');
const GitHubStrategy = require('passport-github2').Strategy;

const app = express();

app.use(session({ secret: process.env.SESSION_SECRET, resave: false, saveUninitialized: true }));
app.use(passport.initialize());
app.use(passport.session());
app.set('view engine', 'ejs');

// GitHub OAuth Strategy
passport.use(new GitHubStrategy({
    clientID: process.env.GITHUB_CLIENT_ID,
    clientSecret: process.env.GITHUB_CLIENT_SECRET,
    callbackURL: process.env.GITHUB_CALLBACK_URL
}, (accessToken, refreshToken, profile, done) => {
    return done(null, profile);
}));

passport.serializeUser((user, done) => {
    done(null, user);
});

passport.deserializeUser((user, done) => {
    done(null, user);
});

Step 2: Creating Routes

Now, let’s create the routes for authentication:

app.get('/', (req, res) => {
    res.render('index', { user: req.user });
});

// Authenticate with GitHub
app.get('/auth/github', passport.authenticate('github', { scope: ['user:email'] }));

// Callback after GitHub has authenticated the user
app.get('/auth/github/callback',
    passport.authenticate('github', { failureRedirect: '/' }),
    (req, res) => {
        res.redirect('/profile');
    });

// User Profile
app.get('/profile', (req, res) => {
    if (!req.isAuthenticated()) {
        return res.redirect('/');
    }
    res.send(`<h1>Hello ${req.user.username}</h1><a href="/logout">Logout</a>`);
});

// Logout
app.get('/logout', (req, res) => {
    req.logout();
    res.redirect('/');
});

// Start server
app.listen(3000, () => {
    console.log('Server is running on http://localhost:3000');
});

Step 3: Creating Views

Create a simple view in views/index.html for our application:

<!DOCTYPE html>
<html lang="en">
<head>
    <meta charset="UTF-8">
    <meta name="viewport" content="width=device-width, initial-scale=1.0">
    <title>OAuth 2.0 Example</title>
</head>
<body>
    <h1>Welcome to OAuth 2.0 Example</h1>
    <% if (user) { %>
        <h2>Hello, <%= user.username %>!</h2>
        <a href="/profile">Profile</a> | <a href="/logout">Logout</a>
    <% } else { %>
        <a href="/auth/github">Login with GitHub</a>
    <% } %>
</body>
</html>

Testing Your Application

  1. Start your server:

bash node index.js

  1. Open your browser and navigate to http://localhost:3000.

  2. Click on "Login with GitHub" and authorize the application.

  3. After successful authentication, you will be redirected to your profile page.

Troubleshooting Tips

  • Invalid Client ID or Secret: Ensure your GitHub app settings are correct and match those in your .env.
  • Session Issues: If sessions are not working, verify your session middleware setup.
  • Callback URL Mismatch: Double-check that your callback URL is set correctly in both your GitHub app and .env.

Conclusion

Implementing OAuth 2.0 in a Node.js application with Express.js is straightforward. This powerful authorization framework enhances security while providing a seamless user experience. By following the steps outlined in this article, you can start securing your APIs and allow users to authenticate easily using third-party services.

Remember, OAuth 2.0 is not just a technical implementation; it’s about providing trust and security in your applications. Happy coding!

SR
Syed
Rizwan

About the Author

Syed Rizwan is a Machine Learning Engineer with 5 years of experience in AI, IoT, and Industrial Automation.