By Syed Rizwan

how-to-secure-your-expressjs-api-with-jwt-authentication.html

How to Secure Your Express.js API with JWT Authentication

In today’s world of web development, security is a top priority, especially when creating APIs that handle sensitive data. As developers, we strive to protect our applications from unauthorized access while ensuring a smooth user experience. One effective way to secure your Express.js API is by using JSON Web Tokens (JWT) for authentication. In this article, we’ll explore what JWT is, how it works, and provide step-by-step instructions on implementing it in your Express.js application.

What is JWT?

JSON Web Token (JWT) is an open standard used to securely transmit information between parties as a JSON object. This information can be verified and trusted because it is digitally signed. JWT can be signed using a secret (with the HMAC algorithm) or a public/private key pair using RSA or ECDSA.

Key Components of JWT

  1. Header: Contains metadata about the token, including the type of token (JWT) and the signing algorithm (e.g., HMAC SHA256).
  2. Payload: This section contains the claims, which are statements about an entity (typically, the user) and additional data.
  3. Signature: To create the signature part, you take the encoded header, encoded payload, a secret, and sign it using the algorithm specified in the header.

Use Cases for JWT

  • User Authentication: After a user logs in, a JWT can be generated and sent to the client, which they can use for subsequent requests.
  • Information Exchange: JWTs can securely transmit information between parties, with the ability to verify the authenticity of the sender.

Setting Up Your Express.js API

Let’s break down the process of securing an Express.js API using JWT authentication into manageable steps.

Step 1: Project Initialization

Start by creating a new Express.js project. If you haven't installed Express yet, you can do so using npm:

mkdir express-jwt-example
cd express-jwt-example
npm init -y
npm install express jsonwebtoken dotenv body-parser

Step 2: Create Basic Express Server

Create a file named server.js and set up a basic Express server:

const express = require('express');
const bodyParser = require('body-parser');
const dotenv = require('dotenv');

dotenv.config();

const app = express();
const PORT = process.env.PORT || 3000;

app.use(bodyParser.json());

app.get('/', (req, res) => {
    res.send('Welcome to the Express JWT API!');
});

app.listen(PORT, () => {
    console.log(`Server is running on http://localhost:${PORT}`);
});

Step 3: Implement User Registration and Login

To demonstrate JWT authentication, we need users to register and log in. For simplicity, we’ll use an in-memory array to store users.

Add the following code to server.js:

let users = [];

app.post('/register', (req, res) => {
    const { username, password } = req.body;
    const userExists = users.find(user => user.username === username);

    if (userExists) {
        return res.status(400).send('User already exists.');
    }

    users.push({ username, password });
    res.status(201).send('User registered successfully.');
});

app.post('/login', (req, res) => {
    const { username, password } = req.body;
    const user = users.find(user => user.username === username && user.password === password);

    if (!user) {
        return res.status(401).send('Invalid credentials.');
    }

    const token = jwt.sign({ username }, process.env.JWT_SECRET, { expiresIn: '1h' });
    res.json({ token });
});

Step 4: Protecting Routes with JWT

Now that we can generate a token upon login, let's secure our API routes. To do this, we need a middleware function that verifies the JWT.

Add the following middleware function to your server.js:

const jwt = require('jsonwebtoken');

const authenticateToken = (req, res, next) => {
    const token = req.headers['authorization'] && req.headers['authorization'].split(' ')[1];

    if (!token) return res.sendStatus(401);

    jwt.verify(token, process.env.JWT_SECRET, (err, user) => {
        if (err) return res.sendStatus(403);
        req.user = user;
        next();
    });
};

Step 5: Creating a Protected Route

Now, let’s create a protected route that only authenticated users can access:

app.get('/protected', authenticateToken, (req, res) => {
    res.send(`Hello, ${req.user.username}. You have access to this protected route!`);
});

Step 6: Testing Your API

You can use tools like Postman or CURL to test your API. Here’s a short guide on how to do it:

  1. Register a User: Send a POST request to http://localhost:3000/register with JSON body: json { "username": "testuser", "password": "testpassword" }

  2. Log In: Send a POST request to http://localhost:3000/login with the same credentials: json { "username": "testuser", "password": "testpassword" } You should receive a JWT token in the response.

  3. Access Protected Route: Send a GET request to http://localhost:3000/protected with the Authorization header: Authorization: Bearer YOUR_JWT_TOKEN

Troubleshooting Common Issues

  • Token Expiration: Ensure you handle token expiration correctly by checking the error in the JWT verification step.
  • Invalid Token: If you receive a 403 status, it likely means that the token is invalid or expired.
  • Missing Authorization Header: Always check if the Authorization header is set correctly when making requests to protected routes.

Conclusion

Securing your Express.js API with JWT authentication is a straightforward yet powerful approach. By following the steps outlined in this article, you can protect your application from unauthorized access while providing a seamless user experience. Remember to keep your JWT secret secure and to handle token expiration properly for optimal security. Happy coding!

SR
Syed
Rizwan

About the Author

Syed Rizwan is a Machine Learning Engineer with 5 years of experience in AI, IoT, and Industrial Automation.