By Syed Rizwan

how-to-set-up-a-secure-api-with-oauth2-and-jwt-authentication-in-nodejs.html

How to Set Up a Secure API with OAuth2 and JWT Authentication in Node.js

In the world of web development, ensuring the security of your API is paramount. With the rise of mobile applications and single-page applications (SPAs), developers need robust authentication methods to protect sensitive data. Two popular technologies that serve this purpose are OAuth2 and JSON Web Tokens (JWT). In this article, we'll explore how to set up a secure API using these technologies in a Node.js environment, providing you with a solid foundation to build upon.

Understanding OAuth2 and JWT

Before diving into the implementation, let’s clarify what OAuth2 and JWT are:

What is OAuth2?

OAuth2 is an authorization framework that allows third-party applications to obtain limited access to user accounts on an HTTP service. It enables secure token-based authentication and is widely used by platforms such as Google, Facebook, and GitHub.

What is JWT?

JWT, or JSON Web Token, is a compact and self-contained way for securely transmitting information between parties as a JSON object. This information can be verified and trusted because it is digitally signed. JWTs can be signed using a secret (with HMAC algorithm) or a public/private key pair using RSA or ECDSA.

Use Cases

You might want to implement OAuth2 and JWT authentication in scenarios such as:

  • Single Page Applications (SPAs): Where you need to authenticate users without reloading the page.
  • Mobile Applications: That require secure communication with a backend API.
  • Microservices: Where services need to authenticate users in a distributed environment.

Now, let’s get started with setting up a secure API with OAuth2 and JWT authentication in Node.js!

Step-by-Step Implementation

Step 1: Setting Up Your Project

First, create a new directory for your project and initialize a Node.js application.

mkdir secure-api
cd secure-api
npm init -y

Step 2: Install Required Packages

Next, install the necessary packages. You'll need Express for creating the API, jsonwebtoken for generating JWTs, and bcryptjs for hashing passwords.

npm install express jsonwebtoken bcryptjs dotenv

Step 3: Create Your Basic Express Server

Create a file named server.js and set up a basic Express server.

// server.js
const express = require('express');
const app = express();
const dotenv = require('dotenv');

dotenv.config();

app.use(express.json());

app.get('/', (req, res) => {
    res.send('Welcome to the Secure API!');
});

const PORT = process.env.PORT || 3000;
app.listen(PORT, () => {
    console.log(`Server is running on port ${PORT}`);
});

Step 4: User Registration and Password Hashing

Create routes for user registration and use bcryptjs to hash passwords. Add the following code to server.js.

const users = []; // In-memory user storage for demo purposes

app.post('/register', (req, res) => {
    const { username, password } = req.body;

    const hashedPassword = bcrypt.hashSync(password, 8);
    users.push({ username, password: hashedPassword });

    res.status(201).send({ message: 'User registered successfully!' });
});

Step 5: User Login and JWT Generation

Next, create a login route that generates a JWT upon successful authentication.

app.post('/login', (req, res) => {
    const { username, password } = req.body;
    const user = users.find(u => u.username === username);

    if (!user || !bcrypt.compareSync(password, user.password)) {
        return res.status(401).send({ message: 'Invalid credentials' });
    }

    const token = jwt.sign({ username: user.username }, process.env.JWT_SECRET, { expiresIn: '1h' });
    res.status(200).send({ auth: true, token });
});

Step 6: Protecting Routes with JWT

To secure your API routes, create a middleware function that verifies the JWT.

function verifyToken(req, res, next) {
    const token = req.headers['x-access-token'];
    if (!token) return res.status(403).send({ message: 'No token provided!' });

    jwt.verify(token, process.env.JWT_SECRET, (err, decoded) => {
        if (err) return res.status(500).send({ message: 'Failed to authenticate token.' });

        req.userId = decoded.id;
        next();
    });
}

Now, apply this middleware to protected routes.

app.get('/protected', verifyToken, (req, res) => {
    res.status(200).send({ message: 'This is a protected route!', userId: req.userId });
});

Step 7: Testing Your API

You can test your API using tools like Postman or curl. Here’s how you can do it:

  1. Register a User: Send a POST request to /register with a JSON body containing a username and password.
  2. Login: Send a POST request to /login with the same credentials to receive a JWT.
  3. Access Protected Route: Use the received token in the x-access-token header when making a GET request to /protected.

Troubleshooting Common Issues

  • Invalid Token Error: Ensure you are passing the token correctly in the headers.
  • Hashing Error: If you encounter issues with password hashing, double-check your bcryptjs installation.
  • Server Not Starting: Make sure your environment variables are set correctly in your .env file.

Conclusion

Setting up a secure API with OAuth2 and JWT authentication in Node.js is a powerful way to ensure your application is protected. By implementing these techniques, you can safeguard user data and create a seamless authentication experience. With the steps outlined in this article, you're well on your way to building secure APIs that stand the test of time.

Feel free to expand on this foundation by incorporating features like token expiration, refresh tokens, or integrating with a database for user management. Happy coding!

SR
Syed
Rizwan

About the Author

Syed Rizwan is a Machine Learning Engineer with 5 years of experience in AI, IoT, and Industrial Automation.