By Syed Rizwan

setting-up-secure-jwt-authentication-in-an-expressjs-api.html

Setting Up Secure JWT Authentication in an Express.js API

In the modern world of web applications, security is paramount. With the proliferation of APIs and microservices, ensuring that your application’s data and endpoints are secure is more important than ever. One robust solution for API security is JSON Web Tokens (JWT). In this article, we will explore how to set up secure JWT authentication in an Express.js API, providing you with the knowledge and tools to implement effective security measures in your applications.

What is JWT?

JSON Web Token (JWT) is an open standard (RFC 7519) that defines a compact and self-contained way for securely transmitting information between parties as a JSON object. This information can be verified and trusted because it is digitally signed. JWTs can be signed using a secret (with HMAC algorithm) or a public/private key pair using RSA or ECDSA.

Key Components of a JWT

A JWT is composed of three parts:

  1. Header: Contains metadata about the token, including the type of token (JWT) and the signing algorithm used (e.g., HS256).

  2. Payload: Contains the claims or the data you want to transmit. This can include user information, roles, and permissions.

  3. Signature: Used to verify that the sender of the JWT is who it claims to be and to ensure that the message wasn't changed along the way.

Why Use JWT for Authentication?

JWTs are favored for several reasons:

  • Stateless: They do not require server-side sessions, making them scalable.
  • Compact: They can be sent through URLs, POST parameters, or inside HTTP headers.
  • Self-contained: They contain all the information needed for authentication.

Setting Up JWT Authentication in Express.js

Let’s dive into the practical steps to implement JWT authentication in an Express.js API.

Prerequisites

Before you start, ensure you have the following:

  • Node.js and npm installed.
  • Basic knowledge of Express.js.
  • A code editor.

Step 1: Create a New Express Project

First, create a new directory for your project and initialize it with npm:

mkdir jwt-auth-example
cd jwt-auth-example
npm init -y

Next, install the necessary packages:

npm install express jsonwebtoken bcryptjs body-parser

Step 2: Set Up the Basic Express Server

Create an index.js file and set up a simple Express server:

const express = require('express');
const bodyParser = require('body-parser');

const app = express();
const PORT = process.env.PORT || 3000;

app.use(bodyParser.json());

app.listen(PORT, () => {
  console.log(`Server is running on http://localhost:${PORT}`);
});

Step 3: Create User Registration and Login Routes

We need routes to register users and log them in. For simplicity, we’ll use an in-memory array to store users.

let users = []; // This will hold our users temporarily

app.post('/register', (req, res) => {
  const { username, password } = req.body;
  const hashedPassword = bcrypt.hashSync(password, 8);
  users.push({ username, password: hashedPassword });
  res.status(201).send({ message: 'User registered successfully!' });
});

app.post('/login', (req, res) => {
  const { username, password } = req.body;
  const user = users.find(u => u.username === username);

  if (!user || !bcrypt.compareSync(password, user.password)) {
    return res.status(401).send({ auth: false, token: null });
  }

  const token = jwt.sign({ username: user.username }, 'your-secret-key', { expiresIn: 86400 });
  res.status(200).send({ auth: true, token });
});

Step 4: Protect Routes with JWT Middleware

Now, let’s create middleware to verify the token and protect certain routes:

function verifyToken(req, res, next) {
  const token = req.headers['authorization'];

  if (!token) return res.status(403).send({ auth: false, message: 'No token provided.' });

  jwt.verify(token, 'your-secret-key', (err, decoded) => {
    if (err) return res.status(500).send({ auth: false, message: 'Failed to authenticate token.' });
    req.userId = decoded.id;
    next();
  });
}

app.get('/protected', verifyToken, (req, res) => {
  res.status(200).send({ message: 'This is a protected route!', userId: req.userId });
});

Step 5: Testing Your API

Now that we have our basic authentication setup, you can use tools like Postman or Insomnia to test the API:

  1. Register a user:
  2. POST to http://localhost:3000/register

  3. Body: { "username": "test", "password": "password123" }

  4. Login the user:

  5. POST to http://localhost:3000/login
  6. Body: { "username": "test", "password": "password123" }

  7. Note the token in the response.

  8. Access the protected route:

  9. GET to http://localhost:3000/protected
  10. Set the Authorization header: Bearer YOUR_TOKEN_HERE

Troubleshooting Common Issues

  • Token not provided: Ensure you’re sending the token in the Authorization header.
  • Token expired: Check the expiration time set in your JWT signing and refresh as needed.
  • User not found: Verify that the registration step was successful and the user exists.

Conclusion

Setting up secure JWT authentication in an Express.js API is a straightforward process that enhances the security of your application. By following the steps outlined in this article, you can implement JWT-based authentication, ensuring your API endpoints are protected and your users’ data remains secure.

With this knowledge, you are now equipped to build robust and secure APIs using Express.js and JWT. Happy coding!

SR
Syed
Rizwan

About the Author

Syed Rizwan is a Machine Learning Engineer with 5 years of experience in AI, IoT, and Industrial Automation.