Developing modern web applications requires special attention to security. One of the most critical aspects is authentication, especially when it comes to REST APIs. In this tutorial, we'll explore how to implement a robust authentication system using Node.js and JSON Web Tokens (JWT). Join us as we cover everything from installation to full deployment.
What is JWT?
JSON Web Tokens (JWT) is an open standard that defines a compact, self-contained way to transmit information between parties as a JSON object. This information can be verified and trusted because it is digitally signed. Authentication via JWT is not only secure but also highly scalable.
Advantages of Using JWT
One of the main advantages of using JWT over other authentication techniques is its self-contained nature. This means that tokens contain all the information needed for authentication, eliminating the need to maintain sessions on the server. Another essential benefit is their support for CORS, which is crucial when developing APIs that need to be accessible from different domains.
Setting Up the Environment
Before you begin, make sure you have Node.js installed. You'll need to install a few dependencies: express, jsonwebtoken, and bcrypt. This can be done by running the following command:
$ npm install express jsonwebtoken bcryptBasic Project Structure
You can structure your project as follows:
|-- src | |-- index.js |-- middlewares | |-- auth.js index.js will be our entry point, while auth.js will handle the authentication-related functions.
Creating a Basic API
Next, we'll create a basic API with Express:
// index.js const express = require(express); const app = express(); app.use(express.json()); app.get(/, (req, res) => { res.send(API working!); }); const PORT = process.env.PORT || 3000; app.listen(PORT, () => { console.log(Server running on port ${PORT}); }); Implementing JWT for Authentication
Middleware Code auth.js
// auth.js const jwt = require(jsonwebtoken); const secretKey = my_secret_key; module.exports.authenticateToken = (req, res, next) => { const token = req.header(x-access-token); if (!token) return res.status(403).send(Access is denied.); try { const verified = jwt.verify(token, secretKey); req.user = verified; next(); } catch (err) { res.status(401).send(Invalid Token); } }; Here we have defined a simple middleware that authenticates the validity of the tokens passed in the HTTP headers.
User Handling and Token Generation
Next, we implement the routes to register users and generate tokens:
// index.js const bcrypt = require(bcrypt); const jwt = require(jsonwebtoken); const users = []; app.post(/register, async (req, res) => { try { const salt = await bcrypt.genSalt(10); const hashedPassword = await bcrypt.hash(req.body.password, salt); const user = { name: req.body.name, password: hashedPassword }; users.push(user); res.status(201).send(Registered user!); } catch (err) { res.status(500).send(err.message); app.post(/login, async (req, res) => { const user = users.find((user) => user.name === req.body.name); if (!user) return res.status(404).send(User not found); try { const validPassword = await bcrypt.compare(req.body.password, user.password); if (!validPassword) return res.status(400).send(Invalid password); const token = jwt.sign({ _id: user._id }, my_secret_key); res.header(x-access-token, token).send(Login successful! } catch (err) { res.status(500).send(err.message); Now we have added routes for registration and login. Upon successful login, a JWT token will be generated and returned to the client.
Explore more about the technology here