Express.js JWT Authentication

JSON Web Token (JWT) is a compact, URL-safe way of representing claims between two parties. In Express.js, JWT is commonly used for securing APIs and implementing authentication mechanisms.


Key Features of JWT Authentication

  • Token-Based Authentication: The client presents a signed token on each request instead of relying on a server-side session; the server authenticates the request by checking the signature.
  • Stateless: JWT eliminates the need to store session data on the server. The flip side is that a token stays valid until it expires, so keep lifetimes short.
  • Compact: The header and payload are base64url-encoded (not encrypted), so the token fits in an HTTP header. Because it is only encoded, anyone who holds the token can read the claims; the signature protects integrity, not confidentiality.
  • Easy to Verify: The server validates the token with the secret key that signed it (HS256), or with the public key for asymmetric algorithms such as RS256.


Steps to Implement JWT Authentication

Install Required Packages
Use jsonwebtoken for signing and verifying tokens and bcryptjs for hashing passwords.

npm install jsonwebtoken bcryptjs

Create a Token
Generate a JWT after validating the user’s credentials.

Example:

const jwt = require('jsonwebtoken');

// Placeholder secret for the example; in real code load it from configuration (e.g. an environment variable)
const secret = 'your_secret_key';

// Inside the login handler, after the credentials have been checked:
const payload = { id: user.id, username: user.username }; // claims only; the payload is readable by anyone holding the token
const token = jwt.sign(payload, secret, { expiresIn: '1h' }); // HS256 by default, with a one-hour expiry

res.json({ token });

Verify a Token
Protect routes by verifying tokens using middleware.

Example:

const jwt = require('jsonwebtoken');

const authenticateToken = (req, res, next) => {
    // Expect the standard "Authorization: Bearer <token>" header
    const header = req.headers['authorization'] || '';
    const token = header.startsWith('Bearer ') ? header.slice('Bearer '.length) : null;
    if (!token) return res.status(401).send('Access Denied');

    // Pin the accepted algorithm so the token header cannot choose it; use the same secret that signed the token
    jwt.verify(token, 'your_secret_key', { algorithms: ['HS256'] }, (err, user) => {
        if (err) return res.status(403).send('Invalid Token'); // bad signature, wrong algorithm or expired
        req.user = user; // decoded claims, available to the route handler
        next();
    });
};

app.get('/protected', authenticateToken, (req, res) => {
    res.send('This is a protected route');
});

Hash Passwords with Bcrypt
Use bcryptjs to securely hash user passwords before saving them in the database.

Example:

const bcrypt = require('bcryptjs');

// `password` is the plaintext from the registration request; only the hash is stored
const salt = bcrypt.genSaltSync(10); // cost factor 10 (2^10 rounds); raise it as hardware gets faster
const hashedPassword = bcrypt.hashSync(password, salt); // the output embeds the salt, so no separate salt column is needed

Compare Passwords
Compare user input with hashed passwords during login.

Example:

// `hashedPassword` is the stored hash for this user; compareSync re-hashes the input with the salt embedded in it
const isValid = bcrypt.compareSync(password, hashedPassword);
if (!isValid) return res.status(400).send('Invalid Credentials');


Complete Example of JWT Authentication

const express = require('express');
const jwt = require('jsonwebtoken');
const bcrypt = require('bcryptjs');

const app = express();
app.use(express.json());

const users = []; // In-memory user store (for demo)

// Load the signing secret from the environment; refuse to start without one rather than fall back to a hard-coded value
const secret = process.env.JWT_SECRET;
if (!secret) throw new Error('JWT_SECRET must be set');

// Register User
app.post('/register', (req, res) => {
    const { username, password } = req.body;
    // bcrypt throws on non-string input, so validate the body before hashing
    if (typeof username !== 'string' || typeof password !== 'string' || !username || !password) {
        return res.status(400).send('Username and password are required');
    }
    if (users.some(u => u.username === username)) {
        return res.status(409).send('Username already taken');
    }
    const hashedPassword = bcrypt.hashSync(password, 10);
    users.push({ id: users.length + 1, username, password: hashedPassword });
    res.send('User registered successfully');
});

// Login User
app.post('/login', (req, res) => {
    const { username, password } = req.body;
    const user = users.find(u => u.username === username);
    // Same response for unknown user and wrong password, so the endpoint does not reveal which usernames exist
    if (!user || typeof password !== 'string' || !bcrypt.compareSync(password, user.password)) {
        return res.status(400).send('Invalid Credentials');
    }

    const token = jwt.sign({ id: user.id, username: user.username }, secret, { expiresIn: '1h' });
    res.json({ token });
});

// Middleware: verify "Authorization: Bearer <token>" and attach the decoded claims to req.user
const authenticateToken = (req, res, next) => {
    const header = req.headers['authorization'] || '';
    const token = header.startsWith('Bearer ') ? header.slice('Bearer '.length) : null;
    if (!token) return res.status(401).send('Access Denied');

    // Pin the algorithm so the token header cannot choose it
    jwt.verify(token, secret, { algorithms: ['HS256'] }, (err, user) => {
        if (err) return res.status(403).send('Invalid Token'); // bad signature, wrong algorithm or expired
        req.user = user;
        next();
    });
};

// Protected Route
app.get('/protected', authenticateToken, (req, res) => {
    res.send(`Hello ${req.user.username}, welcome to the protected route.`);
});

app.listen(3000, () => {
    console.log('Server running on port 3000');
});


Summary

JWT authentication in Express.js provides a stateless way to authenticate users: the server signs a token at login and, on every protected request, verifies its signature, algorithm and expiry instead of looking up a session. jsonwebtoken and bcryptjs supply the token and password-hashing primitives; the application still has to keep the signing secret out of source code, send tokens only over TLS, and treat the payload as readable by whoever holds the token.