JSON Web Tokens (JWT) are a compact, URL-safe means of representing claims to be transferred between two parties. A signed JWT (the JWS form used here) lets the server check that the claims have not been altered, but it does not hide them: the header and payload are only base64url-encoded and can be read by anyone who holds the token. In this tutorial, we will go through the process of implementing JWT authentication in a Node.js application using Express.
Step 1: Set up your Node.js project
First, create a new Node.js project by running the following command in your terminal:
npm init -y
Next, install the packages the project needs by running the following command:
npm install express body-parser jsonwebtoken
Step 2: Create a basic Express server
Now, let's create a basic Express server in a file named server.js.
const express = require('express');
const bodyParser = require('body-parser');
const jwt = require('jsonwebtoken');

const app = express();
app.use(bodyParser.json());

// Keep the signing secret out of source control: load it from the environment.
// The hard-coded fallback is for local experimentation only.
const secretKey = process.env.JWT_SECRET || 'secret_key';

app.post('/login', (req, res) => {
  const { username, password } = req.body || {};
  // Perform authentication logic (a real app would look the user up and compare a password hash)
  if (username === 'admin' && password === 'password') {
    const token = jwt.sign({ username }, secretKey);
    res.json({ token });
  } else {
    res.status(401).json({ message: 'Invalid username or password' });
  }
});

app.get('/profile', (req, res) => {
  // Guard against a missing header: req.headers.authorization is undefined then,
  // and calling .split() on it would crash the request with a TypeError.
  const authHeader = req.headers.authorization || '';
  const token = authHeader.split(' ')[1];
  if (!token) {
    return res.status(401).json({ message: 'Missing token' });
  }
  // Pin the accepted algorithm so the token's own header cannot choose it.
  jwt.verify(token, secretKey, { algorithms: ['HS256'] }, (err, decoded) => {
    if (err) {
      return res.status(401).json({ message: 'Invalid token' });
    }
    res.json({ username: decoded.username });
  });
});

app.listen(3000, () => {
  console.log('Server started on http://localhost:3000');
});
In this code snippet, we create an Express server with two routes: /login for generating a JWT upon successful authentication, and /profile for accessing a protected resource.
Step 3: Test the authentication flow
To test the authentication flow, run the server using the following command:
node server.js
Now, open a new terminal window and send a POST request to the /login endpoint with the following command:
curl -X POST -H "Content-Type: application/json" -d '{"username": "admin", "password": "password"}' http://localhost:3000/login
You should receive a response containing a JWT. Use this token to access the /profile endpoint by sending a GET request with the following command:
curl -H "Authorization: Bearer <token>" http://localhost:3000/profile
You should receive a response containing the username associated with the token.
Step 4: Adding token expiration
To add token expiration to our JWT authentication, modify the token generation code in the /login endpoint as follows:
const token = jwt.sign({ username }, secretKey, { expiresIn: '1h' });
Now the generated token carries an exp claim one hour in the future, and jwt.verify rejects it after that time with a TokenExpiredError, which our handler turns into a 401. Note that expiry is the only thing that ends a token's validity in this stateless design: a token that leaks stays usable until it expires unless you add server-side revocation state.
Step 5: Securing routes with JWT authentication
To secure specific routes in your application, you can use middleware to verify the JWT before allowing access to the route. Modify the /profile route in server.js as follows:
app.get('/profile', verifyToken, (req, res) => {
  // verifyToken has already checked the signature and expiry and attached the claims
  res.json({ username: req.user.username });
});

function verifyToken(req, res, next) {
  const bearerHeader = req.headers.authorization;
  if (typeof bearerHeader !== 'string' || !bearerHeader.startsWith('Bearer ')) {
    // No credentials presented: 401, not 403 (403 means authenticated but not allowed)
    return res.status(401).json({ message: 'Missing token' });
  }
  const bearerToken = bearerHeader.split(' ')[1];
  jwt.verify(bearerToken, secretKey, { algorithms: ['HS256'] }, (err, decoded) => {
    if (err) {
      return res.status(401).json({ message: 'Invalid token' });
    }
    req.user = decoded; // expose the verified claims, not the raw token
    next();
  });
}
Now the /profile route is secured with the verifyToken middleware, which checks the signature and expiry of the JWT and attaches the decoded claims to req.user before the route handler runs; a request with a missing, tampered or expired token never reaches the handler.
Conclusion
In this tutorial, we've covered the basics of implementing JWT authentication in a Node.js application using Express and the jsonwebtoken package. We've created a simple JWT authentication flow, added token expiration, and secured routes with JWT authentication. By following these steps, you can enhance the security of your Node.js applications with JWT authentication.
Thank you Piyush, you made my journey to project building possible.
Wow, excellent explanation. Thank you, brother, for this playlist 😊
Where do we use getUser to verify the token?
When I replace my token with a wrong one, the app keeps running.
Finally understood sessions, cookies and JWT. Thank you, sir ji!!!! 🙏🙏🙏🙏
I really like his VS Code theme; does anyone know the name of it?
Stateless vs Stateful understood because of you, thanks!
Thanks, sir ❤❤
Explanation is top-notch,
but your voice tone sounds like a little child speaking.
Too Good
Bhaiya, when tokens are stored in cookies, how do we protect React JS routes based on the presence of the token in the cookie?
Sir ji, please explain everything in a single video instead of making us go and watch another video first every time.
Sir, I really like your videos, but there are 2 problems which I am facing:
1. Your authentication videos are dependent on the URL generation videos.
2. If someone faces any error in the URL at any point, he won't be able to continue until that error gets resolved.
3. Solution: if you could provide the source code, then it would be easier for us to resolve our errors.
4. Solution: if you could make such videos which are not dependent on each other, then it would be easier for us to understand each concept from scratch.
Then why the heck does IRCTC use sessions 😂
It logs you out at the last second of your attempt to book a Tatkal ticket 💩
nodejsurlshortenerserviceauth.js:8
_id: user._id,
^
TypeError: Cannot read properties of undefined (reading '_id')
If anyone is getting an error message in the getUser function, I suggest you use a try/catch block instead of directly verifying the JWT:
const jwt = require('jsonwebtoken');

// `secret` is the app's signing secret, defined elsewhere in the commenter's project
function getUser(token) {
  if (!token) return null;
  try {
    return jwt.verify(token, secret);
  } catch (error) {
    // malformed, tampered or expired token: treat as not logged in
    return null;
  }
}
Use this instead.
Sir, getting the below error:
C:\Users\palla\Downloads\short-url-node\short-url-node\node_modules\jsonwebtoken\verify.js:70
    return done(new JsonWebTokenError('jwt malformed'));
           ^
JsonWebTokenError: jwt malformed
    at module.exports [as verify] (C:\Users\palla\Downloads\short-url-node\short-url-node\node_modules\jsonwebtoken\verify.js:70:17)
    at getUser (C:\Users\palla\Downloads\short-url-node\short-url-node\service\auth.js:13:16)
    at checkAuth (C:\Users\palla\Downloads\short-url-node\short-url-node\middlewares\auth.js:15:18)
    at Layer.handle [as handle_request] (C:\Users\palla\Downloads\short-url-node\short-url-node\node_modules\express\lib\router\layer.js:95:5)
    at trim_prefix (C:\Users\palla\Downloads\short-url-node\short-url-node\node_modules\express\lib\router\index.js:328:13)
    at C:\Users\palla\Downloads\short-url-node\short-url-node\node_modules\express\lib\router\index.js:286:9
    at Function.process_params (C:\Users\palla\Downloads\short-url-node\short-url-node\node_modules\express\lib\router\index.js:346:12)
    at next (C:\Users\palla\Downloads\short-url-node\short-url-node\node_modules\express\lib\router\index.js:280:10)
    at cookieParser (C:\Users\palla\Downloads\short-url-node\short-url-node\node_modules\cookie-parser\index.js:71:5)
    at Layer.handle [as handle_request] (C:\Users\palla\Downloads\short-url-node\short-url-node\node_modules\express\lib\router\layer.js:95:5)
Node.js v20.6.1
[nodemon] app crashed – waiting for file changes before starting…
I like the way you explain by giving examples, and your explanations are very user-friendly.
Does someone have its source code?
4:30 difference between this token and the UID