How do you implement node js jwt middleware for user authentication and authorization?

1 What is JWT?

JWT is a standard for creating and verifying tokens that can be used to exchange data between parties. A JWT consists of three parts: a header, a payload, and a signature. The header contains metadata about the token, such as the algorithm used to generate the signature. The payload contains the actual data, such as the user ID, role, and expiration time. The signature is a hash of the header and the payload, using a secret key. The signature ensures that the token has not been tampered with.

2 How to create JWT?

To create JWT, you need to use a library that supports the JWT standard. In this article, we will use the jsonwebtoken library, which is available as a npm package. To install it, run the following command in your terminal:

<code>npm install jsonwebtoken --save</code>

To create a JWT, you need to provide a payload object, a secret key, and an optional options object. The payload object can contain any data you want to store in the token, such as the user ID and role. The secret key is a string that only you and your server know, and it is used to generate and verify the signature. The options object can contain additional parameters, such as the expiration time and the issuer of the token. For example, to create a JWT with a one-hour expiration time, you can use the following code:

<code>const jwt = require('jsonwebtoken');

const payload = {

userId: '123',

role: 'admin'

};

const secret = 'your-secret-key';

const options = {

expiresIn: '1h',

issuer: 'your-app-name'

};

const token = jwt.sign(payload, secret, options);</code>

The token variable will contain a string that looks something like this:

<code>eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VySWQiOiIxMjMiLCJyb2xlIjoiYWRtaW4iLCJpYXQiOjE2MjQ0NjQwMjIsImV4cCI6MTYyNDQ2NzYyMiwiaXNzIjoieW91ci1hcHAtbmFtZSJ9.0y0w0y0w0y0w0y0w0y0w0y0w0y0w0y0w0y0w0y0w0y0w0y0w</code>

3 How to verify JWT?

To verify JWT, you need to use the same library and secret key that you used to create it. The jsonwebtoken library provides a verify method that takes a token, a secret key, and an optional callback function. The verify method will decode the token, check the signature, and validate the payload. If the token is valid, it will return the payload object. If the token is invalid, it will throw an error or pass it to the callback function. For example, to verify a token and log the payload, you can use the following code:

<code>const jwt = require('jsonwebtoken');

const token = 'your-token-string';

const secret = 'your-secret-key';

jwt.verify(token, secret, (err, payload) => {

if (err) {

console.error(err);

} else {

console.log(payload);

}

});</code>

4 How to use JWT middleware?

To use JWT middleware, you need to create a function that will check the authorization header of the incoming request, extract the token, and verify it. If the token is valid, you can attach the payload to the request object, so that you can access the user data in your route handlers. If the token is invalid, you can send a 401 (Unauthorized) response, or call the next middleware with an error. For example, to create a JWT middleware, you can use the following code:

<code>const jwt = require('jsonwebtoken');

const secret = 'your-secret-key';

const jwtMiddleware = (req, res, next) => {

// get the authorization header

const authHeader = req.headers.authorization;

// check if the header exists and starts with 'Bearer '

if (authHeader && authHeader.startsWith('Bearer ')) {

// get the token from the header

const token = authHeader.split(' ')[1];

// verify the token

jwt.verify(token, secret, (err, payload) => {

if (err) {

// send a 401 response or call the next middleware with an error

res.status(401).send('Invalid token');

// next(err);

} else {

// attach the payload to the request object

req.user = payload;

// call the next middleware

next();

}

});

} else {

// send a 401 response or call the next middleware with an error

res.status(401).send('No token provided');

// next(new Error('No token provided'));

}

};</code>

5 How to apply JWT middleware?

To apply JWT middleware, you need to use the app.use or router.use method of the Express framework, and pass the jwtMiddleware function as an argument. You can apply the middleware globally, to all the routes, or locally, to specific routes. For example, to apply the middleware globally, you can use the following code:

<code>const express = require('express');

const app = express();

const jwtMiddleware = require('./jwtMiddleware');

// apply the middleware to all the routes

app.use(jwtMiddleware);

// define your routes

app.get('/profile', (req, res) => {

// access the user data from the request object

res.send(`Hello, ${req.user.userId}! You are a ${req.user.role}.`);

});

app.get('/secret', (req, res) => {

// check the user role from the request object

if (req.user.role === 'admin') {

res.send('You have access to the secret data.');

} else {

res.send('You are not authorized to see the secret data.');

}

});

app.listen(3000, () => {

console.log('Server running on port 3000');

});</code>

To apply the middleware locally, you can use the following code:

<code>const express = require('express');

const app = express();

const jwtMiddleware = require('./jwtMiddleware');

// define your routes

app.get('/profile', (req, res) => {

// no middleware applied, anyone can access this route

res.send('This is your public profile.');

});

app.get('/secret', jwtMiddleware, (req, res) => {

// middleware applied, only users with valid tokens can access this route

res.send('This is your secret data.');

});

app.listen(3000, () => {

console.log('Server running on port 3000');

});</code>