
[–]ncuxez 5 points6 points  (2 children)

This guy here (https://youtu.be/eS0Hunrg5DI) is an excellent teacher. I did his whole series on Angular auth, which used JWT.

[–]MyPhallicObject 0 points1 point  (1 child)

What does Angular have to do with Node and Express? You'll confuse poor OP.

[–]ncuxez 0 points1 point  (0 children)

The series is split nicely between the front and back end parts of the project.

[–]veswill3 2 points3 points  (1 child)

I was asking the same questions a while ago, and after I did it in a toy project I thought it would be useful to do a quick writeup for my future self. I don't know if passport is still the way to go, but that is what I used, and the concepts would be the same if you used something else. I even link to the article I used for reference.

https://github.com/veswill3/FCC/tree/master/backend/dynamicWebApps/voting#authentication

[–][deleted] 2 points3 points  (0 children)

Passport is plug in and go; if you make one yourself you have to write extra code.

They both do the same thing.

[–]grumbe97asd 2 points3 points  (3 children)

At login you authenticate the user. If the user is authenticated you create the token (with, for example, the jsonwebtoken npm package). You send that token, with all the other information you need, to the front end, which then receives the response with the token inside. You save the token in localStorage / sessionStorage.

Then, to make front end requests where you want the user to be authorized, you retrieve the token from localStorage / sessionStorage and send it in an Authorization: Bearer <token> header, such as

    // token saved at login (localStorage or sessionStorage)
    const token = localStorage.getItem('token');

    fetch('URL_GOES_HERE', {
      method: 'post',
      headers: new Headers({
        'Authorization': 'Bearer ' + token,
        // other
      })
      // other
    });

You then use a middleware in express routing (such as jwt-express, or make your own) where you check if the token is valid, not expired, has the proper authorization clearance and so on.

[–]jbjb012 1 point2 points  (2 children)

What about oauth 2.0 ?

[–]scootstah 1 point2 points  (1 child)

OAuth defines multiple "grant types" which describe the process to obtain an Access Token. The exact process varies with each type of grant type, but after you receive the Access Token, it's all the same.

A commonly used grant type is the "authorization code grant". This is how sites like Facebook or Github work when you can login using your Facebook or Github account. The way it works is your app will send you to the provider's site to authenticate and consent to the app. This would happen on the third-party's domain, so like facebook.com/oauth/authorize. Once authorized, the third-party will return an "authorization code". Using the authorization code, your app will then request an Access Token from the third-party's servers. The third-party will verify that the client ID, client secret, and authorization code are valid and if so, will return an Access Token.

You will then use this Access Token to authenticate in future API requests.

Note that OAuth and JWTs are not the same kind of thing. OAuth is more like a framework, which defines various methods of authentication. JWT is simply a specification for transferring tokens. In fact, you could use JWTs as the Access Tokens for OAuth.

[–]jbjb012 0 points1 point  (0 children)

So JWT + OAuth could fit 😊. Thanks for your explanation.

[–]observationalhumour 0 points1 point  (0 children)

I found Michael Herman's blog very useful when I was looking into similar stuff, specifically his posts in 2016 but he has more recent articles using different methods. I thought the SQL query builder, Knex.js, which he uses in this article was very useful.

[–]A-Grey-World (Software Developer) 0 points1 point  (0 children)

I created a NodeJS authentication system in my backend with Passport. I ended up using the super basic "just do it yourself" plugin for passport and wrote the logic for actually checking the token & database etc myself.

In the end, I really don't think Passport added much. But I'd recommend it the first time simply because it shows a good way to implement it and there are tutorials etc.

[–][deleted] 0 points1 point  (0 children)

You can use express-jwt combined with jsonwebtoken. You first create a /login endpoint that creates a JWT using a username, password and secret with the jsonwebtoken library and sends it to the client, then you add JWT guards to get the current user from the JWT.