Building a secure and scalable authentication system doesn’t have to be complicated. What if you could eliminate the need for managing server-side sessions while keeping user sessions lightweight and secure?<\/p>\n\n\n\n
Enter JSON Web Tokens (JWT)<\/strong> \u2014 a fast, stateless, and reliable solution for user authentication. JWTs are ideal for modern web applications, from single-page apps to complex microservices architectures.<\/p>\n\n\n\n In this guide, you\u2019ll learn how to set up JWT in a Node.js application from scratch & create a secure login system that avoids server-side session storage.<\/p>\n\n\n\n Before we jump into the coding magic, let’s set up our project.<\/p>\n\n\n\n First, create a new project directory and initialize a Node.js<\/a> project using npm. Don\u2019t worry; it\u2019s a one-liner to get started!<\/p>\n\n\n\n This creates a package.json file that will keep track of all your dependencies.<\/p>\n\n\n\n Now, let\u2019s install the key packages we’ll need:<\/p>\n\n\n\n Run this command to install both:<\/p>\n\n\n\n With the dependencies set up, we\u2019re ready to write some code!<\/p>\n\n\n\n Create a new file called index.js. This is where the magic begins. We\u2019ll start by setting up a basic Express server that listens on a port and can handle incoming requests.<\/p>\n\n\n\n Here\u2019s the code for that:<\/p>\n\n\n\n With this simple server in place, we\u2019re ready to add our authentication route.<\/p>\n\n\n\n Now, let\u2019s add the \/login route, which will authenticate the user based on their credentials and generate a JWT<\/a>. For simplicity, we\u2019ll use hardcoded values for username and password. But in a real-world application, you would check against a database.<\/p>\n\n\n\n Here\u2019s the code for the login route:<\/p>\n\n\n\n Here\u2019s what happens when a user hits this \/login route:<\/p>\n\n\n\n Think of the JWT as a secure passport. It\u2019s a compact string that contains all the necessary information to verify a user\u2019s identity. Once generated, the user can use this token to access protected routes within the app without needing to log in again \u2014 as long as the token hasn\u2019t expired!<\/p>\n<\/blockquote>\n\n\n\n Now that we have our login route set up, it\u2019s time to test it. You can use Postman (or any other API testing tool) to send a POST request to \/login with a username and password in the body.<\/p>\n\n\n\n Here\u2019s what you do:<\/p>\n\n\n\n Click Send, and if your credentials match the hardcoded ones, you\u2019ll receive a response like this:<\/p>\n\n\n\n This token is your ticket to access protected resources in your app!<\/p>\n\n\n\n Once we have our JWT, we can use it to authenticate the user for future requests. For example, let\u2019s create a protected route that can only be accessed if the user provides a valid JWT.<\/p>\n\n\n\n Instead of verifying the JWT in each route, we can create a middleware that will handle the token verification. This way, we can reuse the middleware for any route that requires authentication.<\/p>\n\n\n\n Here\u2019s how you can structure the middleware:<\/p>\n\n\n\n Now that you have the verifyToken middleware, use it in the \/protected route. This will ensure that only authenticated users can access the protected resource.<\/p>\n\n\n\n Here\u2019s how to modify your code:<\/p>\n\n\n\n Step 5: Testing the Protected Route<\/strong><\/p>\n\n\n\n To test the \/protected route, follow these steps:<\/p>\n\n\n\n Login: Send a POST request to \/login with the credentials in the request body:<\/p>\n\n\n\n If the credentials are valid, you will receive a JWT token in the response:<\/p>\n\n\n\n Access Protected Route: To access the \/protected route, send a GET request to \/protected with the token in the Authorization header as follows:<\/p>\n\n\n\n If the token is valid, the response will be:<\/p>\n\n\n\nStep 1: Project Setup \u2013 Let\u2019s Build the Foundation<\/strong><\/h2>\n\n\n\n
1.1: Initialize a Node.js Project<\/strong><\/h3>\n\n\n\n
mkdir jwt-auth-app\ncd jwt-auth-app\nnpm init \u2013y\n<\/code><\/pre>\n\n\n\n1.2: Install the Necessary Packages<\/strong><\/h3>\n\n\n\n
\n
npm install express jsonwebtoken<\/code><\/pre>\n\n\n\nStep 2: Building the Authentication Route<\/strong><\/h2>\n\n\n\n
2.1: Set Up the Express Server<\/strong><\/h3>\n\n\n\n
const express = require('express');\nconst app = express();\n\n\n\/\/ Middleware to parse JSON bodies\napp.use(express.json());\n\n\nconst PORT = process.env.PORT || 3000;\napp.listen(PORT, () => {\n console.log(`Server running on port ${PORT}`);\n});\n<\/code><\/pre>\n\n\n\n2.2: Defining the Login Route<\/strong><\/h3>\n\n\n\n
const jwt = require('jsonwebtoken');\nconst SECRET_KEY = 'your_secret_key'; \/\/ Keep this secret in production!\n\n\napp.post('\/login', (req, res) => {\n const { username, password } = req.body;\n\n\n \/\/ Hardcoded credentials (replace this with actual database checks in production)\n if (username === 'user' && password === 'password') {\n \/\/ Create a JWT with user info and an expiration time of 1 hour\n const token = jwt.sign({ username }, SECRET_KEY, { expiresIn: '1h' });\n\n\n \/\/ Send the token back to the user\n res.json({ token });\n } else {\n res.status(401).send('Unauthorized');\n }\n});\n\n<\/code><\/pre>\n\n\n\n\n
\n
What\u2019s a JWT?<\/em><\/strong><\/h3>\n\n\n\n
Step 3: Testing the Login Route<\/strong><\/h2>\n\n\n\n
\n
{\n\"username\": \"user\",\n\"password\": \"password\"\n}\n<\/code><\/pre>\n\n\n\n{\n\"token\": \"your.jwt.token.here\"\n}\n<\/code><\/pre>\n\n\n\nStep 4: Using the JWT for Protected Routes<\/strong><\/h2>\n\n\n\n
4.1: Create a Middleware to Verify the JWT<\/strong><\/h3>\n\n\n\n
\/\/ Middleware to verify JWT\nconst jwt = require('jsonwebtoken');\nconst SECRET_KEY = 'your_secret_key'; \/\/ Make sure to use an environment variable in production!\n\n\nfunction verifyToken(req, res, next) {\n const token = req.header('Authorization')?.replace('Bearer ', ''); \/\/ Get token from Authorization header\n \n if (!token) {\n return res.status(401).send('Access Denied: No token provided');\n }\n\n\n try {\n \/\/ Verify the token using jwt.verify and decode it\n const decoded = jwt.verify(token, SECRET_KEY);\n \n \/\/ Attach the decoded user info to the request object for use in subsequent route handlers\n req.user = decoded;\n \n \/\/ Proceed to the next middleware or route handler\n next();\n } catch (error) {\n res.status(400).send('Invalid Token');\n }\n}\n\n\nmodule.exports = verifyToken; \/\/ Export the middleware\n<\/code><\/pre>\n\n\n\n4.2: Use the Middleware in the \/protected Route<\/strong><\/h3>\n\n\n\n
const verifyToken = require('.\/verifyToken'); \/\/ Import the middleware\n\n\n\/\/ Protected route using the verifyToken middleware\napp.get('\/protected', verifyToken, (req, res) => {\n \/\/ If we reached this point, it means the token is valid\n res.send(`Welcome to the protected route, ${req.user.username}!`);\n});\n\n\napp.listen(PORT, () => {\n console.log(`Server running on port ${PORT}`);\n});\n<\/code><\/pre>\n\n\n\n{\n \"username\": \"user\",\n \"password\": \"password\"\n}<\/code><\/pre>\n\n\n\n{\n \"token\": \"your.jwt.token.here\"\n}\n<\/code><\/pre>\n\n\n\nAuthorization: Bearer your.jwt.token.here<\/code><\/pre>\n\n\n\nWelcome to the protected route, user!<\/code><\/pre>\n\n\n\n