Implementing JWT Token Authentication in Node.js

The cornerstone of modern web security is ensuring that user data is protected as it moves between the client and server. JWT (JSON Web Token) provides a compact, URL-safe method of securely transmitting information between parties. Its use in Node.js applications has exploded due to its simplicity, flexibility, and effectiveness in creating stateless authentication.

Imagine this: you’ve just logged into an app. The app needs to remember that you're authenticated without asking for your password again every time you make a request. Here's where JWT steps in.

What is a JWT?
A JSON Web Token is a string composed of three parts:

1. Header: Specifies the algorithm used and the type of token.
2. Payload: Contains the claims (information about the user).
3. Signature: Ensures that the token hasn’t been tampered with.

Why Use JWT for Authentication?

JWT allows you to create a stateless authentication system, meaning the server does not need to store session data. This reduces memory overhead and increases scalability. By sending the token back and forth between the client and server, you maintain a secure way to verify users.

The Typical Flow of JWT in Node.js Authentication:

1. User Login: User provides credentials, like a username and password.
2. Token Generation: The server generates a JWT after successful authentication.
3. Client Stores Token: The client (usually a browser) stores the JWT in either localStorage or cookies.
4. Client Sends Token: With every subsequent request, the client sends the JWT to the server in the HTTP headers.
5. Server Verifies: The server checks the token’s validity. If valid, it allows access to protected routes. If not, access is denied.

Practical Implementation in Node.js

Step 1: Set up a Node.js project

Start by initializing a Node.js project. You’ll need two key packages:

• express: To create your web server.
• jsonwebtoken: To handle token creation and verification.

bash
npm init -y
npm install express jsonwebtoken

Create an app.js file:

js
const express = require('express');
const jwt = require('jsonwebtoken');

const app = express();
app.use(express.json());

const SECRET_KEY = 'your-secret-key';

// Mock user
const user = {
  id: 1,
  username: 'john',
  password: 'password123',
};

Step 2: Create a Login Route

In this step, the server authenticates the user and generates a JWT.

js
app.post('/login', (req, res) => {
  const { username, password } = req.body;
  if (username === user.username && password === user.password) {
    const token = jwt.sign({ id: user.id, username: user.username }, SECRET_KEY, {
      expiresIn: '1h',
    });
    return res.json({ token });
  }
  return res.status(401).send('Invalid credentials');
});

Explanation:

• We check the user credentials (in a real-world scenario, this would come from a database).
• If credentials are valid, a JWT is created using the jwt.sign() function.
• The token includes the user's ID and username and is set to expire in 1 hour.

Step 3: Protect Routes Using JWT

Now that we have a login route, we need to protect certain routes that require authentication. For that, we create a middleware function to validate the JWT.

js
const authenticateToken = (req, res, next) => {
  const token = req.headers['authorization'];
  if (!token) return res.status(403).send('Token required');

  jwt.verify(token, SECRET_KEY, (err, user) => {
    if (err) return res.status(403).send('Invalid token');
    req.user = user;
    next();
  });
};

app.get('/protected', authenticateToken, (req, res) => {
  res.send('This is a protected route');
});

Explanation:

• The authenticateToken middleware retrieves the token from the authorization header.
• It then verifies the token using the jwt.verify() method, which checks the token’s integrity against the secret key.
• If verification succeeds, the request proceeds to the next middleware or route handler. Otherwise, access is denied.

Step 4: Testing the JWT Flow

Let’s break down how you would test the application.

1. Login:
   First, you make a POST request to /login with the username and password. If successful, you'll receive a token.

   Example request:

   bash
   curl -X POST -H "Content-Type: application/json" -d '{"username": "john", "password": "password123"}' http://localhost:3000/login
   

   The response will contain the token, which you will use for accessing protected routes.

2. Accessing a Protected Route:
   Once you have the token, include it in the Authorization header to access the protected routes.

   Example request:

   bash
   curl -H "Authorization: Bearer " http://localhost:3000/protected
   

   If the token is valid, you’ll gain access to the protected route.

Refresh Tokens: A Vital Addition

Although JWTs are convenient, one potential issue is that when a token expires, the user must log in again. To handle this, refresh tokens are used. These are long-lived tokens that allow the generation of a new JWT without requiring the user to re-enter credentials.

Implementing refresh tokens in Node.js:

js
let refreshTokens = [];

app.post('/token', (req, res) => {
  const refreshToken = req.body.token;
  if (!refreshToken || !refreshTokens.includes(refreshToken)) return res.sendStatus(403);

  jwt.verify(refreshToken, SECRET_KEY, (err, user) => {
    if (err) return res.sendStatus(403);
    const accessToken = jwt.sign({ id: user.id, username: user.username }, SECRET_KEY, { expiresIn: '15m' });
    res.json({ accessToken });
  });
});

app.post('/logout', (req, res) => {
  const refreshToken = req.body.token;
  refreshTokens = refreshTokens.filter(token => token !== refreshToken);
  res.sendStatus(204);
});

Explanation:

• We create a new route /token that generates a new access token if the provided refresh token is valid.
• The /logout route allows the user to invalidate the refresh token, removing it from the stored list.

Security Considerations

While JWTs are powerful, they also come with security considerations:

• Secure your secret key: If an attacker gets hold of your key, they can generate valid tokens.
• Short token expiration times: Reduce the risk of stolen tokens by limiting their lifespan.
• HTTPS: Always use JWTs over HTTPS to avoid man-in-the-middle attacks.
• Store tokens safely: Avoid storing tokens in localStorage for sensitive apps; cookies with the HttpOnly flag set are safer.

JWTs are great for microservices and API-first architectures because they allow you to scale without the overhead of session management. But with great power comes great responsibility—be sure to use them correctly to avoid security pitfalls.