JSON Web Token Integration in Node.js
In my last article I went over how to integrate JSON Web Tokens into the backend of your Rails application. That article can be found:
In this article I will go over a simple integration of JSON Web Tokens with Node.js, specifically with Express. The request from the frontend will remain the same, namely you will be sending a token to the backend on every request that requires authorization. You do this by adding the Authorization
header to your fetch request with the token. In this example, we will be making a GET request for an individual task…
This request will hit our backend routers and execute the appropriate route. You’ll notice below that the first line of code has an auth
function as the second argument of the get
function. This is a custom middleware function that gets executed between when the request was made and when the route runs. A middleware function in Express has access to to the request
object (req), response
object(res), and next
function. We of course have to load this auth
module in at the top of our router in order to use it.
const auth = require(‘../middleware/auth’)
So what does the auth
middleware function do? Well, remember our goal is to authorize the token that is sent in the request. We don’t actually want to run the route if the user (token) is not authorized. In this context, authorized means that the token
sent with the request exists on the token property of a particular user in the database. As a reference, our database has a name
and tokens
property as shown below. Multiple tokens are stored in an array on the users table so that logging out of your account on one device (smartphone) doesn’t log you out on other devices (laptop).
So, the auth
middleware function should either:
1) Allow the route to continue executing, or
2) Send back a 401 Error (Unauthorized client error)
Like we mentioned above, an Express middleware function takes in req
, res
, and next
. In our auth
function, we are going to find the user in the database that corresponds to the decoded JWT passed in. We do this by utilizing the jsonwebtoken
library. This library gives us access to the verify
method. Before verifying the token, we first need to parse out the token from the request by grabbing the ‘Authorization’ header
property of the req
object and removing the ‘Bearer’ keyword so we are just left with the pure token in string format.
Then we verify the token
by passing in the token
and a public/private key. We use the findOne
method from Mongoose and pass in the user ID
and token
that was decoded previously. If the user is found, we optionally set the token property on the request, req.token = token
and also set the user property on the request, req.user = user
which gives our route
access to the user without searching the database again. We call the next
function which allows our route to continue running. If the user is NOT found, the route will not run, so we change the status to 401
and send back a JSON response with a ‘Please authenticate’ error message.
Here’s what the auth
middleware function looks like:
If next()
is called, our route continues to execute since we are now past the auth
function argument. We have successfully authorized a route, and the great thing is we can use the auth
middleware function over and over again in all of our routes. So if we wanted to create a new task, we can easily add auth
to our POST
request route and it will authorize in the same way!
That’s it!