JSON Web Token: REST API authentication issue with JWT (JSON Web Token)
- Tram Ho
Ask the reader
1 – Understand what restful api is?
2 – What is JSON Web Token?
3 – Why authenticate REST API (Nodejs) with JWT (JSON Web Token)?
Quickview
What is restful api?
REST (REpresentational State Transfer) was launched in 2000, in the doctoral thesis of Roy Thomas Fielding (co-founder of HTTP protocol). It is a form of data structure transformation, an architectural style for designing connected applications. It uses simple HTTP to create communication between machines. So instead of using a URL for handling some user information, REST sends an HTTP request like GET, POST, DELETE, etc. to a URL to process the data.
What is JSON Web Token? JSON Web Code (JWT) is an open standard (RFC 7519) that defines a compact and closed way to securely transmit information between parties as a JSON object. This information can be verified and reliable because it contains digital signatures. JWTs can be signed with a secret algorithm (with HMAC algorithm) or a public / private key using RSA encryption. Example eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJleHAiOjEzODY4OTkxMzEsImlzcyI6ImppcmE6MTU0ODk1OTUiLCJxc2giOiI4MDYzZmY0Y2ExZTQxZGY3YmM5MGM4YWI
Why authenticate REST API (Nodejs) with JWT (JSON Web Token)?
This is an important question to help you understand security in developing a restful api. Of course this is only a security part in many of the rest of the security.
For example: You have a rest api link: https://domain.com/users/getAll At first glance, you also see what is its task? That is to get all the users currently in the users collection. If this link anyone can access and get it, what are the consequences? So it is only possible to authenticate someone who has been granted permission to obtain those users. So we can use JSON Web Token to solve that problem.
The process of authenticating JWT and restful nodejs.
5 steps to help us understand faster
1 – Client sends passWord, nameUser to server to authenticate login
2- If login successfully back-end will generate a generate a random String of json web token sent to the client
3 – The client receives the token, then stores it somewhere (cookies, storageSession ..)
4 – When the client wants to get some data, always attach this token with the http request.
5 – Server receives http request from client, is this check token available? Then go ahead, not stop it, and can report this ip.
Build a resful api with JWT (JSON Web Token)
1 – install project
npm install --save express body-parser morgan jsonwebtoken
2 – index.js
1 | const express = require('express'), bodyParser = require('body-parser'), jwt = require('jsonwebtoken'), config = require('./configurations/config'), app = express(); //set secret app.set('Secret', config.secret); // parse application/x-www-form-urlencoded app.use(bodyParser.urlencoded({ extended: true })); // parse application/json app.use(bodyParser.json()); app.listen(3000,()=>{ console.log('server is running on port 3000') }); app.get('/', function(req, res) { res.send('Hello world app is running on http://localhost:3000/'); }); |
3 – configurations / config.js
1 | module.exports = { secret : "heymynameismohamedaymen" } |
Run here to watch and run?
node index.js opens your browser on http: // localhost: 3000 /
ok to run.
4 – Setting up system authentication
write in index.js file, assume password and user in database is 123 and anonystick respectively
1 | app.post('/authenticate',(req,res)=>{ if(req.body.username==="anonystick"){ if(req.body.password===123){ //if eveything is okey let's create our token const payload = { check: true }; var token = jwt.sign(payload, app.get('Secret'), { expiresIn: 1440 // expires in 24 hours }); res.json({ message: 'authentication done ', token: token }); }else{ res.json({message:"please check your password !"}) } }else{ res.json({message:"user not found !"}) } }) |
Now run on postman, OK.
Client has a token. Next test is Setting routes
1 | const ProtectedRoutes = express.Router(); app.use('/api', ProtectedRoutes); ProtectedRoutes.use((req, res, next) =>{ // check header for the token var token = req.headers['access-token']; // decode token if (token) { // verifies secret and checks if the token is expired jwt.verify(token, app.get('Secret'), (err, decoded) =>{ if (err) { return res.json({ message: 'invalid token' }); } else { // if everything is good, save to request for use in other routes req.decoded = decoded; next(); } }); } else { // if there is no token res.send({ message: 'No token provided.' }); } }); |
Write a route for getting data
1 | ProtectedRoutes.get('/getAllProducts',(req,res)=>{ let products = [ { id: 1, name:"cheese" }, { id: 2, name:"carottes" } ] res.json(products) }) |
Done, how will we compare the two ways to get data?
Without Token
with Token 
Source : viblo.asia