![\"\"](\"https:\/\/www.javacodegeeks.com\/wp-content\/uploads\/2022\/03\/jwttokenformatdiagram1.jpeg\")
<\/a>Any jwt can be read by pasting the given token on this website<\/a>.<\/p>\n To set up Node.js<\/strong> on windows you will need to download the installer from this<\/a> link. Click on the installer (also include the NPM package manager) for your platform and run the installer to start with the Node.js setup wizard. Follow the wizard steps and click on Finish when it is done. If everything goes well you can navigate to the command prompt to verify if the installation was successful as shown in Fig. 1.<\/p>\n To set up the application, we will need to navigate to a path where our project will reside and I will be using Visual Studio Code<\/a> as my preferred IDE.<\/p>\n Let us take a look at the code structure.<\/p>\n Navigate to the project directory and run package.json<\/em><\/span><\/p>\n The This file is responsible to validate the token passed in the request to fetch the data. The function will fetch the token from the request header, validate it, and throw the required exception (if any).<\/p>\n auth.js<\/em><\/span><\/p>\n This file is responsible to validate the presence of user roles in the token. These roles will be added to the authentication token after successful credentials validation.<\/p>\n roles.js<\/em><\/span><\/p>\n The This file is responsible for validating user credentials and creating a jwt token. The database authentication is omitted from the scope of the tutorial and hence we will use a mock authentication object but you\u2019re free to update the code as per your wish.<\/p>\n token.js<\/em><\/span><\/p>\n This file is responsible for exposing the endpoints that a user can play with. Each endpoint is protected with authentication and authorization. messages.js<\/em><\/span><\/p>\n This file describes the main implementation (i.e. the driver code).<\/p>\n index.js<\/em><\/span><\/p>\n To run the application navigate to the project directory and enter the following command as shown below in the terminal.<\/p>\n Run command<\/em><\/span><\/p>\n If everything goes well the application will be started successfully at the service endpoint – The application exposes the below endpoints that you can explore around the application with the help of the postman<\/a> tool. You can also download the postman collection from the Downloads<\/a> section and import it into the tool for an easy setup.<\/p>\n Application endpoints<\/em><\/span><\/p>\n That is all for this tutorial and I hope the article served you with whatever you were looking for. Happy Learning and do not forget to share!<\/p>\n In this tutorial, we saw the implementation of securing the restful apis using the JSON web token (jwt). You can download the source code from the Downloads<\/a> section.<\/p>\n This was a tutorial to secure the restful apis in a nodejs and express application.<\/p>\n1.1 Setting up Node.js<\/h3>\n
<\/a>2. Securing Restful APIs with Nodejs and Express<\/h2>\n
<\/a>2.1 Setting up dependencies<\/h3>\n
npm init -y<\/code> to create a package.json<\/code> file. This file<\/a> holds the metadata relevant to the project and is used for managing the project dependencies, script, version, etc. Replace the generated file with the code given below –<\/p>\n{\n \"name\": \"secure-rest-apis\",\n \"version\": \"1.0.0\",\n \"description\": \"how to secure rest apis in express\",\n \"main\": \"index.js\",\n \"scripts\": {\n \"start\": \"node index.js\",\n \"dev\": \"nodemon index.js\",\n \"test\": \"echo \\\"Error: no test specified\\\" && exit 1\"\n },\n \"keywords\": [\n \"restful apis\",\n \"jwt\",\n \"express\",\n \"nodejs\",\n \"nodemon\",\n \"bcrypt\",\n \"jsonwebtoken\"\n ],\n \"author\": \"geeks\",\n \"license\": \"MIT\",\n \"dependencies\": {\n \"bcrypt\": \"^5.0.1\",\n \"express\": \"^4.17.3\",\n \"jsonwebtoken\": \"^8.5.1\"\n },\n \"devDependencies\": {\n \"nodemon\": \"^2.0.15\"\n }\n}\n<\/pre>\n2.2 Setting up middleware for the application<\/h3>\n
middleware<\/code> folder is responsible for two items i.e. validation of the authentication token and roles sent to the \/api\/messages<\/code> endpoint.<\/a>2.2.1 Validation of authentication token<\/h4>\n
const jwt = require(\"jsonwebtoken\");\n\nmodule.exports = (req, res, next) => {\n const auth_token = req.header(\"x-auth-token\");\n if (!auth_token)\n return res.status(401).send({\n status: \"unauthorized\",\n code: 401,\n error: \"No auth token provided\"\n });\n\n try {\n const decoded = jwt.verify(auth_token, \"jwtPrivateKey\");\n req.user = decoded;\n } catch (error) {\n return res.status(401).send({\n status: \"unauthorized\",\n code: 401,\n error: \"Token expired\"\n });\n }\n\n next();\n};\n<\/pre>\n<\/a>2.2.2 Validation of roles in the authentication token<\/h4>\n
const msg = \"Access denied\";\nconst forbidden = \"forbidden\";\nconst s_code = 403;\n\nfunction admin(req, res, next) {\n if (!req.user.roles.includes(\"admin\"))\n return res.status(403).send({\n status: forbidden,\n code: s_code,\n error: msg\n });\n\n next();\n}\n\nfunction editor(req, res, next) {\n if (!req.user.roles.includes(\"editor\"))\n return res.status(403).send({\n status: forbidden,\n code: s_code,\n error: msg\n });\n\n next();\n}\n\nfunction viewer(req, res, next) {\n if (!req.user.roles.includes(\"viewer\"))\n return res.status(403).send({\n status: forbidden,\n code: s_code,\n error: msg\n });\n\n next();\n}\n\n\/\/ export router\nmodule.exports = { admin, editor, viewer };\n<\/pre>\n2.3 Setting up application routes<\/h3>\n
routes<\/code> folder is responsible to define the application routes.<\/p>\n2.3.1 Creating token endpoint<\/h4>\n
const express = require(\"express\");\nconst jwt = require(\"jsonwebtoken\");\nconst bcrypt = require(\"bcrypt\");\n\n\/\/ setting up express server router\nconst router = express.Router();\n\n\/\/ user authentication\n\n\/\/ http post - http:\/\/localhost:3005\/api\/token\n\/*\n{\n \"email\": \"abc@example.com\",\n \"password\": \"P@ssword01!\"\n}\n*\/\nrouter.post(\"\/\", async (req, res) => {\n \/\/ mock data\n const users = [\n {\n email: \"abc@example.com\",\n password: \"$2b$15$U9UK8N.m5uWbletbMwKlHuYRxXRY5j\/cbaWmtK9TAxSncFgk5vdQu\", \/\/ P@ssword01!\n roles: [\"admin\", \"editor\", \"viewer\"]\n }\n ];\n\n \/\/ get user from db and if not found throw error\n let user = users.find((u) => req.body.email == u.email);\n if (!user) throw new Error(\"Invalid user\");\n\n \/\/ compare password with password from the db\n const valid = await bcrypt.compare(req.body.password, user.password);\n if (!valid) throw new Error(\"Invalid password\");\n\n const tkn = jwt.sign(\n {\n id: user.id,\n roles: user.roles\n },\n \"jwtPrivateKey\",\n { expiresIn: \"15m\" }\n );\n\n res.status(200).send({\n status: \"ok\",\n code: 200,\n token: tkn\n });\n});\n\n\/\/ export router\nmodule.exports = router;\n<\/pre>\n2.3.2 Creating the messages endpoint<\/h4>\n
The auth<\/code> keyword represents the authentication mechanism set by the auth.js<\/a> while the admin<\/code> or editor<\/code> or viewer<\/code> keywords represent the authorization mechanism set by the roles.js<\/a>.<\/p>\nconst express = require(\"express\");\nconst auth = require(\"..\/middleware\/auth\");\nconst { admin, editor, viewer } = require(\"..\/middleware\/roles\");\n\n\/\/ setting up express server router\nconst router = express.Router();\n\n\/\/ mock data\nlet messages = [\n {\n id: 1,\n name: \"Lorem ipsum dolor\"\n }\n];\n\n\/\/ messages routes\n\/\/ each request must have an x-auth-token request header containing a valid access token\n\n\/\/ http get - http:\/\/localhost:3005\/api\/messages\nrouter.get(\"\/\", [auth, viewer], (req, res) => {\n res.status(200).send({\n status: \"ok\",\n code: 200,\n result: messages\n });\n});\n\n\/\/ http post - http:\/\/localhost:3005\/api\/messages\n\/*\n{\n \"name\": \"Some random name\"\n}\n*\/\nrouter.post(\"\/\", [auth, editor], async (req, res) => {\n messages.push({ id: messages.length + 1, name: req.body.name });\n res.status(201).send({\n status: \"created\",\n code: 201\n });\n});\n\n\/\/ http delete - http:\/\/localhost:3005\/api\/messages?key=1\nrouter.delete(\"\/\", [auth, admin], async (req, res) => {\n const idToRemove = req.query.key;\n messages = messages.filter(function (item) {\n return item.id != idToRemove;\n });\n\n res.status(202).send({\n status: \"accepted\",\n code: 202\n });\n});\n\n\/\/ Todo - implement put\n\n\/\/ export router\nmodule.exports = router;\n<\/pre>\n2.4 Setting up implementation file<\/h3>\n
const express = require(\"express\");\n\n\/\/ setting up express server\nconst app = express();\napp.use(express.json());\n\nconst token = require(\".\/routes\/token\");\nconst messages = require(\".\/routes\/messages\");\n\n\/\/ application routes\napp.use(\"\/api\/token\", token);\napp.use(\"\/api\/messages\", messages);\n\n\/\/ driver code\nconst SERVER_PORT = 3005;\napp.listen(SERVER_PORT, () => {\n console.log(`Service endpoint = http:\/\/localhost:${SERVER_PORT}`);\n});\n<\/pre>\n3. Run the Application<\/h2>\n
$ npm run dev\n<\/pre>\n
http:\/\/localhost:3005<\/code><\/p>\n4. Application endpoints<\/h2>\n
\/\/ user authentication\n\/\/ http post - http:\/\/localhost:3005\/api\/token\n\/*\n{\n \"email\": \"abc@example.com\",\n \"password\": \"P@ssword01!\"\n}\n*\/\n\n\/\/ application endpoints\n\/\/ each request must have an \"x-auth-token\" request header containing a valid access token\n\n\/\/ http get - http:\/\/localhost:3005\/api\/messages\n\n\/\/ http post - http:\/\/localhost:3005\/api\/messages\n\/*\n{\n \"name\": \"Some random name\"\n}\n*\/\n\n\/\/ http delete - http:\/\/localhost:3005\/api\/messages?key=1\n<\/pre>\n5. Summary<\/h2>\n
<\/a>6. Download the Project<\/h2>\n