loading...

Learn using JWT with Passport authentication

_arpy profile image Arpy Vanyan Originally published at Medium on ・4 min read

Introduction

Almost every web and mobile app nowadays have authentication. Most of them offer different login methods like Facebook, Google or email/password at once.

Passport is a Node.js middleware that offers a variety of different request authentication strategies that are easy to implement. By default, it stores the user object in session.

JSON Web Tokens is an authentication standard that works by assigning and passing around an encrypted token in requests that helps to identify the logged in user, instead of storing the user in a session on the server and creating a cookie. It has different integrations including a Node.js module.

Below is a tutorial about using this two modules together and setting up an authentication on an express based backend. Luckily, Passport allows an option to store the user object in request instead of the session.

The tutorial will use a simple local (email/password) authentication, but it may as well be used with any other strategy.

First, let's install the dependencies.

npm install --save passport passport-local passport-jwt jsonwebtoken

Now here is how everything is going to work:

  • When the user logs in, the backend creates a signed token and returns it in response
  • The client saves the token locally (typically in localStorage ) and sends it back in every subsequent request that needs authentication
  • All requests needing authentication pass through a middleware that checks the provided token and allows the request only if the token is verified

So, let’s implement this logic.

Login

Assume we have set up and used the local passport strategy in a separate file next to app.js like this:

//passport.js

const passport = require('passport');
const LocalStrategy = require('passport-local').Strategy;

passport.use(new LocalStrategy({
        usernameField: 'email',
        passwordField: 'password'
    }, 
    function (email, password, cb) {

//this one is typically a DB call. Assume that the returned user object is pre-formatted and ready for storing in JWT

return UserModel.findOne({email, password})
           .then(user => {
               if (!user) {
                   return cb(null, false, {message: 'Incorrect email or password.'});
               }

return cb(null, user, {message: 'Logged In Successfully'});
          })
          .catch(err => cb(err));
    }
));

We need to require this file in  app.js.

//app.js

const express = require('express');
...
require('./passport');

const app = express();
...
const auth = require('./routes/auth');
app.use('/auth', auth);

Now, in our auth.js route file, we’ll implement the login action. Here, we call the passport authentication function with local strategy, handle the errors and log in the user.

//routes/auth.js

const express = require('express');
const router = express.Router();
const jwt = require('jsonwebtoken');
const passport = require("passport”);

/* POST login. */
router.post('/login', function (req, res, next) {

passport.authenticate('local', {session: false}, (err, user, info) => {
        if (err || !user) {
            return res.status(400).json({
                message: 'Something is not right',
                user : user
            });
        }

req.login(user, {session: false}, (err) => {
           if (err) {
               res.send(err);
           }

// generate a signed son web token with the contents of user object and return it in the response

const token = jwt.sign(user, 'your_jwt_secret');
           return res.json({user, token});
        });
    })(req, res);
});

Note, that we pass {session: false} in passport options so that it won't save the user in the session. Also, we create and return a signed JSON web token based on the user object to the client. You can, of course, choose any object to create a token with, as long as it will help you identify your user. The idea is, to store the minimum info that you can use without having to retrieve the user from the database in all the authenticated requests.

Protected requests

Now, we’ll create a middleware, that allows only requests with valid tokens to access some special routes needing authentication, eg. /user/profile. For this, we will use the passport-jwt strategy. We’ll add it in our passport.js file.

//passport.js

...
const passportJWT = require("passport-jwt");
const JWTStrategy = passportJWT.Strategy;
const ExtractJWT = passportJWT.ExtractJwt;
...

passport.use(new JWTStrategy({
        jwtFromRequest: ExtractJWT.fromAuthHeaderAsBearerToken(),
        secretOrKey : 'your_jwt_secret'
    },
    function (jwtPayload, cb) {

        //find the user in db if needed. This functionality may be omitted if you store everything you'll need in JWT payload.
        return UserModel.findOneById(jwtPayload.id)
            .then(user => {
                return cb(null, user);
            })
            .catch(err => {
                return cb(err);
            });
    }
));

Note, that we assume that the client will send the JWT token in Authorization Header as a Bearer Token. The Passport JWT Strategy supports many other ways of getting the token from requests. Choose whichever suits your needs.

Now, all we need to do is to use this middleware in our app for the protected routes. For this tutorial, we’ll prepare a simple user route like this:

//routes/user.js

const express = require('express');
const router = express.Router();

/* GET users listing. */
router.get('/', function(req, res, next) {
  res.send('respond with a resource');
});

/* GET user profile. */
router.get('/profile', function(req, res, next) {
    res.send(req.user);
});

module.exports = router;

And use the passport authentication middleware on user route as shown below:

//app.js

const express = require('express');
...
require('./passport');

const app = express();
...
const auth = require('./routes/auth');
const user = require('./routes/user');

app.use('/auth', auth);
app.use('/user', passport.authenticate('jwt', {session: false}), user);

And that’s it!

Go on and try out some requests, now they’ll be backed with JSON Web Token authorization with Passport 👍


Posted on by:

_arpy profile

Arpy Vanyan

@_arpy

I’m a coder, a reader, a photographer, a passionate traveler and a cyclist. Currently crafting http://booktrail.co

Discussion

markdown guide