DEV Community: Emdadul Haque The latest articles on DEV Community by Emdadul Haque (@apu_emdad). https://dev.to/apu_emdad https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F3265018%2Fcde96eed-f42e-4ff9-9608-e0a294ad526a.png DEV Community: Emdadul Haque https://dev.to/apu_emdad en Demystifying Promises in JavaScript : A Beginner’s Guide Emdadul Haque Sat, 21 Jun 2025 15:25:31 +0000 https://dev.to/apu_emdad/demystifying-promises-in-javascript-a-beginners-guide-5fi3 https://dev.to/apu_emdad/demystifying-promises-in-javascript-a-beginners-guide-5fi3 <h2> <strong>What is a Promise?</strong> </h2> <p>A Promise is an object in JavaScript that represents the eventual completion (or failure) of an asynchronous operation and its resulting value. It allows you to write asynchronous code in a more manageable and readable way by handling success and error cases.</p> <h3> Using Promises: Creating and Handling </h3> <p>You can create a custom Promise instance to handle asynchronous tasks. Once you have a Promise, there are two main ways to handle its result or error:</p> <ul> <li><strong>Using <code>.then()</code> and <code>.catch()</code></strong></li> <li><strong>Using <code>async/await</code> with <code>try/catch</code></strong></li> </ul> <h4> Example: </h4> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="kd">function</span> <span class="nf">customPromise</span><span class="p">(</span><span class="nx">condition</span><span class="p">)</span> <span class="p">{</span> <span class="k">return</span> <span class="k">new</span> <span class="nc">Promise</span><span class="p">((</span><span class="nx">resolve</span><span class="p">,</span> <span class="nx">reject</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="k">if </span><span class="p">(</span><span class="nx">condition</span><span class="p">)</span> <span class="p">{</span> <span class="nf">resolve</span><span class="p">(</span><span class="dl">"</span><span class="s2">Success</span><span class="dl">"</span><span class="p">);</span> <span class="p">}</span> <span class="k">else</span> <span class="p">{</span> <span class="nf">reject</span><span class="p">(</span><span class="dl">"</span><span class="s2">Failure</span><span class="dl">"</span><span class="p">);</span> <span class="p">}</span> <span class="p">});</span> <span class="p">}</span> </code></pre> </div> <p>Instead of <code>new Promise ()</code> instance we can use <code>async/await</code> , which acts the same.</p> <p>Equivalent using <code>async/await</code>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="k">async</span> <span class="kd">function</span> <span class="nf">customPromise</span><span class="p">(</span><span class="nx">condition</span><span class="p">)</span> <span class="p">{</span> <span class="k">if </span><span class="p">(</span><span class="nx">condition</span><span class="p">)</span> <span class="p">{</span> <span class="k">return</span> <span class="dl">"</span><span class="s2">Success</span><span class="dl">"</span><span class="p">;</span> <span class="c1">// resolves</span> <span class="p">}</span> <span class="k">else</span> <span class="p">{</span> <span class="k">throw</span> <span class="dl">"</span><span class="s2">Failure</span><span class="dl">"</span><span class="p">;</span> <span class="c1">// rejects</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <ul> <li> <code>return</code> → resolves the Promise</li> <li> <code>throw</code> → rejects the Promise</li> </ul> <p><strong>Handling promise with <code>.then()</code> and <code>.catch()</code></strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="nf">customPromise</span><span class="p">(</span><span class="kc">true</span><span class="p">)</span> <span class="p">.</span><span class="nf">then</span><span class="p">(</span><span class="nx">result</span> <span class="o">=&gt;</span> <span class="nx">console</span><span class="p">.</span><span class="nf">log</span><span class="p">(</span><span class="dl">"</span><span class="s2">Result:</span><span class="dl">"</span><span class="p">,</span> <span class="nx">result</span><span class="p">))</span> <span class="c1">// If the Promise resolves, this block runs</span> <span class="p">.</span><span class="k">catch</span><span class="p">(</span><span class="nx">error</span> <span class="o">=&gt;</span> <span class="nx">console</span><span class="p">.</span><span class="nf">error</span><span class="p">(</span><span class="dl">"</span><span class="s2">Error:</span><span class="dl">"</span><span class="p">,</span> <span class="nx">error</span><span class="p">));</span> <span class="c1">// If the Promise rejects, this block runs</span> </code></pre> </div> <p><strong>Handling promise with <code>async/await</code> and <code>try/catch</code></strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="k">async</span> <span class="kd">function</span> <span class="nf">handle</span><span class="p">()</span> <span class="p">{</span> <span class="k">try</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">result</span> <span class="o">=</span> <span class="k">await</span> <span class="nf">customPromise</span><span class="p">(</span><span class="kc">false</span><span class="p">);</span> <span class="c1">// If 'false', this will reject</span> <span class="nx">console</span><span class="p">.</span><span class="nf">log</span><span class="p">(</span><span class="dl">"</span><span class="s2">Result:</span><span class="dl">"</span><span class="p">,</span> <span class="nx">result</span><span class="p">);</span> <span class="p">}</span> <span class="k">catch </span><span class="p">(</span><span class="nx">error</span><span class="p">)</span> <span class="p">{</span> <span class="nx">console</span><span class="p">.</span><span class="nf">error</span><span class="p">(</span><span class="dl">"</span><span class="s2">Error:</span><span class="dl">"</span><span class="p">,</span> <span class="nx">error</span><span class="p">);</span> <span class="c1">// This catches the rejection reason</span> <span class="p">}</span> <span class="p">}</span> <span class="nf">handle</span><span class="p">();</span> </code></pre> </div> <h3> Built-in Promises </h3> <p>Many modern JavaScript APIs return Promises by default. For example, the <code>fetch</code> API used for network requests returns a Promise that resolves with the response object.</p> <p>You can handle these Promises using the same techniques (<code>async/await</code> or <code>.then()</code>/<code>.catch()</code>) without needing to create them yourself.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="k">async</span> <span class="kd">function</span> <span class="nf">fetchData</span><span class="p">()</span> <span class="p">{</span> <span class="k">try</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">response</span> <span class="o">=</span> <span class="k">await</span> <span class="nf">fetch</span><span class="p">(</span><span class="dl">"</span><span class="s2">https://api.example.com/data</span><span class="dl">"</span><span class="p">);</span> <span class="kd">const</span> <span class="nx">data</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">response</span><span class="p">.</span><span class="nf">json</span><span class="p">();</span> <span class="nx">console</span><span class="p">.</span><span class="nf">log</span><span class="p">(</span><span class="nx">data</span><span class="p">);</span> <span class="p">}</span> <span class="k">catch </span><span class="p">(</span><span class="nx">error</span><span class="p">)</span> <span class="p">{</span> <span class="nx">console</span><span class="p">.</span><span class="nf">error</span><span class="p">(</span><span class="dl">"</span><span class="s2">Fetch error:</span><span class="dl">"</span><span class="p">,</span> <span class="nx">error</span><span class="p">);</span> <span class="p">}</span> <span class="p">}</span> <span class="nf">fetchData</span><span class="p">();</span> </code></pre> </div> <p><strong>Other built-in Promise-returning APIs include:</strong></p> <ul> <li> <code>Response.json()</code> (parsing JSON from fetch response)</li> <li> <code>fs.promises</code> methods in Node.js (<code>readFile</code>, <code>writeFile</code>, etc.)</li> <li> <code>Promise.all()</code>, <code>Promise.race()</code>, <code>Promise.resolve()</code>, <code>Promise.reject()</code> </li> <li> <code>crypto.subtle</code> API (Web Crypto)</li> <li> <code>cacheStorage</code> methods in Service Workers</li> </ul> <h3> Built-in Asynchronous Functions Without Promises </h3> <p>Some built-in asynchronous functions, like <code>setTimeout</code>, execute tasks asynchronously but <strong>do not return Promises</strong>. Instead, they rely on callbacks to handle completion.</p> <p>If you want to use them with Promises or <code>async/await</code>, you need to <strong>wrap these functions manually</strong> in a Promise.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="kd">function</span> <span class="nf">delay</span><span class="p">(</span><span class="nx">ms</span><span class="p">)</span> <span class="p">{</span> <span class="k">return</span> <span class="k">new</span> <span class="nc">Promise</span><span class="p">(</span><span class="nx">resolve</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="nf">setTimeout</span><span class="p">(</span><span class="nx">resolve</span><span class="p">,</span> <span class="nx">ms</span><span class="p">);</span> <span class="p">});</span> <span class="p">}</span> <span class="k">async</span> <span class="kd">function</span> <span class="nf">run</span><span class="p">()</span> <span class="p">{</span> <span class="k">await</span> <span class="nf">delay</span><span class="p">(</span><span class="mi">1000</span><span class="p">);</span> <span class="nx">console</span><span class="p">.</span><span class="nf">log</span><span class="p">(</span><span class="dl">"</span><span class="s2">Waited 1 second</span><span class="dl">"</span><span class="p">);</span> <span class="p">}</span> <span class="nf">run</span><span class="p">();</span> </code></pre> </div> <p><strong>Other built-in asynchronous functions that use callbacks but do not return Promises:</strong></p> <ul> <li> <code>setInterval()</code> / <code>clearTimeout()</code> / <code>clearInterval()</code> </li> <li><code>navigator.geolocation.getCurrentPosition()</code></li> <li> <code>XMLHttpRequest</code> (older AJAX API)</li> <li>Event listeners (<code>addEventListener</code>)</li> <li>Node.js callback-based <code>fs</code> methods (<code>fs.readFile</code>, <code>fs.writeFile</code>, etc. without <code>.promises</code>)</li> <li> <code>process.nextTick()</code> and <code>setImmediate()</code> in Node.js</li> </ul> Understanding Cookies, Access & Refresh Tokens with Node.js Emdadul Haque Mon, 16 Jun 2025 03:45:20 +0000 https://dev.to/apu_emdad/understanding-cookies-access-refresh-tokens-with-nodejs-di https://dev.to/apu_emdad/understanding-cookies-access-refresh-tokens-with-nodejs-di <p><strong>Cookie:</strong><br> A small piece of data stored by the browser, sent back with every request to the server. It helps the server remember information about the client, like login status.</p> <ul> <li>When you visit a website, the server can give your browser a cookie.</li> <li>Your browser stores it and automatically sends it back to the server every time you visit that site again.</li> <li>Cookies are often used to <strong>remember you</strong>, like keeping you logged in or storing preferences.</li> </ul> <p><strong>Access Token:</strong><br> A short-lived token sent by the server to the client after login. The client uses it to prove authentication when making API requests. It usually expires quickly for security reasons.</p> <ul> <li>When you log in, the server gives you this token.</li> <li>You send it with every request to protected routes (like “get user profile” or “update post”).</li> <li>It usually <strong>expires quickly</strong> (like in 15 minutes) for security.</li> </ul> <p><strong>Refresh Token:</strong><br> A longer-lived token stored safely (usually in a cookie with <code>httpOnly</code>) used to get a new access token when the old one expires. It helps keep the user logged in without asking for credentials repeatedly.</p> <ul> <li>It’s <strong>longer-lasting</strong> than the access token.</li> <li>It’s stored securely in a cookie (usually <code>httpOnly</code>).</li> <li>When your access token expires, your app sends the refresh token to the server to <strong>get a new access token without logging in again</strong>.</li> </ul> <h3> Why Is the Refresh Token Saved in a Cookie? </h3> <p>The refresh token is saved in a cookie—specifically an HTTP-only cookie—to enhance security and protect against XSS (Cross-Site Scripting) attacks.</p> <p>Here’s why:</p> <ul> <li><p><strong>HTTP-only flag</strong><br> When a cookie is set with httpOnly: true, it cannot be accessed by JavaScript running in the browser (e.g., document.cookie).<br> This prevents attackers from stealing the refresh token even if they manage to inject malicious scripts.</p></li> <li><p><strong>Automatically sent with requests</strong><br> Cookies are automatically included in HTTP requests by the browser—no need to manually attach the refresh token on the frontend.<br> This makes the refresh flow seamless and consistent.</p></li> <li><p><strong>Reduces surface area for attacks</strong><br> If you store the refresh token in localStorage or sessionStorage, it's accessible to JavaScript—making it easier for XSS attacks to extract it.<br> Cookies (with proper flags like httpOnly, secure, and sameSite) reduce that risk.</p></li> <li><p><strong>Built-in browser handling</strong><br> The browser takes care of sending the cookie only to the origin you specify (sameSite, domain, path), giving you finer control over exposure.</p></li> </ul> <h3> <strong>Example Setup</strong> </h3> <p><strong>src\app.js</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="c1">//...</span> <span class="k">import</span> <span class="nx">cookieParser</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">cookie-parser</span><span class="dl">'</span><span class="p">;</span> <span class="k">import</span> <span class="nx">cors</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">cors</span><span class="dl">'</span><span class="p">;</span> <span class="nx">app</span><span class="p">.</span><span class="nf">use</span><span class="p">(</span><span class="nf">cookieParser</span><span class="p">());</span> <span class="nx">app</span><span class="p">.</span><span class="nf">use</span><span class="p">(</span> <span class="nf">cors</span><span class="p">({</span> <span class="na">origin</span><span class="p">:</span> <span class="p">[</span><span class="dl">'</span><span class="s1">http://localhost:5173</span><span class="dl">'</span><span class="p">],</span> <span class="na">credentials</span><span class="p">:</span> <span class="kc">true</span><span class="p">,</span> <span class="c1">// ✅ this is mandatory for cookies</span> <span class="p">}),</span> <span class="p">);</span> <span class="c1">//...</span> </code></pre> </div> <p><strong>src\app\modules\Auth\auth.route.js</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="k">import</span> <span class="p">{</span> <span class="nx">AuthControllers</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">./auth.controller</span><span class="dl">'</span><span class="p">;</span> <span class="c1">//...</span> <span class="nx">router</span><span class="p">.</span><span class="nf">post</span><span class="p">(</span><span class="dl">'</span><span class="s1">/login</span><span class="dl">'</span><span class="p">,</span> <span class="nx">AuthControllers</span><span class="p">.</span><span class="nx">loginUser</span><span class="p">);</span> <span class="nx">router</span><span class="p">.</span><span class="nf">post</span><span class="p">(</span><span class="dl">'</span><span class="s1">/refresh-token</span><span class="dl">'</span><span class="p">,</span> <span class="nx">AuthControllers</span><span class="p">.</span><span class="nx">refreshToken</span><span class="p">);</span> <span class="c1">//..</span> </code></pre> </div> <p><strong>src\app\modules\Auth\auth.controller.js</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="k">import</span> <span class="p">{</span> <span class="nx">AuthServices</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">./auth.service</span><span class="dl">'</span><span class="p">;</span> <span class="c1">//..</span> <span class="kd">const</span> <span class="nx">loginUser</span> <span class="o">=</span> <span class="nf">catchAsync</span><span class="p">(</span><span class="k">async </span><span class="p">(</span><span class="nx">req</span><span class="p">,</span> <span class="nx">res</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">result</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">AuthServices</span><span class="p">.</span><span class="nf">loginUser</span><span class="p">(</span><span class="nx">req</span><span class="p">.</span><span class="nx">body</span><span class="p">);</span> <span class="kd">const</span> <span class="p">{</span> <span class="nx">refreshToken</span><span class="p">,</span> <span class="nx">accessToken</span> <span class="p">}</span> <span class="o">=</span> <span class="nx">result</span><span class="p">;</span> <span class="nx">res</span><span class="p">.</span><span class="nf">cookie</span><span class="p">(</span><span class="dl">'</span><span class="s1">refreshToken</span><span class="dl">'</span><span class="p">,</span> <span class="nx">refreshToken</span><span class="p">,</span> <span class="p">{</span> <span class="na">secure</span><span class="p">:</span> <span class="nx">config</span><span class="p">.</span><span class="nx">NODE_ENV</span> <span class="o">===</span> <span class="dl">'</span><span class="s1">production</span><span class="dl">'</span><span class="p">,</span> <span class="na">httpOnly</span><span class="p">:</span> <span class="kc">true</span><span class="p">,</span> <span class="na">maxAge</span><span class="p">:</span> <span class="mi">7</span> <span class="o">*</span> <span class="mi">24</span> <span class="o">*</span> <span class="mi">60</span> <span class="o">*</span> <span class="mi">60</span> <span class="o">*</span> <span class="mi">1000</span><span class="p">,</span> <span class="c1">// cookie lasts 7 days</span> <span class="p">});</span> <span class="nf">sendResponse</span><span class="p">(</span><span class="nx">res</span><span class="p">,</span> <span class="p">{</span> <span class="na">statusCode</span><span class="p">:</span> <span class="nx">httpStatus</span><span class="p">.</span><span class="nx">OK</span><span class="p">,</span> <span class="na">success</span><span class="p">:</span> <span class="kc">true</span><span class="p">,</span> <span class="na">message</span><span class="p">:</span> <span class="dl">'</span><span class="s1">User is logged in succesfully!</span><span class="dl">'</span><span class="p">,</span> <span class="na">data</span><span class="p">:</span> <span class="p">{</span> <span class="nx">accessToken</span><span class="p">,</span> <span class="p">},</span> <span class="p">});</span> <span class="p">});</span> <span class="kd">const</span> <span class="nx">refreshToken</span> <span class="o">=</span> <span class="nf">catchAsync</span><span class="p">(</span><span class="k">async </span><span class="p">(</span><span class="nx">req</span><span class="p">,</span> <span class="nx">res</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="kd">const</span> <span class="p">{</span> <span class="nx">refreshToken</span> <span class="p">}</span> <span class="o">=</span> <span class="nx">req</span><span class="p">.</span><span class="nx">cookies</span><span class="p">;</span> <span class="kd">const</span> <span class="nx">result</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">AuthServices</span><span class="p">.</span><span class="nf">refreshToken</span><span class="p">(</span><span class="nx">refreshToken</span><span class="p">);</span> <span class="c1">//verifies the current refresh token. generates and returns new access token upon succesful verification</span> <span class="nf">sendResponse</span><span class="p">(</span><span class="nx">res</span><span class="p">,</span> <span class="p">{</span> <span class="na">statusCode</span><span class="p">:</span> <span class="nx">httpStatus</span><span class="p">.</span><span class="nx">OK</span><span class="p">,</span> <span class="na">success</span><span class="p">:</span> <span class="kc">true</span><span class="p">,</span> <span class="na">message</span><span class="p">:</span> <span class="dl">'</span><span class="s1">Access token is retrieved succesfully!</span><span class="dl">'</span><span class="p">,</span> <span class="na">data</span><span class="p">:</span> <span class="nx">result</span><span class="p">,</span> <span class="p">});</span> <span class="p">});</span> <span class="k">export</span> <span class="kd">const</span> <span class="nx">AuthControllers</span> <span class="o">=</span> <span class="p">{</span> <span class="nx">loginUser</span><span class="p">,</span> <span class="nx">changePassword</span><span class="p">,</span> <span class="nx">refreshToken</span><span class="p">,</span> <span class="p">};</span> <span class="c1">//..</span> </code></pre> </div> <h3> <strong>Explanation of the provided example in simple terms</strong> </h3> <ol> <li> <strong>Middleware setup (<code>src\app.js</code>)</strong> </li> </ol> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="nx">app</span><span class="p">.</span><span class="nf">use</span><span class="p">(</span><span class="nf">cookieParser</span><span class="p">());</span> <span class="nx">app</span><span class="p">.</span><span class="nf">use</span><span class="p">(</span> <span class="nf">cors</span><span class="p">({</span> <span class="na">origin</span><span class="p">:</span> <span class="p">[</span><span class="dl">'</span><span class="s1">http://localhost:5173</span><span class="dl">'</span><span class="p">],</span> <span class="na">credentials</span><span class="p">:</span> <span class="kc">true</span><span class="p">,</span> <span class="c1">// ✅ this is mandatory for cookies</span> <span class="p">}),</span> <span class="p">);</span> </code></pre> </div> <ul> <li> <code>cookieParser()</code> lets your server read cookies sent by the browser.</li> <li> <code>cors()</code> allows your frontend (<code>http://localhost:5173</code>) to talk to this backend, and <code>credentials: true</code> lets cookies be sent in cross-origin requests, which is necessary for storing refresh tokens.</li> </ul> <ol> <li> <strong>Routes (<code>auth.route.js</code>)</strong> </li> </ol> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="nx">router</span><span class="p">.</span><span class="nf">post</span><span class="p">(</span><span class="dl">'</span><span class="s1">/login</span><span class="dl">'</span><span class="p">,</span> <span class="nx">AuthControllers</span><span class="p">.</span><span class="nx">loginUser</span><span class="p">);</span> <span class="nx">router</span><span class="p">.</span><span class="nf">post</span><span class="p">(</span><span class="dl">'</span><span class="s1">/refresh-token</span><span class="dl">'</span><span class="p">,</span> <span class="nx">AuthControllers</span><span class="p">.</span><span class="nx">refreshToken</span><span class="p">);</span> </code></pre> </div> <ul> <li> <code>/login</code> route handles user login.</li> <li> <code>/refresh-token</code> route is called when the client wants a new access token using the refresh token.</li> </ul> <ol> <li> <strong>Login controller (<code>auth.controller.js</code>)</strong> </li> </ol> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="kd">const</span> <span class="nx">loginUser</span> <span class="o">=</span> <span class="nf">catchAsync</span><span class="p">(</span><span class="k">async </span><span class="p">(</span><span class="nx">req</span><span class="p">,</span> <span class="nx">res</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="c1">//takes login credential (email, password), verifies it and generates refreshToken and accessToken</span> <span class="kd">const</span> <span class="nx">result</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">AuthServices</span><span class="p">.</span><span class="nf">loginUser</span><span class="p">(</span><span class="nx">req</span><span class="p">.</span><span class="nx">body</span><span class="p">);</span> <span class="kd">const</span> <span class="p">{</span> <span class="nx">refreshToken</span><span class="p">,</span> <span class="nx">accessToken</span> <span class="p">}</span> <span class="o">=</span> <span class="nx">result</span><span class="p">;</span> <span class="nx">res</span><span class="p">.</span><span class="nf">cookie</span><span class="p">(</span><span class="dl">'</span><span class="s1">refreshToken</span><span class="dl">'</span><span class="p">,</span> <span class="nx">refreshToken</span><span class="p">,</span> <span class="p">{</span> <span class="na">secure</span><span class="p">:</span> <span class="nx">config</span><span class="p">.</span><span class="nx">NODE_ENV</span> <span class="o">===</span> <span class="dl">'</span><span class="s1">production</span><span class="dl">'</span><span class="p">,</span> <span class="na">httpOnly</span><span class="p">:</span> <span class="kc">true</span><span class="p">,</span> <span class="na">maxAge</span><span class="p">:</span> <span class="mi">7</span> <span class="o">*</span> <span class="mi">24</span> <span class="o">*</span> <span class="mi">60</span> <span class="o">*</span> <span class="mi">60</span> <span class="o">*</span> <span class="mi">1000</span><span class="p">,</span> <span class="c1">// cookie lasts 7 days</span> <span class="p">});</span> <span class="nf">sendResponse</span><span class="p">(</span><span class="nx">res</span><span class="p">,</span> <span class="p">{</span> <span class="na">statusCode</span><span class="p">:</span> <span class="nx">httpStatus</span><span class="p">.</span><span class="nx">OK</span><span class="p">,</span> <span class="na">success</span><span class="p">:</span> <span class="kc">true</span><span class="p">,</span> <span class="na">message</span><span class="p">:</span> <span class="dl">'</span><span class="s1">User is logged in succesfully!</span><span class="dl">'</span><span class="p">,</span> <span class="na">data</span><span class="p">:</span> <span class="p">{</span> <span class="nx">accessToken</span><span class="p">,</span> <span class="p">},</span> <span class="p">});</span> <span class="p">});</span> </code></pre> </div> <ul> <li>When a user logs in, your service returns two tokens: an <code>accessToken</code> and a <code>refreshToken</code>.</li> <li>The refresh token is saved in an HTTP-only cookie (<code>res.cookie(...)</code>), so the browser stores it but JavaScript cannot read it (safer).</li> <li>The access token is sent back in the JSON response, so the frontend can use it to authenticate API calls.</li> </ul> <ol> <li> <strong>Refresh token controller</strong> </li> </ol> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="kd">const</span> <span class="nx">refreshToken</span> <span class="o">=</span> <span class="nf">catchAsync</span><span class="p">(</span><span class="k">async </span><span class="p">(</span><span class="nx">req</span><span class="p">,</span> <span class="nx">res</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="kd">const</span> <span class="p">{</span> <span class="nx">refreshToken</span> <span class="p">}</span> <span class="o">=</span> <span class="nx">req</span><span class="p">.</span><span class="nx">cookies</span><span class="p">;</span> <span class="c1">// uses jwt.verify for the verification. expample - jwt.verify( refreshToken, config.jwt_refresh_secret )</span> <span class="c1">// verifies the current refresh token. generates and returns new access token upon successful verification</span> <span class="kd">const</span> <span class="nx">result</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">AuthServices</span><span class="p">.</span><span class="nf">refreshToken</span><span class="p">(</span><span class="nx">refreshToken</span><span class="p">);</span> <span class="nf">sendResponse</span><span class="p">(</span><span class="nx">res</span><span class="p">,</span> <span class="p">{</span> <span class="na">statusCode</span><span class="p">:</span> <span class="nx">httpStatus</span><span class="p">.</span><span class="nx">OK</span><span class="p">,</span> <span class="na">success</span><span class="p">:</span> <span class="kc">true</span><span class="p">,</span> <span class="na">message</span><span class="p">:</span> <span class="dl">'</span><span class="s1">Access token is retrieved succesfully!</span><span class="dl">'</span><span class="p">,</span> <span class="na">data</span><span class="p">:</span> <span class="nx">result</span><span class="p">,</span> <span class="p">});</span> <span class="p">});</span> </code></pre> </div> <ul> <li>When the frontend detects the access token expired, it calls <code>/refresh-token</code>.</li> <li>The server reads the refresh token from the cookie (<code>req.cookies</code>).</li> <li>It verifies the refresh token and issues a new access token.</li> <li>The new access token is sent back to the client to continue making authenticated requests.</li> </ul> <p><strong>Summary:</strong><br> Cookies store the refresh token securely. The frontend uses the access token for requests. When access token expires, frontend calls <code>/refresh-token</code> endpoint, sending the refresh token automatically via cookie, and gets a new access token without asking the user to log in again.</p> <p><strong>AuthService example code</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="k">import</span> <span class="nx">jwt</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">jsonwebtoken</span><span class="dl">'</span><span class="p">;</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">User</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">../user/user.model</span><span class="dl">'</span><span class="p">;</span> <span class="c1">// util function to generate tokens</span> <span class="kd">const</span> <span class="nx">createToken</span> <span class="o">=</span> <span class="p">(</span><span class="nx">jwtPayload</span><span class="p">,</span> <span class="nx">secret</span><span class="p">,</span> <span class="nx">expiresIn</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="k">return</span> <span class="nx">jwt</span><span class="p">.</span><span class="nf">sign</span><span class="p">(</span><span class="nx">jwtPayload</span><span class="p">,</span> <span class="nx">secret</span><span class="p">,</span> <span class="p">{</span> <span class="nx">expiresIn</span> <span class="p">});</span> <span class="p">};</span> <span class="kd">const</span> <span class="nx">loginUser</span> <span class="o">=</span> <span class="k">async </span><span class="p">(</span><span class="nx">payload</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">user</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">User</span><span class="p">.</span><span class="nf">findById</span><span class="p">(</span><span class="nx">payload</span><span class="p">.</span><span class="nx">id</span><span class="p">);</span> <span class="kd">const</span> <span class="nx">jwtPayload</span> <span class="o">=</span> <span class="p">{</span> <span class="na">userId</span><span class="p">:</span> <span class="nx">user</span><span class="p">.</span><span class="nx">id</span><span class="p">,</span> <span class="na">role</span><span class="p">:</span> <span class="nx">user</span><span class="p">.</span><span class="nx">role</span><span class="p">,</span> <span class="p">};</span> <span class="kd">const</span> <span class="nx">accessToken</span> <span class="o">=</span> <span class="nf">createToken</span><span class="p">(</span> <span class="nx">jwtPayload</span><span class="p">,</span> <span class="nx">config</span><span class="p">.</span><span class="nx">jwt_access_secret</span><span class="p">,</span> <span class="nx">config</span><span class="p">.</span><span class="nx">jwt_access_expires_in</span> <span class="p">);</span> <span class="kd">const</span> <span class="nx">refreshToken</span> <span class="o">=</span> <span class="nf">createToken</span><span class="p">(</span> <span class="nx">jwtPayload</span><span class="p">,</span> <span class="nx">config</span><span class="p">.</span><span class="nx">jwt_refresh_secret</span><span class="p">,</span> <span class="nx">config</span><span class="p">.</span><span class="nx">jwt_refresh_expires_in</span> <span class="p">);</span> <span class="k">return</span> <span class="p">{</span> <span class="nx">accessToken</span><span class="p">,</span> <span class="nx">refreshToken</span><span class="p">,</span> <span class="p">};</span> <span class="p">};</span> <span class="kd">const</span> <span class="nx">refreshToken</span> <span class="o">=</span> <span class="k">async </span><span class="p">(</span><span class="nx">token</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">decoded</span> <span class="o">=</span> <span class="nx">jwt</span><span class="p">.</span><span class="nf">verify</span><span class="p">(</span><span class="nx">token</span><span class="p">,</span> <span class="nx">config</span><span class="p">.</span><span class="nx">jwt_refresh_secret</span><span class="p">);</span> <span class="kd">const</span> <span class="nx">jwtPayload</span> <span class="o">=</span> <span class="p">{</span> <span class="na">userId</span><span class="p">:</span> <span class="nx">decoded</span><span class="p">.</span><span class="nx">userId</span><span class="p">,</span> <span class="na">role</span><span class="p">:</span> <span class="nx">decoded</span><span class="p">.</span><span class="nx">role</span><span class="p">,</span> <span class="p">};</span> <span class="kd">const</span> <span class="nx">accessToken</span> <span class="o">=</span> <span class="nf">createToken</span><span class="p">(</span> <span class="nx">jwtPayload</span><span class="p">,</span> <span class="nx">config</span><span class="p">.</span><span class="nx">jwt_access_secret</span><span class="p">,</span> <span class="nx">config</span><span class="p">.</span><span class="nx">jwt_access_expires_in</span> <span class="p">);</span> <span class="k">return</span> <span class="p">{</span> <span class="nx">accessToken</span><span class="p">,</span> <span class="p">};</span> <span class="p">};</span> <span class="k">export</span> <span class="kd">const</span> <span class="nx">AuthServices</span> <span class="o">=</span> <span class="p">{</span> <span class="nx">loginUser</span><span class="p">,</span> <span class="nx">refreshToken</span><span class="p">,</span> <span class="p">};</span> </code></pre> </div> jwt cookie express How to Use a Higher-Order Component (HOC) the Right Way in React Emdadul Haque Sat, 14 Jun 2025 10:41:48 +0000 https://dev.to/apu_emdad/how-to-use-a-higher-order-component-hoc-the-right-way-in-react-1g5l https://dev.to/apu_emdad/how-to-use-a-higher-order-component-hoc-the-right-way-in-react-1g5l <h3> What is a HOC? </h3> <p>A <strong>Higher-Order Component</strong> is a function that:</p> <ul> <li>Takes a React component as input</li> <li>Returns a <strong>new</strong> React component with extra features</li> </ul> <h3> Example of a HOC </h3> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="kd">const</span> <span class="nx">withAdminRole</span> <span class="o">=</span> <span class="p">(</span><span class="nx">WrappedComponent</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="c1">// takes a component as argument and returns new component</span> <span class="k">return </span><span class="p">(</span><span class="nx">props</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="o">&lt;</span><span class="nx">WrappedComponent</span> <span class="p">{...</span><span class="nx">props</span><span class="p">}</span> <span class="nx">role</span><span class="o">=</span><span class="dl">"</span><span class="s2">admin</span><span class="dl">"</span> <span class="o">/&gt;</span><span class="p">;</span> <span class="p">};</span> <span class="kd">const</span> <span class="nx">WelcomeUser</span> <span class="o">=</span> <span class="p">({</span> <span class="nx">name</span><span class="p">,</span> <span class="nx">role</span> <span class="p">})</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="k">return</span> <span class="o">&lt;</span><span class="nx">p</span><span class="o">&gt;</span><span class="nx">Welcome</span><span class="p">,</span> <span class="p">{</span><span class="nx">name</span><span class="p">}</span><span class="o">!</span> <span class="nx">Your</span> <span class="nx">role</span> <span class="na">is</span><span class="p">:</span> <span class="p">{</span><span class="nx">role</span><span class="p">}</span><span class="o">&lt;</span><span class="sr">/p&gt;</span><span class="err">; </span><span class="p">};</span> </code></pre> </div> <h3> ❌ Inefficient Way to Use It </h3> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="c1">// Don't do this</span> <span class="kd">const</span> <span class="nx">UserWithRole</span> <span class="o">=</span> <span class="p">()</span> <span class="o">=&gt;</span> <span class="nf">withAdminRole</span><span class="p">(</span><span class="nx">WelcomeUser</span><span class="p">);</span> <span class="o">&lt;</span><span class="nx">UserWithRole</span> <span class="nx">name</span><span class="o">=</span><span class="dl">"</span><span class="s2">Apu</span><span class="dl">"</span> <span class="o">/&gt;</span><span class="p">;</span> </code></pre> </div> <p><strong>What’s wrong here?</strong></p> <ul> <li> <code>withAdminRole(WelcomeUser)</code> is called <strong>every time</strong> <code>&lt;UserWithRole /&gt;</code> renders</li> <li>This creates a <strong>new component on every render</strong> </li> <li>React <strong>can’t optimize</strong> this</li> <li>It can cause <strong>unnecessary re-renders</strong> </li> </ul> <h3> ✅ Efficient Way to Use It </h3> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="c1">// Do this instead</span> <span class="kd">const</span> <span class="nx">UserWithRole</span> <span class="o">=</span> <span class="nf">withAdminRole</span><span class="p">(</span><span class="nx">WelcomeUser</span><span class="p">);</span> <span class="o">&lt;</span><span class="nx">UserWithRole</span> <span class="nx">name</span><span class="o">=</span><span class="dl">"</span><span class="s2">Apu</span><span class="dl">"</span> <span class="o">/&gt;</span><span class="p">;</span> </code></pre> </div> <p><strong>What’s right here?</strong></p> <ul> <li> <code>withAdminRole(WelcomeUser)</code> is called only <strong>once</strong>,</li> <li> <code>UserWithRole</code>is now a <strong>stable component</strong> </li> <li>React can <strong>optimize performance</strong> </li> <li>Your code is <strong>cleaner and safer</strong> </li> </ul> <h3> Simple Rule </h3> <blockquote> <p><strong>Always assign the result of a HOC to a constant. Don’t call the HOC inside a component or inside render.</strong></p> </blockquote> react higherordercomponent hoc webdev