DEV Community: Võ Huỳnh Đức Minh The latest articles on DEV Community by Võ Huỳnh Đức Minh (@developerminhvo). https://dev.to/developerminhvo https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F457909%2F1d7de8f3-7e16-4054-9f20-d5582b1f698e.jpg DEV Community: Võ Huỳnh Đức Minh https://dev.to/developerminhvo en JSON Web Token: Authorization RESTful API by using JWT Võ Huỳnh Đức Minh Wed, 26 Aug 2020 11:42:36 +0000 https://dev.to/developerminhvo/web-api-security-3ccf https://dev.to/developerminhvo/web-api-security-3ccf <h3> ✔ What is JWT </h3> <blockquote> <p>💡 JSON Web Token is an open and standard <a href="https://tools.ietf.org/html/rfc7519">(RFC 7519)</a> way for you to represent your user’s identity securely during a two-party interaction. Particularly, when two systems exchange data you can use JSON Web Token to identify your user without having to send private credentials on every request.</p> </blockquote> <p>A JWT typically looks like this<br> </p> <div class="highlight"><pre class="highlight javascript"><code><span class="nx">eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9</span><span class="p">.</span><span class="nx">eyJleHAiOjEzODY4OTkxMzEsImlzcyI6ImppcmE6MTU0ODk1OTUiLCJxc2giOiI4MDYzZmY0Y2ExZTQxZGY3YmM5MGM4YWI2ZDBmNjIwN2Q0OTFjZjZkYWQ3YzY2ZWE3OTdiNDYxNGI3MTkyMmU5IiwiaWF0IjoxMzg2ODk4OTUxfQ</span><span class="p">.</span><span class="nx">uKqU9dTB6gKwG6jQCuXYAiMNdfNRw98Hw_IWuA5MaMo</span> </code></pre></div> <p>It looks complicated at first sight, but if you understand, the structure of a JWT is just simple as follows<br> </p> <div class="highlight"><pre class="highlight javascript"><code><span class="o">&lt;</span><span class="nx">base64</span><span class="o">-</span><span class="nx">encoded</span> <span class="nx">header</span><span class="o">&gt;</span><span class="p">.</span><span class="o">&lt;</span><span class="nx">base64</span><span class="o">-</span><span class="nx">encoded</span> <span class="nx">payload</span><span class="o">&gt;</span><span class="p">.</span><span class="o">&lt;</span><span class="nx">base64</span><span class="o">-</span><span class="nx">encoded</span> <span class="nx">signature</span><span class="o">&gt;</span> </code></pre></div> <p>In other words, a well-formed JWT consists of three concatenated Base64url-encoded strings, separated by dots <code>(.)</code>, which are:</p> <ul> <li>Header</li> <li>Payload</li> <li>Signature</li> </ul> <h3> ✔ Build RESTful API with JWT(JSON Web Token) </h3> <p>First let's create a folder with name "<em>JWT</em>" and take a look at our project structure<br> <a href="https://res.cloudinary.com/practicaldev/image/fetch/s--5rsAHaDK--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://dev-to-uploads.s3.amazonaws.com/i/ut4f6vlnd3f0nel8zvub.PNG" class="article-body-image-wrapper"><img src="https://res.cloudinary.com/practicaldev/image/fetch/s--5rsAHaDK--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://dev-to-uploads.s3.amazonaws.com/i/ut4f6vlnd3f0nel8zvub.PNG" alt="Alt Text"></a><br> Then open your command line under JWT directory and write this command<br> </p> <div class="highlight"><pre class="highlight shell"><code>npm <span class="nb">install</span> <span class="nt">--save</span> express body-parser morgan jsonwebtoken </code></pre></div> <h4> 1 - index.js </h4> <div class="highlight"><pre class="highlight javascript"><code><span class="kd">const</span> <span class="nx">express</span> <span class="o">=</span> <span class="nx">require</span><span class="p">(</span><span class="dl">'</span><span class="s1">express</span><span class="dl">'</span><span class="p">),</span> <span class="nx">bodyParser</span> <span class="o">=</span> <span class="nx">require</span><span class="p">(</span><span class="dl">'</span><span class="s1">body-parser</span><span class="dl">'</span><span class="p">),</span> <span class="nx">jwt</span> <span class="o">=</span> <span class="nx">require</span><span class="p">(</span><span class="dl">'</span><span class="s1">jsonwebtoken</span><span class="dl">'</span><span class="p">),</span> <span class="nx">config</span> <span class="o">=</span> <span class="nx">require</span><span class="p">(</span><span class="dl">'</span><span class="s1">./configurations/config</span><span class="dl">'</span><span class="p">),</span> <span class="nx">cors</span> <span class="o">=</span> <span class="nx">require</span><span class="p">(</span><span class="dl">'</span><span class="s1">cors</span><span class="dl">'</span><span class="p">),</span> <span class="nx">app</span> <span class="o">=</span> <span class="nx">express</span><span class="p">();</span> <span class="c1">//set secret</span> <span class="nx">app</span><span class="p">.</span><span class="kd">set</span><span class="p">(</span><span class="dl">'</span><span class="s1">Secret</span><span class="dl">'</span><span class="p">,</span> <span class="nx">config</span><span class="p">.</span><span class="nx">secret</span><span class="p">);</span> <span class="c1">// parse application/x-www-form-urlencoded</span> <span class="nx">app</span><span class="p">.</span><span class="nx">use</span><span class="p">(</span><span class="nx">bodyParser</span><span class="p">.</span><span class="nx">urlencoded</span><span class="p">({</span> <span class="na">extended</span><span class="p">:</span> <span class="kc">true</span> <span class="p">}));</span> <span class="c1">// parse application/json</span> <span class="nx">app</span><span class="p">.</span><span class="nx">use</span><span class="p">(</span><span class="nx">bodyParser</span><span class="p">.</span><span class="nx">json</span><span class="p">());</span> <span class="nx">app</span><span class="p">.</span><span class="nx">listen</span><span class="p">(</span><span class="mi">3000</span><span class="p">,</span> <span class="p">()</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="nx">console</span><span class="p">.</span><span class="nx">log</span><span class="p">(</span><span class="dl">'</span><span class="s1">Server is running on port 3000</span><span class="dl">'</span><span class="p">);</span> <span class="p">});</span> <span class="nx">app</span><span class="p">.</span><span class="kd">get</span><span class="p">(</span><span class="dl">'</span><span class="s1">/</span><span class="dl">'</span><span class="p">,</span> <span class="kd">function</span> <span class="p">(</span><span class="nx">req</span><span class="p">,</span> <span class="nx">res</span><span class="p">)</span> <span class="p">{</span> <span class="nx">res</span><span class="p">.</span><span class="nx">send</span><span class="p">(</span><span class="dl">'</span><span class="s1">App is running on http://localhost:3000/</span><span class="dl">'</span><span class="p">);</span> <span class="p">});</span> </code></pre></div> <h4> 2 - configurations/config.js </h4> <div class="highlight"><pre class="highlight javascript"><code><span class="nx">module</span><span class="p">.</span><span class="nx">exports</span> <span class="o">=</span> <span class="p">{</span> <span class="na">secret</span><span class="p">:</span> <span class="dl">"</span><span class="s2">heymynameisminh</span><span class="dl">"</span> <span class="p">}</span> </code></pre></div> <p>Now check if everthing is okay 😃 Run this command line.<br> </p> <div class="highlight"><pre class="highlight shell"><code>node index.js </code></pre></div> <blockquote> <p>❗️ Make sure that you are standing in the right directory to run index.js file (following our project structure)</p> </blockquote> <p>Open your browser at <a href="http://localhost:3000/">http://localhost:3000/</a> </p> <p><a href="https://res.cloudinary.com/practicaldev/image/fetch/s--JHJPZT4s--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://dev-to-uploads.s3.amazonaws.com/i/lba52x2qulj8nedkvssd.PNG" class="article-body-image-wrapper"><img src="https://res.cloudinary.com/practicaldev/image/fetch/s--JHJPZT4s--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://dev-to-uploads.s3.amazonaws.com/i/lba52x2qulj8nedkvssd.PNG" alt="Alt Text"></a></p> <p>Well done! Everything works well. Keep going</p> <h4> 3 - Setting up the authentication system </h4> <p>Assume the username and password in the database are "<em>techx</em>" and "<em>123</em>" then write this code in <em>index.js</em> file<br> </p> <div class="highlight"><pre class="highlight javascript"><code><span class="nx">app</span><span class="p">.</span><span class="nx">post</span><span class="p">(</span><span class="dl">'</span><span class="s1">/authenticate</span><span class="dl">'</span><span class="p">,</span> <span class="kd">function</span> <span class="p">(</span><span class="nx">req</span><span class="p">,</span> <span class="nx">res</span><span class="p">)</span> <span class="p">{</span> <span class="nx">console</span><span class="p">.</span><span class="nx">log</span><span class="p">(</span><span class="nx">req</span><span class="p">.</span><span class="nx">body</span><span class="p">);</span> <span class="k">if</span> <span class="p">(</span><span class="nx">req</span><span class="p">.</span><span class="nx">body</span><span class="p">.</span><span class="nx">username</span> <span class="o">!==</span> <span class="dl">"</span><span class="s2">techx</span><span class="dl">"</span><span class="p">)</span> <span class="nx">res</span><span class="p">.</span><span class="nx">json</span><span class="p">({</span> <span class="na">message</span><span class="p">:</span> <span class="dl">"</span><span class="s2">user not found!</span><span class="dl">"</span> <span class="p">});</span> <span class="k">if</span> <span class="p">(</span><span class="nx">req</span><span class="p">.</span><span class="nx">body</span><span class="p">.</span><span class="nx">password</span> <span class="o">!==</span> <span class="dl">"</span><span class="s2">123</span><span class="dl">"</span><span class="p">)</span> <span class="nx">res</span><span class="p">.</span><span class="nx">json</span><span class="p">({</span> <span class="na">message</span><span class="p">:</span> <span class="dl">"</span><span class="s2">please check your password!</span><span class="dl">"</span> <span class="p">});</span> <span class="kd">const</span> <span class="nx">payload</span> <span class="o">=</span> <span class="p">{</span> <span class="na">check</span><span class="p">:</span> <span class="kc">true</span> <span class="p">}</span> <span class="kd">let</span> <span class="nx">token</span> <span class="o">=</span> <span class="nx">jwt</span><span class="p">.</span><span class="nx">sign</span><span class="p">(</span><span class="nx">payload</span><span class="p">,</span> <span class="nx">app</span><span class="p">.</span><span class="kd">get</span><span class="p">(</span><span class="dl">'</span><span class="s1">Secret</span><span class="dl">'</span><span class="p">),</span> <span class="p">{</span> <span class="na">expiresIn</span><span class="p">:</span> <span class="mi">14000</span> <span class="p">});</span> <span class="nx">res</span><span class="p">.</span><span class="nx">json</span><span class="p">({</span> <span class="na">message</span><span class="p">:</span> <span class="dl">'</span><span class="s1">authentication done</span><span class="dl">'</span><span class="p">,</span> <span class="na">token</span><span class="p">:</span> <span class="nx">token</span> <span class="p">});</span> <span class="p">});</span> </code></pre></div> <p>Now let's make a test with Postman</p> <p><a href="https://res.cloudinary.com/practicaldev/image/fetch/s--Otx0v4Wu--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://dev-to-uploads.s3.amazonaws.com/i/1a0293fke5j6hidgq309.PNG" class="article-body-image-wrapper"><img src="https://res.cloudinary.com/practicaldev/image/fetch/s--Otx0v4Wu--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://dev-to-uploads.s3.amazonaws.com/i/1a0293fke5j6hidgq309.PNG" alt="Alt Text"></a></p> <p>Perfect! 😃 We just sent an HTTP request to the server, which responed with the JWT we asked for. For now, Client's already had the token. Let's move to the next step - <em>Setting route</em><br> </p> <div class="highlight"><pre class="highlight javascript"><code><span class="kd">const</span> <span class="nx">ProtectedRoutes</span> <span class="o">=</span> <span class="nx">express</span><span class="p">.</span><span class="nx">Router</span><span class="p">();</span> <span class="nx">app</span><span class="p">.</span><span class="nx">use</span><span class="p">(</span><span class="dl">'</span><span class="s1">/api</span><span class="dl">'</span><span class="p">,</span> <span class="nx">ProtectedRoutes</span><span class="p">);</span> <span class="nx">ProtectedRoutes</span><span class="p">.</span><span class="nx">use</span><span class="p">((</span><span class="nx">req</span><span class="p">,</span> <span class="nx">res</span><span class="p">,</span> <span class="nx">next</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="kd">let</span> <span class="nx">token</span> <span class="o">=</span> <span class="nx">req</span><span class="p">.</span><span class="nx">headers</span><span class="p">[</span><span class="dl">'</span><span class="s1">access-token</span><span class="dl">'</span><span class="p">];</span> <span class="nx">console</span><span class="p">.</span><span class="nx">log</span><span class="p">(</span><span class="nx">token</span><span class="p">);</span> <span class="k">if</span> <span class="p">(</span><span class="o">!</span><span class="nx">token</span><span class="p">)</span> <span class="nx">res</span><span class="p">.</span><span class="nx">send</span><span class="p">({</span> <span class="na">message</span><span class="p">:</span> <span class="dl">'</span><span class="s1">No token provided.</span><span class="dl">'</span> <span class="p">});</span> <span class="nx">jwt</span><span class="p">.</span><span class="nx">verify</span><span class="p">(</span><span class="nx">token</span><span class="p">,</span> <span class="nx">app</span><span class="p">.</span><span class="kd">get</span><span class="p">(</span><span class="dl">'</span><span class="s1">Secret</span><span class="dl">'</span><span class="p">),</span> <span class="p">(</span><span class="nx">err</span><span class="p">,</span> <span class="nx">decoded</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="k">if</span> <span class="p">(</span><span class="o">!</span><span class="nx">err</span><span class="p">)</span> <span class="p">{</span> <span class="nx">req</span><span class="p">.</span><span class="nx">decoded</span> <span class="o">=</span> <span class="nx">decoded</span><span class="p">;</span> <span class="nx">next</span><span class="p">();</span> <span class="p">}</span> <span class="k">return</span> <span class="nx">res</span><span class="p">.</span><span class="nx">json</span><span class="p">({</span> <span class="na">message</span><span class="p">:</span> <span class="dl">'</span><span class="s1">invalid token</span><span class="dl">'</span> <span class="p">});</span> <span class="p">})</span> <span class="p">});</span> <span class="nx">ProtectedRoutes</span><span class="p">.</span><span class="kd">get</span><span class="p">(</span><span class="dl">'</span><span class="s1">/getAllProducts</span><span class="dl">'</span><span class="p">,</span> <span class="p">(</span><span class="nx">req</span><span class="p">,</span> <span class="nx">res</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="kd">let</span> <span class="nx">products</span> <span class="o">=</span> <span class="p">[</span> <span class="p">{</span> <span class="na">id</span><span class="p">:</span> <span class="mi">1</span><span class="p">,</span> <span class="na">name</span><span class="p">:</span> <span class="dl">"</span><span class="s2">cheese</span><span class="dl">"</span> <span class="p">},</span> <span class="p">{</span> <span class="na">id</span><span class="p">:</span> <span class="mi">2</span><span class="p">,</span> <span class="na">name</span><span class="p">:</span> <span class="dl">"</span><span class="s2">carottes</span><span class="dl">"</span> <span class="p">}</span> <span class="p">]</span> <span class="nx">res</span><span class="p">.</span><span class="nx">json</span><span class="p">(</span><span class="nx">products</span><span class="p">)</span> <span class="p">});</span> </code></pre></div> <p>Everything have done, now we are comparing two different ways of getting data</p> <ul> <li><strong>with Token</strong></li> </ul> <p><a href="https://res.cloudinary.com/practicaldev/image/fetch/s--_wUVBWZJ--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://dev-to-uploads.s3.amazonaws.com/i/s5xhsdoflt6jjqp7q2f1.PNG" class="article-body-image-wrapper"><img src="https://res.cloudinary.com/practicaldev/image/fetch/s--_wUVBWZJ--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://dev-to-uploads.s3.amazonaws.com/i/s5xhsdoflt6jjqp7q2f1.PNG" alt="Alt Text"></a></p> <ul> <li> <strong>without Token</strong> </li> </ul> <h2> <img src="https://res.cloudinary.com/practicaldev/image/fetch/s--Z-5Q6oIP--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://dev-to-uploads.s3.amazonaws.com/i/db8yz3k3xh10qxdb7mnu.PNG" alt="Alt Text"> </h2> security tutorial webdev node