Making Your Express.js API Secure: Authentication Middleware & Token Management

M DISHA SHETTY — Fri, 07 Mar 2025 07:07:14 +0000

Link
Why Authentication Matters

Imagine leaving your house unlocked—anyone could walk in and take what they want. APIs work the same way. Without proper authentication, attackers can gain access to sensitive data or manipulate your system. JWTs and API keys provide a structured way to ensure only authorized users can use your API securely.

How Authentication Middleware Works
_
Our middleware handles two types of authentication:_

API Keys: If an API key is included in the request, it’s checked against a stored value.

JWTs: If no API key is found, the system looks for a JWT token in the Authorization header, validates it, and checks the user's permissions.

Here’s the authMiddleware.js in action:

import Configs from '../configs/config.js';
import { verifyAccessToken } from '../helpers/tokenManager.js';
import errorHandler from '../helpers/errorHandler.js';

export default function authMiddleware(requiredRoles = []) {
  return async (req, res, next) => {
    try {
      const authHeader = req.headers.authorization;
      const apiKeyHeader = req.headers['x-api-key'];

      if (apiKeyHeader) {
        if (!Configs?.X_API_KEY_DEV) {
          throw new Error('NOT_FOUND X_API_KEY_DEV is not set in environment');
        }

        if (apiKeyHeader !== Configs?.X_API_KEY_DEV) {
          throw new Error('FORBIDDEN Invalid or missing x-api-key');
        }
        return next();
      }

      if (!authHeader || !authHeader.startsWith('Bearer ')) {
        throw new Error('UNAUTHORIZED Authentication token is missing or malformed.');
      }

      const token = authHeader.replace('Bearer ', '');
      const decoded = await verifyAccessToken(token);

      if (decoded.name === 'TokenExpiredError') {
        throw new Error('UNAUTHORIZED Token expired.');
      }

      if (requiredRoles.length && !requiredRoles.includes('XAPIKEY')) {
        const hasRole = requiredRoles.some(roleNeeded =>
          decoded.roles?.some(role => role.permissions?.includes(roleNeeded))
        );
        if (!hasRole) {
          throw new Error('FORBIDDEN You do not have the required permissions.');
        }
      }

      req.user_id = decoded.sub || null;
      return next();
    } catch (err) {
      const error = errorHandler(err);
      return res.status(error.code).json({ message: error.message, keyword: error.keyword });
    }
  };
}

How JWT Token Management Works

JWT tokens contain user details and are signed to ensure their validity. To verify a token, we:

Decode its header to get the kid (Key ID).

Fetch the public key from the JWKS endpoint.

Use the key to validate the token’s signature and confirm its authenticity.

Here’s how we handle it in tokenManager.js:

import fs from 'fs';
import path from 'path';
import axios from 'axios';
import jwt from 'jsonwebtoken';
import crypto from 'crypto';
import Configs from '../configs/config.js';

const keysDirPath = path.join(__dirname, '../../keys');
const baseUrl = `${Configs.JWKS_URI}?secret=${Configs.JWKS_SECRET}&kid=`;

export async function verifyAccessToken(token) {
  try {
    const decodedHeader = jwt.decode(token, { complete: true }).header;
    let publicKey = checkLocalKeyDirectory(decodedHeader.kid);
    if (!publicKey) {
      publicKey = await fetchAndSaveKey(decodedHeader.kid);
    }

    const verifyOptions = { issuer: Configs.TOKEN_ISSUER, algorithms: ['RS256'] };
    if (Configs.TOKEN_AUDIENCE) {
      verifyOptions.audience = Configs.TOKEN_AUDIENCE;
    }

    return jwt.verify(token, publicKey, verifyOptions);
  } catch (error) {
    throw error;
  }
}

Best Practices for Secure Authentication

Keep Secrets Safe: Store API keys and JWT secrets in environment variables.

Handle Token Expiry: Implement token refresh to prevent expired tokens from causing issues.

Rate Limit Requests: Prevent API abuse by limiting request frequency per user.

Monitor Authentication Failures: Log failed login attempts for security analysis.

Use Role-Based Access Control (RBAC): Assign permissions based on user roles.

Utilizing Worker Threads in Node.js to Efficiently Facilitate the Upload Process of a File into an Amazon S3 Bucket.

M DISHA SHETTY — Wed, 05 Mar 2025 09:28:04 +0000

LINK FOR FLOWCHART

*How to Implement *

File Upload Process:

The user will upload the file via /upload endpoint and API immediately returns a response: "File uploaded successfully
The file details (path, job_applicant_id) are added to a queue for processing.
A worker thread picks up the file and uploads it to S3 Bucket.
THe Path is stored in Database as well with the path name

Fetching the File:

1.When a user requests the file via and API(fetch/job_applicant_id/filepath) by the path name

2.The API generates a signed URL for temporary access and returns it

IMPLEMENTATION PART:

1. File Upload API
Uses multer to handle file uploads.
Adds the file path to a queue for processing.
Responds immediately without waiting for the file to upload.

const express = require('express');
const multer = require('multer');
const threadController = require('./threadController');

const app = express();
const upload = multer({ dest: 'uploads/' });

app.post('/upload', upload.single('file'), (req, res) => {
    const { job_applicant_id } = req.body;
    const filePath = req.file.path;
    const fileName = req.file.originalname;

    threadController.addToQueue(job_applicant_id, filePath, fileName);
    res.json({ message: 'File uploaded successfully' });
});

app.listen(3000, () => {
    console.log('Server running on port 3000');
});

2. Worker Thread for Uploading to S3
Picks up files from the queue.
Uploads them to S3 under job_applicant_id.

const { isMainThread, parentPort, workerData } = require('worker_threads');
const AWS = require('aws-sdk');
const fs = require('fs');

AWS.config.update({
    accessKeyId: 'AWS_ACCESS_KEY',
    secretAccessKey: 'AWS_SECRET_KEY',
    region: 'us-east-1'
});

const s3 = new AWS.S3();

if (!isMainThread) {
    const { job_applicant_id, filePath, fileName } = workerData;
    const fileStream = fs.createReadStream(filePath);

    const params = {
        Bucket: 'my-file-bucket',
        Key: `${job_applicant_id}/${fileName}`,
        Body: fileStream,
        ContentType: 'application/pdf'
    };

    s3.upload(params).promise()
        .then(data => console.log(`File uploaded: ${data.Location}`))
        .catch(err => console.error(`Upload failed: ${err.message}`));
}

3. Fetch File API
Retrieves a temporary signed URL to access the file.
app.get('/get-file/:job_applicant_id/:file_name', (req, res) => {

` const { job_applicant_id, file_name } = req.params;

    const params = {
        Bucket: 'my-file-bucket',
        Key: `${job_applicant_id}/${file_name}`,
        Expires: 60 * 5 // Link valid for 5 minutes
    };

    const url = s3.getSignedUrl('getObject', params);
    res.json({ url });
});`

DEV Community: M DISHA SHETTY

Making Your Express.js API Secure: Authentication Middleware & Token Management

Utilizing Worker Threads in Node.js to Efficiently Facilitate the Upload Process of a File into an Amazon S3 Bucket.