DEV Community: Romeovcn The latest articles on DEV Community by Romeovcn (@romeovcn). https://dev.to/romeovcn https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F691719%2F0948fa16-d116-45c8-80f0-f72115a567ce.png DEV Community: Romeovcn https://dev.to/romeovcn en How to make a JWT cookie work in local Romeovcn Tue, 24 Aug 2021 09:18:12 +0000 https://dev.to/romeovcn/how-to-make-a-jwt-cookie-that-work-in-local-48g6 https://dev.to/romeovcn/how-to-make-a-jwt-cookie-that-work-in-local-48g6 <p>When I was making authentification cookies I couldn't find clear help for both client and server side. So to prevent you from wasting time like me, I'm making this article :</p> <h1> Login </h1> <h3> 1. Client side request </h3> <p>This fetch request send the information typed by the user to verify if the name and the password are correct and receive a response back which is the JWT cookie.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code> <span class="kd">const</span> <span class="nx">response</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">fetch</span><span class="p">(</span><span class="dl">"</span><span class="s2">http://127.0.0.1:8080/user/signin</span><span class="dl">"</span><span class="p">,</span> <span class="p">{</span> <span class="na">method</span><span class="p">:</span> <span class="dl">"</span><span class="s2">POST</span><span class="dl">"</span><span class="p">,</span> <span class="na">credentials</span><span class="p">:</span> <span class="dl">"</span><span class="s2">include</span><span class="dl">"</span><span class="p">,</span> <span class="na">headers</span><span class="p">:</span> <span class="p">{</span> <span class="dl">"</span><span class="s2">content-type</span><span class="dl">"</span><span class="p">:</span> <span class="dl">"</span><span class="s2">application/json</span><span class="dl">"</span><span class="p">,</span> <span class="p">},</span> <span class="na">body</span><span class="p">:</span> <span class="nx">JSON</span><span class="p">.</span><span class="nx">stringify</span><span class="p">({</span> <span class="na">pseudo</span><span class="p">:</span> <span class="nx">pseudo</span><span class="p">,</span> <span class="na">password</span><span class="p">:</span> <span class="nx">password</span><span class="p">,</span> <span class="p">}),</span> <span class="p">})</span> <span class="p">.</span><span class="nx">then</span><span class="p">((</span><span class="nx">res</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="nx">res</span><span class="p">.</span><span class="nx">json</span><span class="p">())</span> <span class="p">.</span><span class="nx">then</span><span class="p">((</span><span class="nx">data</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="nx">console</span><span class="p">.</span><span class="nx">log</span><span class="p">(</span><span class="nx">data</span><span class="p">);</span> <span class="p">});</span> </code></pre> </div> <p>I've seen a lot of people say "my cookie is working only on postman but not on my local server". The answer to this problem is the CORS (Cross-origin resource sharing) options.</p> <p>The important part here is <code>credentials: "include",</code> it allows you to send cookies even if the URL or the port of the request is different from the response one. In opposite to "same-origin" which is the default value.</p> <h3> 2. CORS options </h3> <p>But for it to work you also need to set two CORS options :<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code> <span class="nx">app</span><span class="p">.</span><span class="nx">use</span><span class="p">(</span> <span class="nx">cors</span><span class="p">({</span> <span class="na">origin</span><span class="p">:</span> <span class="p">[</span><span class="dl">"</span><span class="s2">http://127.0.0.1:8080</span><span class="dl">"</span><span class="p">,</span> <span class="dl">"</span><span class="s2">http://127.0.0.1:5500</span><span class="dl">"</span><span class="p">],</span> <span class="na">credentials</span><span class="p">:</span> <span class="kc">true</span><span class="p">,</span> <span class="p">})</span> <span class="p">);</span> </code></pre> </div> <p><strong>origin :</strong> By default, pages with different URL cannot access to each other. Using <code>origin: ["http://127.0.0.1:8080", "http://127.0.0.1:5500"],</code> will add the two host URL to the Access-Control-Allow-Origin header allowing you to make request between them.</p> <p><strong>credentials :</strong> As i said, by default CORS does not include cookies on cross-origin requests so they can only go to origins from which they came.</p> <h3> 3. Controller </h3> <p>We now make our controller that check if the user information is correct, create the JWT token with the user id and create the cookie with the JWT token.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="kd">const</span> <span class="nx">JWT_MAX_AGE</span> <span class="o">=</span> <span class="mi">1000</span> <span class="o">*</span> <span class="mi">60</span> <span class="o">*</span> <span class="mi">60</span> <span class="o">*</span> <span class="mi">24</span> <span class="o">*</span> <span class="mi">30</span><span class="p">;</span> <span class="c1">// 30 days in ms</span> <span class="nx">router</span><span class="p">.</span><span class="nx">post</span><span class="p">(</span><span class="dl">"</span><span class="s2">/login</span><span class="dl">"</span><span class="p">,</span> <span class="k">async</span> <span class="p">(</span><span class="nx">req</span><span class="p">,</span> <span class="nx">res</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="k">if</span> <span class="p">(</span><span class="o">!</span><span class="nx">req</span><span class="p">.</span><span class="nx">body</span><span class="p">.</span><span class="nx">pseudo</span><span class="p">)</span> <span class="k">return</span> <span class="nx">res</span><span class="p">.</span><span class="nx">status</span><span class="p">(</span><span class="mi">400</span><span class="p">).</span><span class="nx">send</span><span class="p">({</span> <span class="na">ok</span><span class="p">:</span> <span class="kc">false</span><span class="p">,</span> <span class="na">error</span><span class="p">:</span> <span class="dl">"</span><span class="s2">Please provide a pseudo</span><span class="dl">"</span> <span class="p">});</span> <span class="k">if</span> <span class="p">(</span><span class="o">!</span><span class="nx">req</span><span class="p">.</span><span class="nx">body</span><span class="p">.</span><span class="nx">password</span><span class="p">)</span> <span class="k">return</span> <span class="nx">res</span><span class="p">.</span><span class="nx">status</span><span class="p">(</span><span class="mi">400</span><span class="p">).</span><span class="nx">send</span><span class="p">({</span> <span class="na">ok</span><span class="p">:</span> <span class="kc">false</span><span class="p">,</span> <span class="na">error</span><span class="p">:</span> <span class="dl">"</span><span class="s2">Please provide a password</span><span class="dl">"</span> <span class="p">});</span> <span class="kd">const</span> <span class="nx">user</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">UserObject</span><span class="p">.</span><span class="nx">findOne</span><span class="p">({</span> <span class="na">pseudo</span><span class="p">:</span> <span class="nx">req</span><span class="p">.</span><span class="nx">body</span><span class="p">.</span><span class="nx">pseudo</span> <span class="p">});</span> <span class="k">if</span> <span class="p">(</span><span class="o">!</span><span class="nx">user</span><span class="p">)</span> <span class="k">return</span> <span class="nx">res</span><span class="p">.</span><span class="nx">status</span><span class="p">(</span><span class="mi">400</span><span class="p">).</span><span class="nx">send</span><span class="p">({</span> <span class="na">ok</span><span class="p">:</span> <span class="kc">false</span><span class="p">,</span> <span class="na">error</span><span class="p">:</span> <span class="dl">"</span><span class="s2">User does not exist</span><span class="dl">"</span> <span class="p">});</span> <span class="k">if</span> <span class="p">(</span><span class="nx">req</span><span class="p">.</span><span class="nx">body</span><span class="p">.</span><span class="nx">password</span> <span class="o">!==</span> <span class="nx">user</span><span class="p">.</span><span class="nx">password</span><span class="p">)</span> <span class="k">return</span> <span class="nx">res</span><span class="p">.</span><span class="nx">status</span><span class="p">(</span><span class="mi">400</span><span class="p">).</span><span class="nx">send</span><span class="p">({</span> <span class="na">ok</span><span class="p">:</span> <span class="kc">false</span><span class="p">,</span> <span class="na">error</span><span class="p">:</span> <span class="dl">"</span><span class="s2">Authentification is incorrect</span><span class="dl">"</span> <span class="p">});</span> <span class="c1">// create a JWT token with the user id</span> <span class="kd">const</span> <span class="nx">token</span> <span class="o">=</span> <span class="nx">jwt</span><span class="p">.</span><span class="nx">sign</span><span class="p">({</span> <span class="na">_id</span><span class="p">:</span> <span class="nx">user</span><span class="p">.</span><span class="nx">_id</span> <span class="p">},</span> <span class="dl">"</span><span class="s2">your-secret-key</span><span class="dl">"</span><span class="p">,</span> <span class="p">{</span> <span class="na">expiresIn</span><span class="p">:</span> <span class="nx">JWT_MAX_AGE</span> <span class="p">});</span> <span class="c1">// create a cookie with the jwt token</span> <span class="nx">res</span><span class="p">.</span><span class="nx">cookie</span><span class="p">(</span><span class="dl">"</span><span class="s2">jwt</span><span class="dl">"</span><span class="p">,</span> <span class="nx">token</span><span class="p">,</span> <span class="p">{</span> <span class="na">maxAge</span><span class="p">:</span> <span class="nx">JWT_MAX_AGE</span><span class="p">,</span> <span class="na">httpOnly</span><span class="p">:</span> <span class="kc">true</span><span class="p">,</span> <span class="na">secure</span><span class="p">:</span> <span class="kc">true</span> <span class="p">});</span> <span class="k">return</span> <span class="nx">res</span><span class="p">.</span><span class="nx">status</span><span class="p">(</span><span class="mi">200</span><span class="p">).</span><span class="nx">send</span><span class="p">({</span> <span class="na">ok</span><span class="p">:</span> <span class="kc">true</span><span class="p">,</span> <span class="na">token</span><span class="p">:</span> <span class="dl">"</span><span class="s2">JWT </span><span class="dl">"</span> <span class="o">+</span> <span class="nx">token</span> <span class="p">});</span> <span class="p">});</span> </code></pre> </div> <p>Make sure to store your token secret key in a secure file (.env).</p> <p>You can set some options to your cookies to make it more secure against XSS attacks for exemple :</p> <p>httpOnly : Flags the cookie to be accessible only by the web server and not via JavaScript in the browser.</p> <p>secure : Marks the cookie to be used only by HTTPS protocol and not by HTTP. (except on localhost)</p> <p>maxAge : option for setting the expiry time relative to the current time in milliseconds.</p> <h2> Display user informations </h2> <h3> 1. Passport </h3> <p>Once you're logged in, we want to manage route authorization. So we need to get the value of the desired cookie and decrypt the JWT token to get the user id. To do this we will need <a href="https://www.passportjs.org/packages/passport-jwt/.">Passport-JWT strategy</a>, which has also the nice feature to add the DB user in the request object, so that it's available in the controller afterwards.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="kd">const</span> <span class="nx">passport</span> <span class="o">=</span> <span class="nx">require</span><span class="p">(</span><span class="dl">"</span><span class="s2">passport</span><span class="dl">"</span><span class="p">);</span> <span class="kd">const</span> <span class="nx">config</span> <span class="o">=</span> <span class="nx">require</span><span class="p">(</span><span class="dl">"</span><span class="s2">./config</span><span class="dl">"</span><span class="p">);</span> <span class="kd">const</span> <span class="nx">JwtStrategy</span> <span class="o">=</span> <span class="nx">require</span><span class="p">(</span><span class="dl">"</span><span class="s2">passport-jwt</span><span class="dl">"</span><span class="p">).</span><span class="nx">Strategy</span><span class="p">;</span> <span class="c1">// load up the user model</span> <span class="kd">const</span> <span class="nx">User</span> <span class="o">=</span> <span class="nx">require</span><span class="p">(</span><span class="dl">"</span><span class="s2">./models/user</span><span class="dl">"</span><span class="p">);</span> <span class="kd">const</span> <span class="nx">cookieExtractor</span> <span class="o">=</span> <span class="kd">function</span> <span class="p">(</span><span class="nx">req</span><span class="p">)</span> <span class="p">{</span> <span class="kd">let</span> <span class="nx">token</span> <span class="o">=</span> <span class="kc">null</span><span class="p">;</span> <span class="k">if</span> <span class="p">(</span><span class="nx">req</span> <span class="o">&amp;&amp;</span> <span class="nx">req</span><span class="p">.</span><span class="nx">cookies</span><span class="p">)</span> <span class="nx">token</span> <span class="o">=</span> <span class="nx">req</span><span class="p">.</span><span class="nx">cookies</span><span class="p">[</span><span class="dl">"</span><span class="s2">jwt</span><span class="dl">"</span><span class="p">];</span> <span class="k">return</span> <span class="nx">token</span><span class="p">;</span> <span class="c1">// return the value of the cookie named jwt</span> <span class="p">};</span> <span class="nx">module</span><span class="p">.</span><span class="nx">exports</span> <span class="o">=</span> <span class="p">(</span><span class="nx">app</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="nx">passport</span><span class="p">.</span><span class="nx">use</span><span class="p">(</span> <span class="dl">"</span><span class="s2">user</span><span class="dl">"</span><span class="p">,</span> <span class="k">new</span> <span class="nx">JwtStrategy</span><span class="p">(</span> <span class="p">{</span> <span class="na">jwtFromRequest</span><span class="p">:</span> <span class="nx">cookieExtractor</span><span class="p">,</span> <span class="c1">// JWT token value</span> <span class="na">secretOrKey</span><span class="p">:</span> <span class="dl">"</span><span class="s2">your-secret-key</span><span class="dl">"</span><span class="p">,</span> <span class="p">},</span> <span class="k">async</span> <span class="kd">function</span> <span class="p">(</span><span class="nx">jwtPayload</span><span class="p">,</span> <span class="nx">done</span><span class="p">)</span> <span class="p">{</span> <span class="k">try</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">user</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">User</span><span class="p">.</span><span class="nx">findById</span><span class="p">(</span><span class="nx">jwtPayload</span><span class="p">.</span><span class="nx">_id</span><span class="p">);</span> <span class="k">if</span> <span class="p">(</span><span class="nx">user</span><span class="p">)</span> <span class="k">return</span> <span class="nx">done</span><span class="p">(</span><span class="kc">null</span><span class="p">,</span> <span class="nx">user</span><span class="p">);</span> <span class="p">}</span> <span class="k">catch</span> <span class="p">(</span><span class="nx">e</span><span class="p">)</span> <span class="p">{</span> <span class="nx">console</span><span class="p">.</span><span class="nx">log</span><span class="p">(</span><span class="dl">"</span><span class="s2">error passport</span><span class="dl">"</span><span class="p">,</span> <span class="nx">e</span><span class="p">);</span> <span class="p">}</span> <span class="k">return</span> <span class="nx">done</span><span class="p">(</span><span class="kc">null</span><span class="p">,</span> <span class="kc">false</span><span class="p">);</span> <span class="p">}</span> <span class="p">)</span> <span class="p">);</span> <span class="nx">app</span><span class="p">.</span><span class="nx">use</span><span class="p">(</span><span class="nx">passport</span><span class="p">.</span><span class="nx">initialize</span><span class="p">());</span> <span class="p">};</span> </code></pre> </div> <p>If the token is properly decrypted and not expired, we will try to get the user from the database, and if a user exists, passport will add this user in the request object.<br> Otherwise, passport will reject the request by sending something like <code>res.status(401).send({ ok: false, error: 'Unauthorized' })</code></p> <h3> 2. Controller </h3> <p>And the result route to display the user informations<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="nx">router</span><span class="p">.</span><span class="kd">get</span><span class="p">(</span> <span class="dl">"</span><span class="s2">/result</span><span class="dl">"</span><span class="p">,</span> <span class="nx">passport</span><span class="p">.</span><span class="nx">authenticate</span><span class="p">(</span><span class="dl">"</span><span class="s2">user</span><span class="dl">"</span><span class="p">,</span> <span class="p">{</span> <span class="na">session</span><span class="p">:</span> <span class="kc">false</span> <span class="p">}),</span> <span class="nx">catchErrors</span><span class="p">(</span><span class="k">async</span> <span class="p">(</span><span class="nx">req</span><span class="p">,</span> <span class="nx">res</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="nx">console</span><span class="p">.</span><span class="nx">log</span><span class="p">(</span><span class="nx">req</span><span class="p">.</span><span class="nx">user</span><span class="p">,</span> <span class="dl">"</span><span class="s2">Identified user</span><span class="dl">"</span><span class="p">);</span> <span class="nx">res</span><span class="p">.</span><span class="nx">status</span><span class="p">(</span><span class="mi">200</span><span class="p">).</span><span class="nx">send</span><span class="p">({</span> <span class="na">ok</span><span class="p">:</span> <span class="kc">true</span><span class="p">,</span> <span class="na">data</span><span class="p">:</span> <span class="nx">req</span><span class="p">.</span><span class="nx">user</span> <span class="p">});</span> <span class="p">})</span> <span class="p">);</span> </code></pre> </div> <h2> Logout </h2> <h3> 1. Client side request </h3> <p>We can now make our Logout route.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code> <span class="kd">const</span> <span class="nx">response</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">fetch</span><span class="p">(</span><span class="dl">"</span><span class="s2">http://127.0.0.1:8080/user/logout</span><span class="dl">"</span><span class="p">,</span> <span class="p">{</span> <span class="na">method</span><span class="p">:</span> <span class="dl">"</span><span class="s2">GET</span><span class="dl">"</span><span class="p">,</span> <span class="na">credentials</span><span class="p">:</span> <span class="dl">"</span><span class="s2">include</span><span class="dl">"</span><span class="p">,</span> <span class="p">})</span> <span class="p">.</span><span class="nx">then</span><span class="p">((</span><span class="nx">res</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="nx">res</span><span class="p">.</span><span class="nx">json</span><span class="p">())</span> <span class="p">.</span><span class="nx">then</span><span class="p">((</span><span class="nx">data</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="nx">console</span><span class="p">.</span><span class="nx">log</span><span class="p">(</span><span class="nx">data</span><span class="p">);</span> <span class="p">});</span> </code></pre> </div> <p>This fetch function load our logout route and clear our cookie.</p> <h3> 2. Controller </h3> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="nx">router</span><span class="p">.</span><span class="kd">get</span><span class="p">(</span> <span class="dl">"</span><span class="s2">/logout</span><span class="dl">"</span><span class="p">,</span> <span class="nx">catchErrors</span><span class="p">(</span><span class="k">async</span> <span class="p">(</span><span class="nx">req</span><span class="p">,</span> <span class="nx">res</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="c1">// delete the cookie with the name jwt</span> <span class="nx">res</span><span class="p">.</span><span class="nx">clearCookie</span><span class="p">(</span><span class="dl">"</span><span class="s2">jwt</span><span class="dl">"</span><span class="p">,</span> <span class="p">{});</span> <span class="nx">res</span><span class="p">.</span><span class="nx">status</span><span class="p">(</span><span class="mi">200</span><span class="p">).</span><span class="nx">send</span><span class="p">({</span> <span class="na">message</span><span class="p">:</span> <span class="dl">"</span><span class="s2">Successfully logged out</span><span class="dl">"</span> <span class="p">});</span> <span class="p">})</span> <span class="p">);</span> </code></pre> </div> <p>Make sure to secure your CORS options before sending to production. You can easily find good articles about that.</p> <p>You can find all the files in my <a href="https://github.com/Romeovcn/jwt-token-cookie">github repository</a></p> <p>Hope this helped.</p> javascript node