DEV Community

Cover image for Node.js Express Login example with MongoDB
Tien Nguyen
Tien Nguyen

Posted on • Updated on

Node.js Express Login example with MongoDB

In this tutorial, we're gonna build a Node.js & MongoDB example that supports User Authentication (Login, Registation) & Authorization with JSONWebToken (JWT). You'll know:

  • Appropriate Flow for User Signup & User Login with JWT Authentication
  • Node.js Express Architecture with CORS, Authenticaton & Authorization middlewares, Mongoose ODM
  • Way to configure Express routes to work with JWT
  • How to define Mongoose Models for Authentication and Authorization
  • How to use Mongoose to interact with MongoDB Database

Full Article:

Update: using HttpOnly cookies

Token Based Authentication

Comparing with Session-based Authentication that need to store Session on Cookie, the big advantage of Token-based Authentication is that we store the JSON Web Token (JWT) on Client side: Local Storage for Browser, Keychain for IOS and SharedPreferences for Android… So we don’t need to build another backend project that supports Native Apps or an additional Authentication module for Native App users.

Alt Text

There are three important parts of a JWT: Header, Payload, Signature. Together they are combined to a standard structure: header.payload.signature.

The Client typically attaches JWT in Authorization header with Bearer prefix:

Authorization: Bearer [header].[payload].[signature]
Enter fullscreen mode Exit fullscreen mode

Or only in x-access-token header:

x-access-token: [header].[payload].[signature]
Enter fullscreen mode Exit fullscreen mode

For more details, you can visit:
In-depth Introduction to JWT-JSON Web Token

Node.js Login & Registration with MongoDB example

We will build a Node.js Express application in that:

  • User can signup new account, or login with username & password.
  • By User's role (admin, moderator, user), we authorize the User to access resources

These are APIs that we need to provide:

  • POST /api/auth/signup signup new account
  • POST /api/auth/signin login an account
  • GET /api/test/all retrieve public content
  • GET /api/test/user access User's content
  • GET /api/test/mod access Moderator's content
  • GET /api/test/admin access Admin's content

Flow for Signup & Login with JWT Authentication

The diagram shows flow of User Registration, User Login and Authorization process.


A legal JWT must be added to HTTP x-access-token Header if Client accesses protected resources.

You may need to implement Refresh Token like this:


More details at: Node.js and MongoDB: JWT Refresh Token example

Update: using HttpOnly cookies

Node.js Login & Registration system with MongoDB Architecture

You can have an overview of our Node.js Express App with the diagram below:


Via Express routes, HTTP request that matches a route will be checked by CORS Middleware before coming to Security layer. Security layer includes:

  • JWT Authentication Middleware: verify SignUp, verify token
  • Authorization Middleware: check User's roles with record in database

An error message will be sent as HTTP response to Client when the middlewares throw any error, . Controllers interact with MongoDB Database via Mongoose library and send HTTP response (token, user information, data based on roles...) to Client.

For more details, implementation and Github, please visit:

Further Reading

Related Posts:

You may need to implement Refresh Token like this:


More details at: Node.js and MongoDB: JWT Refresh Token example

Front-end that works well with this:

Docker Compose: Node.js Express and MongoDB example

Top comments (5)

mlippert profile image
Mike Lippert • Edited

I saw the comments by Yasser-Massoud and Muco Rolle Tesor but neither explain why they think httpOnly cookies are a better storage option for a JWT.
As it is important to understand the reasoning behind your decision, I did some googling and found this really good explanation:

tassoman profile image

It's better to store JWT in the cookie storage httpOnly and secure.
So that you can scope it inside the domain, expire in a few minutes and transport by ssl

mucorolle profile image
Muco Rolle Tresor

I think is best practice to store JWT in httpOnly cookie

yassermassoud profile image

it's better to store jwt in httpOnly cookie

mlippert profile image
Mike Lippert

BTW I didn't say this before but I meant to...I really liked your article, it was clear, easy to follow and explained things well. Thanks.