Blog | G5 Cyber Security

Node.js Authentication Middleware

TL;DR

This guide shows you how to create authentication middleware in Node.js using Express. The middleware checks that each request carries a valid JSON Web Token (JWT) before allowing access to protected routes.

Prerequisites

Node.js and npm installed, and a basic Express application to attach the middleware to.

Step 1: Install Required Packages

If you haven’t already, install the necessary packages. We’ll use jsonwebtoken for creating and verifying tokens.

npm install jsonwebtoken express

Step 2: Create a Secret Key

You need a secret key to sign your JSON Web Tokens (JWTs). Important: keep this key secure. Don't hardcode it in your source; load it from an environment variable and refuse to start if it is missing. HS256 needs at least 32 bytes of randomness (for example, the output of openssl rand -hex 32): a short or guessable secret can be brute-forced offline from any captured token.

const jwtSecret = process.env.JWT_SECRET; // e.g. generated with: openssl rand -hex 32
if (!jwtSecret) {
  throw new Error('JWT_SECRET environment variable is not set');
}

Step 3: Implement the Authentication Middleware

This middleware function verifies the user's token. It expects the token in the Authorization header using the Bearer scheme.

const jwt = require('jsonwebtoken');

function authenticate(req, res, next) {
  const authHeader = req.headers['authorization'];

  if (!authHeader) {
    return res.status(401).send('No token provided');
  }

  // Expect "Authorization: Bearer <token>"; reject any other scheme or shape.
  const [scheme, token] = authHeader.split(' ');
  if (scheme !== 'Bearer' || !token) {
    return res.status(401).send('Malformed Authorization header');
  }

  // Pin the algorithm so a token claiming a different alg is rejected.
  jwt.verify(token, jwtSecret, { algorithms: ['HS256'] }, (err, user) => {
    if (err) {
      // Covers bad signature, expired token and malformed token alike.
      return res.status(401).send('Invalid token');
    }

    req.user = user; // decoded payload, available to downstream handlers
    next(); // Pass control to the next middleware/route handler
  });
}

Explanation: the middleware reads the Authorization header, requires the Bearer scheme, and hands the token to jwt.verify, which checks the HS256 signature against the secret and rejects expired tokens. On success the decoded payload is stored on req.user. Every failure returns 401 so the client knows it must re-authenticate; the responses deliberately do not say which check failed.

Step 4: Apply Middleware to Protected Routes

Now you can use your authentication middleware to protect specific routes.

const express = require('express');
const app = express();

app.use(express.json()); // parse JSON request bodies (used by the login route below)

// ... (your other route definitions; authenticate is defined above)

app.get('/protected', authenticate, (req, res) => {
  res.send(`Welcome to the protected route, ${req.user.username}!`);
});

Explanation: authenticate runs before the route handler, and the handler only executes if the middleware called next(), so req.user is guaranteed to be set there. Attach the middleware per route, as here, or with app.use() on a router prefix to protect every route under it.

Step 5: Example Token Creation (for testing)

This shows how you might create a token after a successful login. The token must only be issued once the user's credentials have actually been verified.

app.post('/login', (req, res) => {
  // ... (your authentication logic: verify req.body credentials before issuing a token)

  const user = { username: 'testuser' }; // Replace with actual user data; keep the payload small

  jwt.sign(user, jwtSecret, { algorithm: 'HS256', expiresIn: '1h' }, (err, token) => {
    if (err) {
      return res.status(500).send('Token creation failed');
    }
    res.send({ token });
  });
});

Explanation: jwt.sign embeds the payload plus an exp claim one hour ahead and signs it with the same secret the middleware verifies against, so a token will be accepted by authenticate until it expires. Keep the payload free of sensitive data: it is only base64url-encoded, not encrypted, so anyone holding the token can read it.
