Nodejs User Authentication With Jwt Complete Guide

 Last Update:2025-06-22T00:00:00     .NET School AI Teacher - SELECT ANY TEXT TO EXPLANATION.    10 mins read      Difficulty-Level: beginner

Understanding the Core Concepts of NodeJS User Authentication with JWT

NodeJS User Authentication with JWT

Understanding JWT

JWT (JSON Web Tokens) are compact, URL-safe tokens structured in JSON format. These tokens can be used to transfer information securely between two parties. A JWT consists of three parts:

  1. Header: Contains metadata about the token (e.g., algorithm type).
  2. Payload: Holds the user data that needs to be sent (e.g., user ID).
  3. Signature: A combination of the header, payload, a secret key, and the specified algorithm, ensuring data integrity.

Setting Up Node.js Environment

Before implementing JWT authentication, ensure your Node.js environment is correctly set up:

  1. Initialize Node.js Project

    mkdir jwt-auth-app
cd jwt-auth-app
npm init -y

  2. Install Dependencies

    npm i express bcryptjs jsonwebtoken dotenv
    • express - Web server framework.
    • bcryptjs - Library to hash passwords securely.
    • jsonwebtoken - Library for generating and verifying JWTs.
    • dotenv - Load environment variables from a .env file.

Setting Up Express Server

  1. Create index.js for server setup 
    const express = require('express');
const dotenv = require('dotenv');
dotenv.config();
const app = express();

app.use(express.json());

const PORT = process.env.PORT || 3000;
app.listen(PORT, () => {
  console.log(`Server running on port ${PORT}`);
});
  2. Environment Variables Create a .env file to store sensitive data. 
    PORT=3000
SECRET_KEY=yoursecretpassword

User Registration

  1. Sample User Data For simplicity, we'll store user data in memory. In a real-world application, this would be a database.

    const users = [];
const User = ({ username, password }) => ({ username, password: bcrypt.hashSync(password, bcrypt.genSaltSync(10)) });

  2. Create Registration Route

    app.post('/api/register', (req, res) => {
  const username = req.body.username;
  const password = req.body.password;

  if (!username || !password) {
    return res.status(400).send('Username or password is required.');
  }

  if (users.find(user => user.username === username)) {
    return res.status(409).send('Username already exists.');
  }

  const user = new User({ username, password });
  users.push(user);
  res.status(201).send('User registered successfully!');
});

User Login

  1. Create Login Route 
    app.post('/api/login', (req, res) => {
  const username = req.body.username;
  const password = req.body.password;

  const user = users.find(user => user.username === username);

  if (!user || !bcrypt.compareSync(password, user.password)) {
    return res.status(401).send('Invalid username or password.');
  }

  const token = jwt.sign({ username: user.username }, process.env.SECRET_KEY, { expiresIn: '1h' });
  res.status(200).json({ token });
});

Middleware for Protected Routes

  1. Create Middleware to Verify JWT

    const verifyToken = (req, res, next) => {
  const authHeader = req.headers['authorization'];
  const token = authHeader && authHeader.split(' ')[1];

  if (token == null) {
    return res.sendStatus(401);
  }

  jwt.verify(token, process.env.SECRET_KEY, (err, user) => {
    if (err) {
      return res.sendStatus(403);
    }
    req.user = user;
    next();
  });
};

  2. Apply Middleware to a Protected Route

    app.get('/api/userinfo', verifyToken, (req, res) => {
  res.json(req.user);
});

Error Handling and Logging

For a robust application, ensure proper error handling and logging mechanisms:

  1. Sample Error Handling

    app.use((err, req, res, next) => {
  console.error(err.stack);
  res.status(500).send('Something broke!');
});

  2. Logging Middleware Implement logging for requests and responses. Libraries like morgan can be used for this purpose.

Conclusion

Online Code run

🔔 Note: Select your programming language to check or run code at

💻 Run Code Compiler

Step-by-Step Guide: How to Implement NodeJS User Authentication with JWT

Prerequisites

  1. Node.js and npm installed on your machine.
  2. Basic knowledge of JavaScript and Node.js.
  3. MongoDB setup (you can use a local instance or MongoDB Atlas for cloud-based MongoDB).

Step 1: Initialize the Project

Create a new directory for your project and initialize it with npm:

mkdir jwt-auth-example
cd jwt-auth-example
npm init -y

Step 2: Install Dependencies

Install the necessary packages, including express, mongoose, jsonwebtoken, and bcryptjs for hashing passwords:

npm install express mongoose jsonwebtoken bcryptjs body-parser dotenv
  • express: For setting up the server routes.
  • mongoose: For interacting with MongoDB.
  • jsonwebtoken: For creating and verifying JSON Web Tokens.
  • bcryptjs: For hashing and comparing passwords.
  • body-parser: To parse incoming request bodies.
  • dotenv: To manage environment variables.

Step 3: Set Up Environment Variables

Create a .env file to store your sensitive information:

PORT=3000
DBConnectionString=mongodb://localhost:27017/auth_example
JWT_SECRET=yoursecretkey

Replace DBConnectionString and JWT_SECRET with your MongoDB connection string and a secret key respectively.

Step 4: Create the Server

Create an index.js file to set up and start our Express server.

const express = require('express');
const mongoose = require('mongoose');
const bodyParser = require('body-parser');
require('dotenv').config();

const app = express();

// Middleware
app.use(bodyParser.json());

// Connect to MongoDB
mongoose.connect(process.env.DBConnectionString, { useNewUrlParser: true, useUnifiedTopology: true })
    .then(() => console.log('MongoDB connected successfully'))
    .catch(err => console.error('MongoDB connection error:', err));

const PORT = process.env.PORT || 5000;
app.listen(PORT, () => {
    console.log(`Server started on port ${PORT}`);
});

Step 5: Define the User Model

Create a models folder and inside it a User.js file to define the user schema and model.

const mongoose = require('mongoose');

const UserSchema = new mongoose.Schema({
    username: {
        type: String,
        required: true,
        unique: true
    },
    email: {
        type: String,
        required: true,
        unique: true
    },
    password: {
        type: String,
        required: true
    }
});

module.exports = mongoose.model('User', UserSchema);

Step 6: Create Routes for Registration and Login

Create a routes folder and inside it auth.js file to handle registration and login logic.

const express = require('express');
const bcrypt = require('bcryptjs');
const jwt = require('jsonwebtoken');
const router = express.Router();
const User = require('../models/User');

// Registration Route
router.post('/register', async (req, res) => {
    try {
        const { username, email, password } = req.body;

        // Check if the user already exists
        let user = await User.findOne({ email: email });
        if (user) return res.status(400).json({ msg: 'User already exists' });

        // Create new user object
        user = new User({
            username,
            email,
            password
        });

        // Hash the password before saving the user
        const salt = await bcrypt.genSalt(10);
        user.password = await bcrypt.hash(password, salt);

        // Save the user to the database
        await user.save();

        // Create JWT payload
        const payload = {
            id: user.id
        };

        // Sign the JWT token
        jwt.sign(payload, process.env.JWT_SECRET, { expiresIn: '1h' }, (err, token) => {
            if (err) throw err;
            res.json({ token });
        });
        
    } catch (err) {
        console.error(err.message);
        res.status(500).send('Server error');
    }
});

// Login Route
router.post('/login', async (req, res) => {
    try {
        const { email, password } = req.body;

        // Check if the user exists
        let user = await User.findOne({ email: email });
        if (!user) return res.status(400).json({ msg: 'Invalid Credentials' });

        // Validate password
        const isMatch = await bcrypt.compare(password, user.password);
        if (!isMatch) return res.status(400).json({ msg: 'Invalid Credentials' });

        // Create JWT payload
        const payload = {
            id: user.id
        };

        // Sign the JWT token
        jwt.sign(payload, process.env.JWT_SECRET, { expiresIn: '1h' }, (err, token) => {
            if (err) throw err;
            res.json({ token });
        });
    } catch (err) {
        console.error(err.message);
        res.status(500).send('Server error');
    }
});

module.exports = router;

Step 7: Integrate Routes

Include these routes in your main index.js file.

const express = require('express');
const mongoose = require('mongoose');
const bodyParser = require('body-parser');
require('dotenv').config();

const app = express();

// Middleware
app.use(bodyParser.json());

// Connect to MongoDB
mongoose.connect(process.env.DBConnectionString, { useNewUrlParser: true, useUnifiedTopology: true })
    .then(() => console.log('MongoDB connected successfully'))
    .catch(err => console.error('MongoDB connection error:', err));

// Import the auth routes
const authRoutes = require('./routes/auth');
app.use('/api/auth', authRoutes);

const PORT = process.env.PORT || 5000;
app.listen(PORT, () => {
    console.log(`Server started on port ${PORT}`);
});

Step 8: Verify JWT Token Middleware

Create a middleware function to verify the JWT token. This will protect our private routes.

Create a middleware folder and inside it a auth.js file.

const jwt = require('jsonwebtoken');
require('dotenv').config();

function auth(req, res, next) {
    const token = req.header('x-auth-token');

    // Check if no token
    if (!token) return res.status(401).json({ msg: 'No token, authorization denied!' });

    // Verify token
    try {
        const decoded = jwt.verify(token, process.env.JWT_SECRET);
        req.user = decoded;
        next();
    } catch (err) {
        res.status(401).json({ msg: 'Token is not valid!' });
    }
}

module.exports = auth;

Step 9: Create Protected Routes

Now that we have middleware to check the JWT token, let's create some protected routes.

In the routes folder, create a file called protectedRoutes.js.

const express = require('express');
const authMiddleware = require('../middleware/auth');
const router = express.Router();

// Protected route
router.get('/profile', authMiddleware, async (req, res) => {
    try {
        const user = await User.findById(req.user.id).select('-password');
        res.json(user);
    } catch (err) {
        console.error(err.message);
        res.status(500).send('Server Error');
    }
});

module.exports = router;

Update the index.js to include these routes.

const express = require('express');
const mongoose = require('mongoose');
const bodyParser = require('body-parser');
require('dotenv').config();

const app = express();

// Middleware
app.use(bodyParser.json());

// Connect to MongoDB
mongoose.connect(process.env.DBConnectionString, { useNewUrlParser: true, useUnifiedTopology: true })
    .then(() => console.log('MongoDB connected successfully'))
    .catch(err => console.error('MongoDB connection error:', err));

// Import the auth routes
const authRoutes = require('./routes/auth');
app.use('/api/auth', authRoutes);

// Import the protected routes
const protectedRoutes = require('./routes/protectedRoutes');
app.use('/api/private', protectedRoutes);

const PORT = process.env.PORT || 5000;
app.listen(PORT, () => {
    console.log(`Server started on port ${PORT}`);
});

Step 10: Test the Application

You can use tools like Postman or curl to test your API endpoints:

Register a New User

Send a POST request to http://localhost:3000/api/auth/register with JSON body:

{
    "username": "exampleuser",
    "email": "user@example.com",
    "password": "securepassword"
}

Login and Get JWT Token

Send another POST request to http://localhost:3000/api/auth/login with the same user credentials.

Access Protected Route

Use the JWT token from the login response to access the protected /api/private/profile endpoint.

Send a GET request to http://localhost:3000/api/private/profile with the header:

x-auth-token: <token_received_from_login>

If the token is correct and the user exists, you should get the user's profile information.

Conclusion

In this example, we've covered the basics of user registration, login, and using JWT for protecting routes in a Node.js application. You can expand on this example by adding features like email verification, password reset, role-based access control, etc.

Top 10 Interview Questions & Answers on NodeJS User Authentication with JWT

Top 10 Questions and Answers on Node.js User Authentication with JWT

  • Answer: JSON Web Token (JWT) is an open standard (RFC 7519) that defines a compact and self-contained way for securely transmitting information between parties as a JSON object. This information can be verified and trusted because it is digitally signed. JWTs are commonly used for authentication and authorization purposes in stateless server architectures like those based on Node.js. They provide a mechanism to encode user sessions and ensure secure access without needing server-side session storage.

2. How does JWT work in Node.js for user authentication?

  • Answer: In Node.js applications, JWTs typically function via the following steps:
    • The user logs into the application.
    • Upon successful login, the server creates a JWT containing the user's identity information, signs it using a secret key or private key, and sends it to the client.
    • The client stores this JWT, usually in local storage or a cookie, and includes it in every subsequent API request header to maintain the session.
    • For each request, the server verifies the authenticity of the JWT using the same secret or public key.
    • If valid, the user is considered authenticated and access to resources controlled by the application is granted based on the token’s payload (such as role).

3. Can you explain how to sign a JWT in Node.js?

  • Answer: To sign a JWT in Node.js, you usually use libraries like jsonwebtoken. Here’s a basic example:

    const jwt = require('jsonwebtoken');
const SECRET_KEY = 'your_secret_key';

// Create a token with user information
function generateToken(user) {
  return jwt.sign({
    id: user.id,
    email: user.email,
    role: user.role
  }, SECRET_KEY, { expiresIn: '1h' });
}

module.exports = generateToken;

    In this snippet, we import the jsonwebtoken package, create a new token including user data (like ID, email), sign it using a secret key stored in SECRET_KEY, and set its expiration time to one hour.

4. How can I decode a JWT in Node.js after receiving it from the client?

  • Answer: Decoding a JWT in Node.js usually involves verifying the signature and decoding the payload. Here’s an example:

    const jwt = require('jsonwebtoken');
const SECRET_KEY = 'your_secret_key';

function verifyToken(req, res, next) {
  try {
    // Extract token from headers or cookies
    const token = req.headers.authorization.split(' ')[1]; // assuming format: Bearer <token>

    // Verify and decode token
    const decoded = jwt.verify(token, SECRET_KEY);
    req.user = decoded; // attach decoded data to request object
    next();               // proceed to the next middleware
  } catch(err) {
    // Invalid token or expired token
    return res.status(401).json({ error: 'Invalid or expired token' });
  }
}

module.exports = verifyToken;

    We use the jwt.verify() method which will throw an error if the token is invalid or expired. Otherwise, it returns the decoded token payload that we can then utilize in our application logic.

5. How to handle JWT expiration in user authentication?

  • Answer: When generating a JWT, you can specify an expiration claim (exp) indicating when the token should expire. Upon receipt, your verify middleware function checks whether the token has expired before continuing processing requests. If expired, it should return an error response, prompting users to log back in.

    Example during token creation:

    jwt.sign({ ...userData }, SECRET_KEY, { expiresIn: '30d' });

    The expiresIn option sets a duration after which the token will become invalid. Common units include seconds, minutes, hours ('1y', '6mo', '2w', '30d', '1h', '3m').

6. Are there security concerns with using JWT for authentication?

  • Answer: While JWTs offer many benefits, several security issues must be addressed:
    • Secret Key Storage: Always keep your signing secret safe and never expose it in the source code.
    • CSRF Vulnerabilities: Ensure to protect against Cross-Site Request Forgery (CSRF) attacks since browsers automatically send cookies along with requests. Consider using additional mechanisms like double-submit cookie pattern.
    • JWT Size: Because tokens carry payload data that needs to fit within HTTP header size limits, avoid embedding long user details.
    • Token Revocation: Since tokens are stateless and not tracked by the server, revoking compromised tokens requires more sophisticated handling such as implementing blacklisting or short-lived tokens coupled with refresh tokens.

7. Should tokens be stored in cookies or local storage?

  • Answer: Whether to store JWTs in local storage or cookies depends on security requirements and the application’s architecture:
    • Local Storage: Easier to use across different domains/subdomains due to lack of automatic inclusion in request headers by the browser but exposes tokens to XSS attacks.
    • Cookies (HttpOnly and Secure flags): Provide better protection from XSS attacks as values aren't accessible through JavaScript; however, they are sent with every request to the specific domain which might expose them to CSRF vulnerabilities without mitigating measures.

8. How do you manage token refresh in a Node.js application?

  • Answer: Token refreshing is crucial for maintaining secure and seamless access while minimizing the need for repeated logins. You would typically implement this workflow as follows:
    • Generate short-lived access tokens and longer-lived refresh tokens upon successful login.
    • Store the refresh token securely, e.g., in HttpOnly cookies.
    • After an access token expires, prompt the user to either log back in manually or perform a token refresh using their refresh token.
    • Validate the refresh token and issue a new access token.

9. How to securely log out a user when using JWTs?

  • Answer: Logging out users with JWT-based systems can be challenging due to the stateless nature of JWTs. Since tokens aren't stored at the server, they cannot be invalidated directly. However, you can adopt strategies such as:
    • Session Termination: Combine JWT with other session management techniques where sessions are maintained on the server alongside tokens.
    • Token Blacklisting: Track issued tokens server-side and mark them as invalid when users log out.
    • Use Short-Lived Access Tokens: Encourage users to re-authenticate frequently, thus minimizing the impact of potentially stolen or maliciously used tokens.
    • HTTPS Connections: Ensure all authentication and token operations occur over secure channels preventing interception.

10. Which packages or frameworks can simplify JWT implementation in Node.js?

  • Answer: Many popular Node.js packages facilitate JWT integration into web applications, providing built-in functionality for token generation, verification, etc. Some widely-used ones include:
    • jsonwebtoken: Core library for creating and validating JWTs.
    • express-jwt: Middleware for Express.js that validates JWTs automatically.
    • passport along with its passport-jwt: Passport.js is a flexible authentication middleware for Node.js. It supports JWTs among numerous other authentication strategies.
    • nodemailer and bcrypt: Although not directly related to JWTs, these packages often complement JWT projects for secure password handling and email notifications.

You May Like This Related .NET Topic

📥 Download Code ▶️ Watch Online 📖 Read Description

Login to post a comment.