Authenticate
Authentication vs Authorization
- Authentication: verifying who the user is (the user has logged in with valid credentials)
- Authorization: checking whether the authenticated user has the permission required for the resource
Generate JWT
const jwt = require('jsonwebtoken');
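// Sign a token with the server's signing key. `expiresIn` adds an `exp` claim so the
// token stops being accepted after the given lifetime; without it the token never
// expires and an expiry check in the middleware has nothing to compare against.
// The payload and the '1h' lifetime are sample values to tune per application.
const accessToken = jwt.sign({ id: '001', username: 'test', role: 'admin' }, process.env.JWTPRIVATEKEY, { expiresIn: '1h' });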
Generate JWT after successful login and return it to the client
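router.post('/', async (req, res) => {
  // Authentication: check username and password, then issue a JWT to the client.
  // Declared with `const` — the original assigned undeclared globals, which leak
  // one request's credentials into the next and fail under strict mode.
  const { username, password } = req.body ?? {};
  // req.body is untrusted: require non-empty strings before the values reach the
  // query parameter or bcrypt.compare.
  if (typeof username !== 'string' || username === '' || typeof password !== 'string' || password === '') {
    return res.status(400).json({ success: false, error: 'Invalid username or password' });
  }
  try {
    // Parameterised query: the username is bound, never interpolated into the SQL.
    const sql = 'SELECT * FROM user WHERE username=?';
    const [result] = await conn.execute(sql, [username]);
    // Same generic message for unknown user and wrong password, so the response
    // does not reveal which of the two failed.
    if (result.length === 0) {
      return res.status(400).json({ success: false, error: 'Invalid username or password' });
    }
    const { id, role, password: passwordInDB } = result[0];
    const validPassword = await bcrypt.compare(password, passwordInDB);
    if (!validPassword) {
      return res.status(400).json({ success: false, error: 'Invalid username or password' });
    }
    // `expiresIn` adds an `exp` claim; without it the token never expires and the
    // middleware's expiry check has nothing to compare against. '1h' is a sample
    // lifetime to tune per application.
    const accessToken = jwt.sign({ id, username, role }, process.env.JWTPRIVATEKEY, { expiresIn: '1h' });
    return res.status(200).json({ success: true, accessToken });
  } catch (err) {
    // Express 4 does not forward a rejected async handler to error middleware;
    // answer with a generic 500 instead of leaving the request hanging, and keep
    // the error detail in the server log only.
    console.error('login failed', err);
    return res.status(500).json({ success: false, error: 'Internal server error' });
  }
});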
Return JWT in header
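// Alternative to returning the token in the JSON body: send it in the x-auth-token
// header, which is the header the authentication middleware reads. The identifier
// casing (`accessToken`) and the object literal passed to json() are corrected here.
res.status(200).header('x-auth-token', accessToken).json({ success: true });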
Authentication middleware
//create a file in middleware folder, called authenticateMiddle
const jwt = require('jsonwebtoken');
require('dotenv').config();
const { jwtDecode } = require('jwt-decode');
const moment = require('moment');
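const authenticateMiddle = (req, res, next) => {
  // Authentication middleware: require a valid, unexpired JWT in the x-auth-token
  // header. On success the verified claims are exposed as req.user for later handlers.
  const token = req.header('x-auth-token');
  // No token at all: reject before doing any crypto.
  if (!token) {
    return res.status(401).json({ success: false, message: 'Access Denied. No token provided.' });
  }
  let decoded;
  try {
    // jwt.verify checks the signature AND the exp claim, so no separate
    // jwtDecode()-based expiry pre-check is needed: that pre-check trusted
    // unverified claims, threw on malformed input outside the try, and was
    // skipped entirely for tokens signed without an `exp` claim.
    decoded = jwt.verify(token, process.env.JWTPRIVATEKEY);
  } catch (err) {
    // jsonwebtoken reports expiry as TokenExpiredError; anything else is "invalid".
    if (err.name === 'TokenExpiredError') {
      return res.status(401).json({ success: false, message: 'Access Denied. Token expired.' });
    }
    return res.status(401).json({ success: false, message: 'Invalid Token' });
  }
  req.user = decoded;
  // next() is called outside the try so a downstream handler error is not
  // mis-reported as an invalid token.
  next();
};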
module.exports = authenticateMiddle; // imported by routes as require('../middleware/authenticateMiddle')
Use authentication middleware
// in the routes that need authentication
const authenticateMiddle = require('../middleware/authenticateMiddle');
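// Middleware runs first; the handler only executes after it called next(), i.e.
// after req.user has been populated with verified claims. Uses the same `router`
// name as the login route; the misplaced parenthesis in `async(req,res))=>` is fixed.
router.get('/', authenticateMiddle, async (req, res) => {
  // ... handler body ...
});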
Authorization middleware
//create a file in middleware folder, called authorizeMiddle
const jwt = require('jsonwebtoken');
require('dotenv').config();
const { jwtDecode } = require('jwt-decode');
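const authorizeMiddle = (req, res, next) => {
  // Authorization middleware: allow only admin users through.
  // Reads req.user, the claims authenticateMiddle stored after jwt.verify().
  // Re-decoding the raw header with jwtDecode() would act on UNVERIFIED claims
  // and throws when the header is missing or malformed (an unhandled 500).
  const user = req.user;
  // Tokens signed in this project carry a `role` claim (e.g. 'admin'), not `isAdmin`;
  // `isAdmin === true` is kept so tokens that do carry it still pass.
  const isAdmin = user?.isAdmin === true || user?.role === 'admin';
  // Missing req.user (middleware used without authenticateMiddle) fails closed.
  if (!isAdmin) {
    return res.status(403).json({ success: false, message: 'Access Denied, Unauthorized to acesss this resource.' });
  }
  next();
};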
module.exports = authorizeMiddle; // imported by routes as require('../middleware/authorizeMiddle'), after authenticateMiddle
Use authorization middleware
// in the routes that need authorization (the admin check) on top of authentication
const authenticateMiddle = require('../middleware/authenticateMiddle');
const authorizeMiddle = require('../middleware/authorizeMiddle');
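// Order matters: authenticateMiddle must run first so req.user holds verified claims
// before authorizeMiddle checks the role. Uses the same `router` name as the login
// route; the misplaced parenthesis in `async(req,res))=>` is fixed.
router.get('/', [authenticateMiddle, authorizeMiddle], async (req, res) => {
  // ... handler body ...
});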