Learn using JWT with Passport authentication
Introduction
Almost every web and mobile app nowadays has authentication. Most of them offer different login methods like Facebook, Google or email/password at once.
Passport is a Node.js middleware that offers a variety of different request authentication strategies that are easy to implement. By default, it stores the user object in session.
JSON Web Tokens is an authentication standard that works by assigning and passing around an encrypted token in requests that helps to identify the logged in user, instead of storing the user in a session on the server and creating a cookie. It has different integrations including a Node.js module.
Below is a tutorial about using this two modules together and setting up an authentication on an express based backend. Luckily, Passport allows an option to store the user object in request instead of the session.
The tutorial will use a simple local (email/password) authentication, but it may as well be used with any other strategy.
First, lets install the dependencies.
npm install --save passport passport-local passport-jwt jsonwebtokenNow here is how everything is going to work:
- When the user logs in, the backend creates a signed token and returns it in response
- The client saves the token locally (typically in localStorage) and sends it back in every subsequent request that needs authentication
- All requests needing authentication pass through a middleware that checks the provided token and allows the request only if the token is verified
So, let’s implement this logic.
Login
Assume we have set up and used the local passport strategy in a separate file next to app.js like this:
//passport.jsconst passport = require('passport’);
const LocalStrategy = require('passport-local').Strategy;passport.use(new LocalStrategy({
usernameField: 'email',
passwordField: 'password'
},
function (email, password, cb) { //this one is typically a DB call. Assume that the returned user object is pre-formatted and ready for storing in JWT return UserModel.findOne({email, password})
.then(user => {
if (!user) {
return cb(null, false, {message: 'Incorrect email or password.'});
} return cb(null, user, {message: 'Logged In Successfully'});
})
.catch(err => cb(err));
}
));
We need to require this file in app.js.
//app.jsconst express = require('express');
...
require('./passport');
const app = express();
...
const auth = require('./routes/auth');
app.use('/auth', auth);
Now, in our auth.js route file, we’ll implement the login action. Here, we call the passport authentication function with local strategy, handle the errors and log in the user.
//routes/auth.jsconst express = require('express');
const router = express.Router();
const jwt = require('jsonwebtoken');
const passport = require("passport”);/* POST login. */
router.post('/login', function (req, res, next) { passport.authenticate('local', {session: false}, (err, user, info) => {
if (err || !user) {
return res.status(400).json({
message: 'Something is not right',
user : user
});
} req.login(user, {session: false}, (err) => {
if (err) {
res.send(err);
} // generate a signed son web token with the contents of user object and return it in the response const token = jwt.sign(user, 'your_jwt_secret');
return res.json({user, token});
});
})(req, res);
});
Note, that we pass {session: false} in passport options, so that it wont save the user in the session. Also, we create and return a signed JSON web token based on the user object to the client. You can, of course, choose any object to create a token with, as long as it will help you identify your user. The idea is, to store the minimum info that you can use without having to retrieve the user from the database in all the authenticated requests.
Protected requests
Now, we’ll create a middleware, that allows only requests with valid tokens to access some special routes needing authentication, eg. /user/profile. For this, we will use the passport-jwt strategy. We’ll add it in our passport.js file.
//passport.js
...
const passportJWT = require("passport-jwt");
const JWTStrategy = passportJWT.Strategy;
const ExtractJWT = passportJWT.ExtractJwt;
...passport.use(new JWTStrategy({
jwtFromRequest: ExtractJWT.fromAuthHeaderAsBearerToken(),
secretOrKey : 'your_jwt_secret'
},
function (jwtPayload, cb) {
//find the user in db if needed. This functionality may be omitted if you store everything you'll need in JWT payload.
return UserModel.findOneById(jwtPayload.id)
.then(user => {
return cb(null, user);
})
.catch(err => {
return cb(err);
});
}
));
Note, that we assume that the client will send the JWT token in Authorization Header as a Bearer Token. The Passport JWT Strategy supports many other ways of getting the token from requests. Choose whichever suits your needs.
Now, all we need to do is to use this middleware in our app for the protected routes. For this tutorial, we’ll prepare a simple user route like this:
//routes/user.jsconst express = require('express');
const router = express.Router();
/* GET users listing. */
router.get('/', function(req, res, next) {
res.send('respond with a resource');
});
/* GET user profile. */
router.get('/profile', function(req, res, next) {
res.send(req.user);
});
module.exports = router;
And use the passport authentication middleware on user route as shown below:
//app.jsconst express = require('express');
...
require('./passport');
const app = express();
...
const auth = require('./routes/auth');
const user = require('./routes/user');app.use('/auth', auth);
app.use('/user', passport.authenticate('jwt', {session: false}), user);
And that’s it!
Go on and try out some requests, now they’ll be backed with JSON Web Token authorization with Passport 👍
Want more on JWT?
Here is my article on how you can log out the user when authenticating with JWT.
PS. Here are the final files in Gist:
