node-api-jwt is a scaffolding template for a Node.js API that uses JSON Web Tokens (a.k.a. JWTs) for authentication.
The API provides example endpoints to register, identify, and log in a User (see authController.js) as well as endpoints to create, update, and delete a User (see userController.js).
The API runs in an Express.js server on your local machine (or in a cloud instance). This example uses a private-public [RSA](https://en.wikipedia.org/wiki/RSA_(cryptosystem)) key pair as its token-signing "secret".
A User collection is stored in the community edition of MongoDB running on your local machine or in a cloud instance.
1. From a command shell, clone this repository: `git clone https://github.com/bobmacneal/node-api-jwt.git`
2. From a command shell, navigate to the project root of the cloned repo: `cd node-api-jwt`
3. From a command shell, install dependencies: `npm i`
4. From the project root in your command shell, create a new private key file: `touch private.key`
5. From the project root in your command shell, create a new public key file: `touch public.key`
6. Generate a 512-bit RSA private-public key pair* here. Be sure to set the key size to 512-bit before clicking Generate. Note that a larger key would be tougher to crack, but every doubling of key size slows the decryption step by ~6x.
7. Copy/paste the entire contents (i.e., including `-----BEGIN` and `-----END`) of the generated private key into the private.key file created in step #4.
8. Copy/paste the entire contents (i.e., including `-----BEGIN` and `-----END`) of the generated public key into the public.key file created in step #5.
9. Install the community edition of MongoDB on macOS, Windows, or Linux per the instructions provided.
10. Optionally, install the MongoDB database client Compass. Compass makes it easy to view and modify database collections (i.e., the User collection in our case) and documents (i.e., User documents in our case).
11. From a new tab in your command shell, start the MongoDB service: `mongod`
12. Back in the tab at the root of the project, spin up the API on your local Express server: `npm run dev`. The dev script invokes nodemon to restart the server following any code updates.
13. Install an HTTP client like Insomnia, Postman, or Paw. Paw was used to create the screenshots in the endpoints documentation below.
Give it a try!
Using an HTTP client, issue a GET request against the URL http://localhost:4000/api/v1/. The API should return a 200 OK along with the message `API v1 running`.
Now try registering yourself (see the register screenshot) using a POST against the /api/v1/authentication/register endpoint. After registering successfully, use the token you received in the register response to verify that the API recognizes the token as you, using a GET against the /api/v1/authentication/me endpoint.
**Register:** registers a user and returns a valid token.
**Me:** with a user's Bearer token submitted in the Authorization header, the API returns a user object. Note the Bearer token in the Authorization header: the word Bearer is combined with the token returned upon registration (e.g., `Bearer eyJhbGciOiJSUzI1NiIsInR...`). Also note that your application name should be passed as a URL parameter called application (e.g., `application=application name`). Posting an application name in the request provides an extra verification step on the server.
**Login:** logs in a user. If the registered email and password match those stored in MongoDB, the API returns a valid token.
**Get users:** fetches all users stored in the MongoDB user collection. Note that as a security measure, code was added to the User model to avoid including the user's password hash in the response.
The three remaining endpoints in userController.js (get by id, update, and delete) do not require a JWT; in most cases, however, a token would be advisable to protect records from being updated or deleted by an unauthenticated user.