
JWT Authentication in Node.js.

Explained Simply.

What authentication means.

  • Authentication means verifying a user's identity: checking whether the user is valid or not. If not, we don't give them access to do anything in the application; if the identity is valid, the user is authenticated.

  • That is the basic overview of what authentication is. Below I explain every step one by one so you get the idea of what I want to say.

Step by Step Authentication Guide.

  • A user comes to the website and we redirect them to the register or login page. If they are already registered they go to login; if not, they go to register.

  • Assume the user registers first: we store the user data in the database, then open the login page for them. Now the main service comes into the picture; let's take the basic flow first and discuss more in the next section.

  • When the user logs in, we check in the database whether it is a valid user. Once the user logs in successfully, we give them a token.

  • Now the user has a token. When they come back next time to request any service, they bring the token and we validate it, because the token carries the user details. Then we check the user in the database again: if the user is valid we give access, otherwise access is denied. So this is authentication; now let's see how we create the token and do all that.

What JWT is.

So now we understand what the problem statement is. In JWT, the main purpose is to create a secure interaction between the client and the server.

  • Whenever a user sends a request to the server, the user also sends a token with that request.

  • If the token is valid, then the user can access the server and its data. If the token is not valid, then the request gets rejected before it reaches the application's route handlers.

  • The main thing is that whenever you send a request to the server, the server needs to verify your identity and check who you are.

  • Doing this again and again for every request can become difficult, so instead we create a token.

  • The token stays with the user. Whenever the user sends a request, we check that token again and again to verify whether it is correct or not.

So this is JWT, which means JSON Web Token.

Structure of a JWT :-

Header :-

  • Header contains metadata about the token.

  • For example, it stores information like which algorithm was used to create the token and what the token type is.

  • So basically, the header contains information about the token.

Payload :-

  • Payload means the data that we want to store inside the token. When the user logs in, we create a token and store some user data inside it.

  • Next time, when the user sends the token and we decode it, we can get the same data that we defined in the payload.

  • So basically, payload is the data that is embedded inside the token.

Signature :-

  • The signature is a unique code computed from the header and payload using a secret. We keep that secret inside our application.

  • When a user logs in, we create a token so that next time the user can come with that token and we can identify that it is the same user.

  • So, while creating the token, we use the secret to create a signature. Next time, when the user sends the token, we verify it using the same signature secret.

Login flow using JWT .

  • Now the user has registered, which means the account has been created. The user's data is now stored in our database.

The next step is login.

  • When the user logs in and then accesses the website, we create a token at the time of login.

Why do we create a token?.

  • Because the user has already logged in once, and when the user comes back next time, they should not need to log in again and again. The user keeps the token and sends it along with future requests.

  • On the basis of that token, we allow the user to access the application. This is important because every time a request is sent to the server, the server needs to verify the user’s identity.

When the user enters login details in the login form, we check those details in the database. If the user exists, then we take that user data, put it inside a token, and give the token to the user after successful login.

Next time, we only need to check whether the token is valid, whether it belongs to our application, and whether the details inside the token are ours or not.

Sending token with requests .

Sending token with request means that, as we discussed above, the user sends a token along with every request. But how does the token come with the request?

  • Basically, the token is sent inside the request headers, usually in the Authorization header. Whenever the user sends a request, the token is also sent inside the header.

  • We then take the token from the header and verify it before the request reaches the route handler. If the token is valid, then we move ahead and allow the request.

  • Otherwise, the request gets rejected. Below is the code to check the token from the headers.

let token;
// Prefer the Authorization header; fall back to the accessToken cookie
if (req.headers.authorization?.startsWith("Bearer ")) {
  token = req.headers.authorization.split(" ")[1];
} else if (req.cookies?.accessToken) {
  token = req.cookies.accessToken;
}

Protecting routes using tokens .

Protecting routes using tokens means securing some routes of the application so that only valid users can access them. When a user logs in successfully, we create a token and give it to the user.

The user then sends that token along with every request. Before allowing access to a protected route, we first check the token.

We take the token from the request headers and verify whether it is valid or not. If the token is valid, then the user is allowed to access the route and its data.

If the token is invalid or missing, then the request gets rejected and the user cannot access that route.

So basically, protecting routes using tokens means checking the user’s token before giving access to protected resources.

💡
So with my explanation above, I hope you understand what I learned and what my thought process is on JWT Authentication in Node.js.