Authenticate Users With JWT for Access to Protected Resources
In this lesson, we build a simple API with two endpoints, one public and one secure. Using JWT and validating with the signature, we ensure that the user is authorized and has access to a protected resource before serving it.
Instructor: [00:00] In this lesson, we will create an API with two routes. The first one for the /resource endpoint will be public, and simply return a status of 200, and a message saying, "Public resource. You can see this."
[00:22] Our second route will be for the /resource/secret endpoint. This will be a secured route. For this endpoint, we will return a 200, as well as a message that says, "Secret resource. You should be logged in to see this."
[00:42] This server will run on the port specified by the environment variable API port. Let's go into our terminal, set this using export, and set the API port to 5000. Now, we can run the server by using Node and the name of the file.
[01:00] To test our API, we will use Postman. If we go to localhost:5000, we're getting a 404, page not found, because that route was not defined. If we try localhost:5000/resource, we should see our public resource there. If we try localhost:5000/resource/secret, we can also see the content of this resource. Our next step will be to block those requests by requesting a valid JSON web token. To do so, we will require the Express JWT middleware.
[01:39] Let's now open a terminal, and install it, using npm install express-jwt. Good. Now, let's define this middleware. We can initialize this middleware by using Express JWT and passing it some options. If you are using a real authentication server, you'd want to check for the issuer, the audience, and more to validate the integrity of the server.
[02:01] In our case, we will only check to see in the signature matches the one from our authentication server, my super secret key, in this case. Finally, we can secure our private route by adding the middleware as the second argument of our app.get method. We are now ready to restart our server and test it in Postman.
[02:24] Now, if we try a route again, we see that we're getting an error message, saying that no authorization token was found. Let's go to the authorization section, and select a bearer token type of authentication.
[02:38] We can take a valid token from JWT-IO in this case, and simply paste that in the token box in Postman. We can now try to make our call to /resource/secret again, and we can now see the content of this route. Now, you have an API with a secured endpoint.
...
This is super helpful. I've been looking for a good resource on JWT since I got hungup on a Prisma project. Thanks!
I believe there is a step that is missing. When getting a valid JWT from https://jwt.io, you need to update the secret key to match the secret key in your code, in this example, "mysupersecretkey".
You can update the secret key on https://jwt.io in the last section of "Decoded" where it says "Verify Signature". There is a text input to enter your secret key. After updated your key, the encoded JWT will update automatically. Copy and paste this key into Postman to fix the "invalid signature" error.
Not sure what Postman version the course instructor is using, but mine do not have 'Bearer' as an option in the Authorization tab. I had to add it manually by going to the 'Headers' tab and adding a header with the key as 'Authorization' and value as 'Bearer JWT_TOKEN_STRING'
This course is pretty disorganized, it's definitely not the same quality that I normally experience with Egghead. For it to be better, the videos need to be ordered better, and as mentioned it feels like bits are missing, it is hard to follow along when the code from lesson to lesson does not match up. Also, this is a very technical subject and there is not enough information to really feel confident I can integrate this into my own project and be confident I have a secure auth system. It's a shame because this is an intersting subject.
If the intention of the video was to offer a brief overview of auth and then advocate AuthO, this should be mentioned.
THANK YOU @Todd!!
I believe there is a step that is missing. When getting a valid JWT from https://jwt.io, you need to update the secret key to match the secret key in your code, in this example, "mysupersecretkey".
You can update the secret key on https://jwt.io in the last section of "Decoded" where it says "Verify Signature". There is a text input to enter your secret key. After updated your key, the encoded JWT will update automatically. Copy and paste this key into Postman to fix the "invalid signature" error.
Thanks, @Todd
I believe there is a step that is missing. When getting a valid JWT from https://jwt.io, you need to update the secret key to match the secret key in your code, in this example, "mysupersecretkey".
You can update the secret key on https://jwt.io in the last section of "Decoded" where it says "Verify Signature". There is a text input to enter your secret key. After updated your key, the encoded JWT will update automatically. Copy and paste this key into Postman to fix the "invalid signature" error.
I hit a wall in this course at this video. Spending a lot of time trying to make up for knowledge gaps and inconsistencies in the lessons code. Philips comment sums it up well.
If someone is running into a "algorithms should be set" error, just add the algorithms array to the jwtCheck definition like so:
const jwtCheck = expressjwt({ secret: "mysupersecretkey", algorithms: ["HS256"], })
Just to expand on the comment above, if you do run into an "algorithms should be set" error, there's a change between the version of jwt-express used in this video and the current one (version 6 at time of writing). You can either run "npm install express-jwt@5.3.3" to install the latest version of version 5.x.x, or you can add the algorithm as an option in the expressjwt constructor (more info here https://stackoverflow.com/questions/62665636/if-options-algorithms-throw-new-erroralgorithms-should-be-set-error-alg)
I'm getting an error while running this file: expressjwt is not a function can someone please help me out?
@anatta with new version of expressjwt there is no default export so use it like that
const { expressjwt } = require('express-jwt');
...
const jwtCheck = expressjwt({
secret: 'secret',
algorithms: ["HS256"],
});
Argument alghoritms is required
Oh, boy I hate 'courses' like this, SOO, we are jumping from lession 6 to do some cors changes, to lession 5, then back to lession 2 code example to do this video. What a mess of a cours.