Page Content

Tutorials

Load more

What is API Authentication in Node.js? Explained with Code

Node.js
Agarapu Drakshyani
Author: Agarapu Drakshyani
6 min.read

API Authentication in Node.js

API authentication in Node.js refers to the process of verifying the identity of a client (such as a user or another service) attempting to access resources or functionalities provided by your Node.js application’s API. This process is known as API authentication in Node.js. This is essential for data security and making sure that only authorized users have access to your system.

This explains the many types of API authentication and how Node.js implements them, frequently using frameworks like Express.js:

Securely Storing Passwords

A key component of API security is the safe storage of passwords, particularly for user authentication. Passwords are usually salted and hashed rather than stored in plain text, which increases security risks. One popular library for this is Bcrypt.

The login method is two-step: first, the user’s email is retrieved, and then Bcrypt is used to check whether the password they entered matches the hashed password that is kept in the database. When both procedures are completed successfully, the user’s identity is verified.

JSON Web Tokens (JWT)

When it comes to issuing and validating authentication tokens, JSON Web Tokens (JWTs) offer a reliable solution. With the use of these tokens, a client can avoid logging in repeatedly for each action they take on the server.

A library such as jsonwebtoken is usually installed in order to use JWTs. A new token is created using the sign method, which takes three parameters:

  1. Data to embed: A user’s unique identifier must be included.
  2. Secret phrase: A code that is used to avoid tampering in token issuance and validation.
  3. Options: like expiresIn to specify the duration of the token’s validity (e.g., seven days).

Example of generating a JWT:

const jwt = require('jsonwebtoken')
const token = jwt.sign({ _id: 'abc123' }, 'thisismynewcourse', { expiresIn: '7 days' })

Tokens can be given to users upon registration or login, kept by the client, and then provided along with further authentication requests. Using the verify method, which requires the token and the secret phrase, the server confirms the token. The server is able to identify the user executing the action by returning the embedded data if it is legitimate.

Example of verifying a JWT:

const data = jwt.verify(token, 'thisismynewcourse') // data._id contains the user id of the user that owns this token

The user profile can also contain authentication tokens that can be saved in the database. This allows users to log out by deleting specific tokens or to log out of all sessions by deleting all related tokens.

Passport.js

The well-liked Node.js authorization plugin Passport.js simplifies the process of managing authorization requests. More than 300 strategies are supported, making it easier to integrate with different login mechanisms like Facebook, Google, or custom databases through the use of a LocalStrategy. Passport makes it easier to authenticate people using your own database of registered users (password and username).

Basic Authentication

Basic authentication entails utilizing normal HTTP headers to transmit usernames and passwords in plain text over the wire. This approach is straightforward, but because data is sent over HTTP without encryption, it is insecure. In the actual world, it needs to be used in conjunction with a secure protocol such as HTTPS.

In order to provide basic authentication, a Node.js server must examine the incoming request’s Authorization header. A 401 Unauthorized status with a WWW-Authenticate header may be sent by the server in the event that the header is absent or invalid, asking the client (such as a browser) for credentials. The authorization header usually contains the Base64-encoded credentials (username:password). These are decoded and verified by the server using user records that are saved.

Example of a Node.js server handling basic authentication:

var http     = require('http');
var redis     = require("redis");
var client    = redis.createClient(); // Assuming Redis client is set up
http.createServer(function(req, res) {
    var auth = req.headers['authorization'];
    if(!auth) {
        res.writeHead(401, {'WWW-Authenticate': 'Basic realm="Secure Area"'});
        return res.end('<html><body>Please enter some credentials.</body></html>');
    }
    var tmp = auth.split(' '); // Expected format: Basic <Base64EncodedCredentials>
    var buf = new Buffer(tmp, 'base64');
    var plain_auth = buf.toString();
    var creds = plain_auth.split(':');
    var username = creds;
    var password = creds;
    // Validate credentials (e.g., against Redis user database)
    client.get(username, function(err, data) {
        if(err || !data) {
            res.writeHead(401, {'WWW-Authenticate': 'Basic realm="Secure Area"'});
            return res.end('<html><body>You are not authorized.</body></html>');
        }
        // In a real app, compare 'password' with 'data' (hashed password from DB)
        // For this example, assuming 'data' contains the password directly or allows comparison
        res.statusCode = 200;
        res.end('<html><body>Welcome!</body></html>');
    });
}).listen(8080);

Challenge-Response System

Passwords can be sent using a challenge-response mechanism instead of plain text. When a client requests access, they usually receive a “public key” (the challenge) created by the server. They then combine this key with their password, hash the result (for example, using SHA256), and give back to the server just the hash. After carrying out the identical hashing process, the server compares the outcomes.

Example client-side SHA256 hash generation for challenge-response:

<script src="sha256.js"></script> <!-- Assuming sha256.js library is available -->
<script>
$.get("/authenticate/jack", function(publicKey) {
    if(publicKey === "no data") {
        return alert("Cannot log in.");
    }
    // Client forms a string: publicKey + password, then hashes it
    var response = Sha256.hash(publicKey + "beanstalk"); // "beanstalk" is the user's password
    $.get("/login/" + response, function(verdict) {
        if(verdict === "failed") {
            return alert("No Dice! Not logged in.");
        }
        alert("You're in!");
    });
});
</script>

Creating the publicKey, storing it briefly (for example, in Redis with a limited expiration date), and then comparing the received hash to its own computed hash would be the server-side implementation.

Express Middleware for Authentication

Functions of express middleware are essential to Node.js API authentication. In the application’s request-response cycle, these are functions that have access to the request object (req), the response object (res), and the subsequent middleware function (next). This gives you the ability to fine-tune how your server handles requests.

It is possible to use middleware to verify a user’s authentication before granting them access to particular activities or routes. To retrieve the user’s profile after validating an authentication token (such as a JWT), an auth middleware function can be used.

Example of an auth middleware function:

const jwt = require('jsonwebtoken')
const User = require('../models/user') // Assuming a Mongoose User model
const auth = async (req, res, next) => {
    try {
        const token = req.header('Authorization').replace('Bearer ', '') // Extract token from header
        const decoded = jwt.verify(token, 'thisismynewcourse') // Verify token
        const user = await User.findOne({ _id: decoded._id, 'tokens.token': token }) // Find user by ID and token
        if (!user) {
            throw new Error()
        }
        req.user = user // Attach user to the request object
        next() // Pass control to the next middleware/route handler
    } catch (e) {
        res.status(401).send({ error: 'Please authenticate.' }) // Send 401 if authentication fails
    }
}
module.exports = auth

You can then use this auth middleware to secure specific endpoints. As a second input to a route handler (such as router.get), it ensures user authentication by running before the main route handler.

Example of applying middleware to a route:

router.get('/users/me', auth, async (req, res) => {
    res.send(req.user) // Only runs if 'auth' middleware passes
})

By ensuring that the route handler may access req.user, which contains the profile of the authenticated user, without having to retrieve it again, this structure simplifies the application logic. This modular design improves the codebase’s readability and maintainability.

Previous article
What Is Performance Optimization in React.js With Example
Next article
What Are Go Decision Making Statements With Code Examples
Agarapu Drakshyani
Agarapu Drakshyani

About Us 

Contact Us

Privacy Polacy

Disclaimer

© G Solutions

Index