
How to set authorization headers in Postman?

Web application security is vital, and JSON Web Tokens (JWT) play a key role in authentication and route protection. In this article we will learn how to create a secure backend with Node and Express using JWT, and then we will demonstrate how to set authorization headers in Postman for effective API testing.

Note: We will first create a backend server, so that in the later steps we have a real endpoint against which to set the Authorization header in Postman.

Prerequisites:

Steps to create Backend with Node and Express:

Step 1: Create a project directory:

mkdir jwt-auth-example

Step 2: Change the directory to jwt-auth-example:

cd jwt-auth-example

Step 3: Initialize npm:

npm init -y

Step 4: Install Dependencies Express.js and jsonwebtoken:

npm install express jsonwebtoken

Step 5: Implement JWT authentication. Create a file named `app.js` and add the code below:

const express = require("express");
const jwt = require("jsonwebtoken");

const app = express();
const PORT = 3000;
// Replace with a strong, randomly generated secret, ideally read from an
// environment variable rather than committed to source
const SECRET_KEY = "your_secret_key";

// Parse JSON request bodies. express.json() is built into Express, so the
// separate body-parser package (which Step 4 does not install) is not needed
app.use(express.json());

// Example User Model (demo only: a real application stores password hashes,
// never plaintext passwords)
const users = [{ id: 1, username: "john_doe", password: "password123" }];

// Middleware for JWT Verification
const verifyToken = (req, res, next) => {
    // Extract the token from the Authorization header. This demo expects the
    // raw token as the header value, which is how it is entered in Postman in
    // the steps below (no "Bearer " prefix)
    const token = req.header("Authorization");

    // Check if the token is missing
    if (!token) {
        return res
            .status(401)
            .json({ message: "Access denied. Token missing." });
    }

    try {
        // Verify the signature and decode the payload. jwt.verify throws on a
        // bad signature, a malformed token, or an expired token
        const decoded = jwt.verify(token, SECRET_KEY);

        // Attach the user information to the request
        // for use in the protected route
        req.user = decoded;

        // Move to the next middleware or route handler
        next();
    } catch (error) {
        // Handle invalid tokens
        res.status(401).json({ message: "Invalid token" });
    }
};

// Protected Route
app.get("/protected", verifyToken, (req, res) => {
    // Send a JSON response with a message
    // and the user information from the token
    res.json({ message: "This is a protected route!", user: req.user });
});

// Login Route
app.post("/login", (req, res) => {
    const { username, password } = req.body;

    // Check if user credentials are valid by
    // finding a user in the 'users' array
    const user = users.find(
        (u) => u.username === username && u.password === password
    );

    // If user is not found, respond with an error
    if (!user) {
        return res.status(401).json({ message: "Invalid credentials" });
    }

    // Generate a JWT with user information and
    // send it as a response upon successful authentication.
    // No expiry is set here, so the token stays valid until SECRET_KEY changes;
    // pass { expiresIn: "1h" } as a third argument to limit its lifetime
    const token = jwt.sign(
        { userId: user.id, username: user.username },
        SECRET_KEY
    );
    res.json({ token });
});

// Start the server
app.listen(PORT, () => {
    console.log(`Server is running on port ${PORT}`);
});

Step 6: Start the server

node app.js

Steps to Hit Endpoints Using Postman:

Step 1: Login endpoint. Send a POST request to the /login route with the credentials below as the JSON body:

{
"username":"john_doe",
"password":"password123"
}

Step 2: Copy the token returned in the login response.

Step 3: Authorization in Postman. Open the Headers tab of a new request and add a header with:

Key: Authorization
Value: your_token_here

Step 4: Hit the protected endpoint. Send a GET request to the /protected route with that header set.

Output: the protected route responds with the message and the user claims decoded from the token; without the header, or with a tampered token, it responds with 401.