
Here is my code to implement authentication in a Node/Express/Sequelize project. This is my first time using JWT and I would appreciate any help!

```javascript
// Load required packages
const jwt = require('jsonwebtoken');
const expressJwt = require('express-jwt');
const config = require('../config');
const User = require('../models').User;

exports.authenticate = function(req, res) {
  const username = req.body.username;
  const password = req.body.password;

  User.findOne({ where: { username: username } }).then((user) => {
    // Make sure the user exists and the password is correct. Both failures get
    // the same 401 so the response does not reveal which one occurred, and the
    // request never hangs without a reply.
    if (!user || !user.verifyPassword(password)) {
      return res.sendStatus(401);
    }
    const token = jwt.sign({ username: user.username }, config.jwtSecret);
    res.json({ success: true, token: token, username: user.username });
  }).catch((error) => {
    console.error(error);
    res.sendStatus(404);
  });
};

// Middleware that verifies the Authorization bearer token on protected routes
exports.isAuthenticated = expressJwt({ secret: config.jwtSecret });
```

    2 Answers


    Though not in JavaScript, my uses of JWT have always used the password as the JWT secret. The JWT payload is whatever you need to identify the user -- username in your case. You can add in a CSRF token of some sort as well. I have an example on my GitHub that is a very simple application using JWT as the authentication mechanism - https://github.com/dave-shawley/readings/blob/7d2504587daa6a174fc3cbc0a5478fa817412eea/readings/static/js/login.js#L10-L26 is the JavaScript login code. Mind you that I am most certainly not a JavaScript programmer, so don't read too much into my example for style advice ;)

    My login code builds a JWT payload that looks something like:

```json
{
  "exp": 1488027170,
  "iss": "https://whatever.example.com/login",
  "csrf": "123456ABCDEF",
  "nbf": 1488026870
}
```

    where "nbf" is the current time, "exp" is the expiration time, and "iss" is the referring web site. "csrf" is a one-time token that is embedded in the HTML form.

    I encode this structure using the entered password as the secret and pass the resulting token to my login endpoint. I have the user name in a secured cookie but it could be passed in the JWT payload as well. On the receiving side, I look up the user information in my data store by the user name from the cookie. Then I verify that the JWT payload was signed using the password as the secret and that it is still valid. If everything checks out, then the user is authenticated.


      I can't be of much help with JWT; however, if you are able to use ES7 features, I would recommend utilising them.

```javascript
const jwt = require('jsonwebtoken');
const expressJwt = require('express-jwt');
const config = require('../config');
const { User } = require('../models');

exports.authenticate = async (req, res) => {
  const { username, password } = req.body;
  try {
    // Sequelize expects the filter under `where`
    const user = await User.findOne({ where: { username } });
    if (!user || !user.verifyPassword(password)) {
      //.. should send some sort of response here
      res.sendStatus(401);
      return;
    }
    const token = jwt.sign({ username: user.username }, config.jwtSecret);
    res.json({ success: true, token: token, username: user.username });
  } catch (error) {
    console.error(error);
    res.sendStatus(404);
  }
};

exports.isAuthenticated = expressJwt({ secret: config.jwtSecret });
```