Authentication and security are crucial for maintaining user privacy and application integrity. A popular method to manage authentication is by using JSON Web Tokens (JWT)<\/strong>. In this blog, we’ll walk through how to implement JWT authentication using Node.js<\/strong>, along with strategies to manage token expiration using access tokens<\/strong> and refresh tokens<\/strong>.<\/p>\n\n\n\n A JSON Web Token (JWT)<\/strong> is a compact, URL-safe token that carries information between two parties, usually the client and the server. It consists of three parts:<\/p>\n\n\n\n When a user logs in to your application, they receive two tokens<\/strong>:<\/p>\n\n\n\n Let’s dive into how to implement JWT authentication in Node.js using both access and refresh tokens.<\/p>\n\n\n\n When a user logs in, we create two tokens: the access token and the refresh token. Here\u2019s the code to create these tokens:<\/p>\n\n\n\n To protect your API routes, you need a middleware function to authenticate incoming requests using the access token. If the token is valid, the request proceeds; otherwise, an error is returned.<\/p>\n\n\n\n This middleware checks for the presence of a token in the request header. If the token is valid, it extracts the user’s information and attaches it to the request object for use in the next middleware or route handler.<\/p>\n\n\n\n When the access token expires, the client can request a new one using the refresh token. Here\u2019s how you can implement an API endpoint to refresh the access token:<\/p>\n\n\n\n When the access token expires, the client sends the refresh token to this endpoint. If the refresh token is valid, a new access token is issued. If the refresh token is expired or invalid, the user will be logged out.<\/p>\n\n\n\nWhat is a JWT?<\/h3>\n\n\n\n
\n
JWT<\/code>) and the hashing algorithm used (HS256<\/code>).<\/li>\n\n\n\nFlow of JWT Authentication with Access and Refresh Tokens<\/h3>\n\n\n\n
\n
Why Two Tokens?<\/h4>\n\n\n\n
\n
Node.js Implementation<\/h3>\n\n\n\n
Generating Tokens<\/h4>\n\n\n\n
const jwt = require('jsonwebtoken');\n\n\/\/ Create the JWT and refresh tokens\nconst token = jwt.sign(\n { userId: user._id, username: user.username },\n process.env.JWT_SECRET, \/\/ Secret key for signing the access token\n { expiresIn: \"1m\" } \/\/ Access token expires in 1 minute\n);\n\nconst refreshToken = jwt.sign(\n { userId: user._id },\n process.env.JWT_REFRESH_SECRET, \/\/ Secret key for refresh token\n { expiresIn: \"30d\" } \/\/ Refresh token expires in 30 days\n);<\/pre>\n\n\n\n\n
Middleware to Authenticate Requests<\/h4>\n\n\n\n
const JWT_SECRET = process.env.JWT_SECRET;\n\nconst authenticateJWT = (req, res, next) => {\n \/\/ Allow certain requests without authentication\n if (req.url === '\/graphql' && req.method === 'GET') {\n return next();\n }\n\n const query = req.body?.query || '';\n\n if (query.includes('IntrospectionQuery') ||\n query.includes('mutation LoginUser') ||\n query.includes('mutation RefreshToken')) {\n return next();\n }\n\n \/\/ Extract the token from the authorization header\n const token = req.headers.authorization?.split(' ')[1];\n if (!token) {\n return res.status(401).send('Token is required');\n }\n\n \/\/ Verify the token\n jwt.verify(token, JWT_SECRET, (err, user) => {\n if (err) {\n return res.status(403).send('Invalid token');\n }\n\n req.user = user;\n next();\n });\n};\n\napp.use(authenticateJWT);<\/pre>\n\n\n\nRefreshing an Expired Access Token<\/h4>\n\n\n\n
const refreshTokenHandler = (req, res) => {\n const refreshToken = req.cookies.refreshToken; \/\/ Assume refresh token is stored in an HTTP-only cookie\n\n if (!refreshToken) {\n return res.status(403).send('Refresh token is required');\n }\n\n jwt.verify(refreshToken, process.env.JWT_REFRESH_SECRET, (err, user) => {\n if (err) {\n return res.status(403).send('Invalid refresh token');\n }\n\n \/\/ Generate a new access token\n const newAccessToken = jwt.sign(\n { userId: user.userId, username: user.username },\n process.env.JWT_SECRET,\n { expiresIn: \"1m\" }\n );\n\n res.json({ accessToken: newAccessToken });\n });\n};\n\napp.post('\/refresh-token', refreshTokenHandler);<\/pre>\n\n\n\nSecurity Considerations<\/h3>\n\n\n\n