Skip to content

Instantly share code, notes, and snippets.

Embed
What would you like to do?
JSON Web Token Tutorial: Express
// file: index.js
var _ = require("lodash");
var express = require("express");
var bodyParser = require("body-parser");
var jwt = require('jsonwebtoken');
var passport = require("passport");
var passportJWT = require("passport-jwt");
var ExtractJwt = passportJWT.ExtractJwt;
var JwtStrategy = passportJWT.Strategy;
var users = [
{
id: 1,
name: 'jonathanmh',
password: '%2yx4'
},
{
id: 2,
name: 'test',
password: 'test'
}
];
var jwtOptions = {}
jwtOptions.jwtFromRequest = ExtractJwt.fromAuthHeader();
jwtOptions.secretOrKey = 'tasmanianDevil';
var strategy = new JwtStrategy(jwtOptions, function(jwt_payload, next) {
console.log('payload received', jwt_payload);
// usually this would be a database call:
var user = users[_.findIndex(users, {id: jwt_payload.id})];
if (user) {
next(null, user);
} else {
next(null, false);
}
});
passport.use(strategy);
var app = express();
app.use(passport.initialize());
// parse application/x-www-form-urlencoded
// for easier testing with Postman or plain HTML forms
app.use(bodyParser.urlencoded({
extended: true
}));
// parse application/json
app.use(bodyParser.json())
app.get("/", function(req, res) {
res.json({message: "Express is up!"});
});
app.post("/login", function(req, res) {
if(req.body.name && req.body.password){
var name = req.body.name;
var password = req.body.password;
}
// usually this would be a database call:
var user = users[_.findIndex(users, {name: name})];
if( ! user ){
res.status(401).json({message:"no such user found"});
}
if(user.password === req.body.password) {
// from now on we'll identify the user by the id and the id is the only personalized value that goes into our token
var payload = {id: user.id};
var token = jwt.sign(payload, jwtOptions.secretOrKey);
res.json({message: "ok", token: token});
} else {
res.status(401).json({message:"passwords did not match"});
}
});
app.get("/secret", passport.authenticate('jwt', { session: false }), function(req, res){
res.json({message: "Success! You can not see this without a token"});
});
app.get("/secretDebug",
function(req, res, next){
console.log(req.get('Authorization'));
next();
}, function(req, res){
res.json("debugging");
});
app.listen(3000, function() {
console.log("Express running");
});
{
"name": "jwt-tutorial",
"version": "1.0.0",
"description": "",
"main": "index.js",
"scripts": {
"test": "echo \"Error: no test specified\" && exit 1"
},
"keywords": [],
"author": "",
"license": "ISC",
"dependencies": {
"body-parser": "^1.15.2",
"express": "^4.14.0",
"jsonwebtoken": "^7.1.9",
"lodash": "^4.16.4",
"passport": "^0.3.2",
"passport-jwt": "^2.1.0"
}
}
@dumptyd

This comment has been minimized.

Copy link

commented Jan 10, 2017

Thanks 👍

@ghost

This comment has been minimized.

Copy link

commented Mar 21, 2017

Thank you for this sample.
I have a question in regards to this part:

app.get("/secret", passport.authenticate('jwt', { session: false }), function(req, res){
  res.json({message: "Success! You can not see this without a token"});
});

when I do the get request I get:

Unauthorized

Do I set a header parameter passing in the token with that get request?
How do I use the generated token with that GET request to get the success message?

@nikolay-govorov

This comment has been minimized.

Copy link

commented Apr 25, 2017

Thank, it is that I need! 👍

@PJCHENder

This comment has been minimized.

Copy link

commented Jun 21, 2017

Great Article!!

@Evgenyx82

This comment has been minimized.

Copy link

commented Aug 18, 2017

developermhayden use fetch polyfill with headers options (https://developer.mozilla.org/en-US/docs/Web/API/Fetch_API/Using_Fetch)

@harrylincoln

This comment has been minimized.

Copy link

commented Aug 23, 2017

TypeError: ExtractJwt.fromAuthHeader is not a function

Line 28 needs to change to: jwtOptions.jwtFromRequest = ExtractJwt.fromAuthHeaderWithScheme('jwt'); ?

Reference: https://www.npmjs.com/package/passport-jwt#migrating-from-2xx-to-3xx

@lmontoya1974

This comment has been minimized.

Copy link

commented Sep 8, 2017

Hi,
I have all working now and I'm getting===== > "Success! You can not see this without a token".

I need to continue with my application and adding more options like:

app.post("/read", function(req, res) {  
     **//
    // do all here just when the access is granted, but error if no access or  "Unauthorized"
   //**
	} 

What else I need to include?

Thank you all guys.

@premgowda

This comment has been minimized.

Copy link

commented Nov 28, 2017

@developermhayden

prefix token with JWT
example : "JWT token"

@wisetc

This comment has been minimized.

Copy link

commented Dec 29, 2017

I used ExtractJwt.fromAuthHeaderAsBearerToken() instead of ExtractJwt.fromAuthHeader() and set Authorization header to 'Bearer ' + token.
image

image

It worked.

@jjjjcccjjf

This comment has been minimized.

Copy link

commented Jan 6, 2018

@wisetc I used this instead
jwtOptions.jwtFromRequest = ExtractJwt.fromAuthHeaderWithScheme('bearer');

@soumodips

This comment has been minimized.

Copy link

commented Feb 3, 2018

Hello everyone. I still have this issue. Tried using bearer strategy too. Here is the link to my repo https://github.com/soumodips/JWT-passport-OAuth

I will be glad if any one can help.

Screenshots from Postman:
image

image

Thanks a ton in advance!

ISSUE SOLVED:
Be sure to use all key names as expected by the modules. I had used 'exp' for expiry time in the payload instead of 'expiresIn'. Enjoy!!

@ClausClaus

This comment has been minimized.

Copy link

commented Jul 14, 2018

Thanks

@ianfabs

This comment has been minimized.

Copy link

commented Aug 19, 2018

@rmar72

This comment has been minimized.

Copy link

commented Sep 2, 2018

These 2 ways worked for me:
ExtractJwt.fromAuthHeaderWithScheme('bearer') or with ('jwt');

Headers: Authorization: bearer + token or jwt + token

@ironbyte

This comment has been minimized.

Copy link

commented Oct 5, 2018

Very helpful! Thanks

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
You can’t perform that action at this time.