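const express = require('express');
const jwt = require('jsonwebtoken');
const cookieParser = require('cookie-parser'); // For cookie parsing (if needed)

const app = express();

// Signing secret for HMAC-signed tokens.
// Never hard-code it: a secret that lives in source is shared with everyone who
// can read the repository or a build artefact, and it cannot be rotated without a
// code change. Read it from the environment and fail fast at startup instead of
// silently falling back to a well-known default.
const secretKey = process.env.JWT_SECRET;
if (!secretKey) {
  throw new Error('JWT_SECRET environment variable must be set');
}

// Pin the algorithm(s) we actually sign with. Leaving `algorithms` unset lets the
// verifier accept any algorithm the library allows for a string secret, which is
// wider than this service needs; an explicit allow-list removes that ambiguity.
const ALLOWED_ALGORITHMS = ['HS256'];

// Use middleware to parse cookies (if token is in a cookie)
app.use(cookieParser());

/**
 * Locate the bearer token on an incoming request.
 *
 * The `Authorization: Bearer <token>` header is checked first. The scheme is
 * compared case-insensitively (RFC 7235 schemes are case-insensitive) and runs of
 * whitespace are tolerated. When the header uses the Bearer scheme but carries no
 * credentials, `undefined` is returned and the cookie is NOT consulted — a
 * malformed header is rejected rather than quietly downgraded.
 *
 * Only when there is no Bearer header does the `token` cookie act as a fallback.
 * NOTE(review): a cookie is sent automatically by the browser, so any
 * state-changing route that relies on this fallback needs CSRF protection;
 * `/protected` below is a GET, so it is not affected here.
 *
 * @param {import('express').Request} req - the incoming request
 * @returns {string | undefined} the raw token, or `undefined` if none was found
 */
function extractToken(req) {
  const header = req.headers.authorization;
  if (typeof header === 'string') {
    const [scheme, credentials] = header.trim().split(/\s+/);
    if (scheme.toLowerCase() === 'bearer') {
      return credentials; // undefined when the header is just "Bearer"
    }
  }
  // If not in header, check for cookie (optional)
  return req.cookies?.token;
}

/**
 * GET /protected — an admin-only resource.
 *
 * Responses:
 *   401 — no token, expired token, or a token that fails signature / format checks
 *   403 — a valid token whose `role` claim is not `'admin'`
 *   500 — any unexpected error during verification
 *   200 — `{ message, user }` where `user` is the verified claim set. The bearer
 *         can already read that payload (a JWT is signed, not encrypted), so
 *         echoing it back reveals nothing they do not hold.
 */
app.get('/protected', (req, res) => {
  // 1. Extract token
  const token = extractToken(req);

  // Return 401 Unauthorized response if the token is missing
  if (!token) {
    return res.status(401).json({ error: 'No token provided' });
  }

  try {
    // 2. Verify signature, expiry and algorithm. `algorithms` is mandatory here —
    // see ALLOWED_ALGORITHMS above.
    const decodedToken = jwt.verify(token, secretKey, { algorithms: ALLOWED_ALGORITHMS });

    // 3. Token is valid, proceed with request.
    // We assume the user information can be accessed from `decodedToken`
    // e.g. decodedToken.userId, decodedToken.username, etc.
    // Authorization is decided solely by the signed `role` claim; a payload
    // without it (or a non-object payload) falls through to 403.
    if (decodedToken.role === 'admin') {
      return res.json({ message: 'Protected resource accessed!', user: decodedToken });
    }

    // User is authenticated but not authorized for this resource
    return res.status(403).json({ error: 'Forbidden' });
  } catch (err) {
    // 4. Error handling.
    // TokenExpiredError is the more specific class and must be tested before the
    // general JsonWebTokenError branch, which also covers bad signatures,
    // malformed tokens and not-yet-valid (nbf) tokens.
    if (err instanceof jwt.TokenExpiredError) {
      return res.status(401).json({ error: 'Token expired' });
    }
    if (err instanceof jwt.JsonWebTokenError) {
      return res.status(401).json({ error: 'Invalid token' });
    }
    // Anything else is unexpected: log it server-side, return a generic message
    // so no internal detail reaches the client.
    console.error(err);
    return res.status(500).json({ error: 'Internal server error' });
  }
});

app.listen(3000, () => {
  console.log('Server listening on port 3000');
});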