@joshuaquek
Last active January 11, 2021 02:28
Summary: Authentication for ExpressJS without the need of using PassportJS
Summary: Authentication for ExpressJS without the need of using PassportJS. Slightly modified version of the code mentioned here: https://codeforgeek.com/refresh-token-jwt-nodejs-authentication/
const express = require('express')
const bodyParser = require('body-parser')
const jwt = require('jsonwebtoken')
const tokenCheckerMiddleware = require('./tokenCheckerMiddleware')
const config = require('./config')
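// In-memory refresh-token store, keyed by the refresh token string. It is
// created without a prototype so that inherited property names (for example
// "constructor") can never be mistaken for a stored token. The store lives only
// in this process: it is lost on restart and is not shared between instances.
const tokenList = Object.create(null);
const app = express();
// Every route below is registered on `router`, which the original file never
// declared; create it here and mount it at the application root.
const router = express.Router();
// Parse JSON bodies before the router runs so handlers can read req.body.
app.use(bodyParser.json());
app.use(router);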
// Root route: answers with the plain-text body 'Ok'. No token is required.
router.get('/', function (request, response) {
  response.send('Ok');
});
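/**
 * POST /login - signs an access token and a refresh token for the posted
 * identity and remembers the refresh token in `tokenList`.
 *
 * SECURITY: nothing in this handler checks a password or any other credential.
 * As written, any caller receives valid tokens for whatever email/name it
 * posts. The credential check marked TODO below must be implemented, and must
 * reject the request before any token is signed, before this is deployed.
 *
 * Responses: 200 with { status, token, refreshToken }; 400 when `email` is not
 * a non-empty string or `name` is present but not a string.
 */
router.post('/login', (req, res) => {
  const postData = req.body || {};

  // Only plain strings may become token claims. A JSON body can carry nested
  // objects or arrays, which would otherwise be signed into the token as-is.
  const emailOk = typeof postData.email === 'string' && postData.email !== '';
  const nameOk = postData.name === undefined || typeof postData.name === 'string';
  if (!emailOk || !nameOk) {
    return res.status(400).send('Invalid request');
  }

  const user = {
    email: postData.email,
    name: postData.name,
  };

  // TODO: do the database authentication here, with user name and password
  // combination, and answer 401 without signing anything when it fails.

  const token = jwt.sign(user, config.secret, { expiresIn: config.tokenLife });
  const refreshToken = jwt.sign(user, config.refreshTokenSecret, {
    expiresIn: config.refreshTokenLife,
  });
  const response = {
    status: 'Logged in',
    token,
    refreshToken,
  };

  // Remember the refresh token so POST /token can recognise it later.
  tokenList[refreshToken] = response;
  res.status(200).json(response);
});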
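/**
 * POST /token - exchanges a refresh token issued by /login for a new access
 * token.
 *
 * The refresh token must be a string stored in `tokenList` and must still
 * verify against `config.refreshTokenSecret` (signature and expiry). The new
 * access token's claims are copied from the verified refresh token, never from
 * the request body: the original handler signed whatever `email`/`name` the
 * caller posted, so one valid refresh token could be used to obtain an access
 * token for any identity.
 *
 * Responses: 200 with { token }; 404 'Invalid request' when the refresh token
 * is missing, unknown, expired or fails verification.
 */
router.post('/token', (req, res) => {
  const postData = req.body || {};
  const refreshToken = postData.refreshToken;

  // Own-property lookup only: the `in` operator also matches names inherited
  // from Object.prototype, which are not tokens this server issued.
  const isKnown =
    typeof refreshToken === 'string' &&
    Object.prototype.hasOwnProperty.call(tokenList, refreshToken);
  if (!isKnown) {
    return res.status(404).send('Invalid request');
  }

  let claims;
  try {
    // jwt.sign defaults to HS256, so accept only that algorithm here. verify()
    // also enforces the expiry that was set when the refresh token was signed.
    claims = jwt.verify(refreshToken, config.refreshTokenSecret, {
      algorithms: ['HS256'],
    });
  } catch (err) {
    // A stored token that no longer verifies can never succeed again; drop it.
    delete tokenList[refreshToken];
    return res.status(404).send('Invalid request');
  }

  // Copy only the identity claims. Passing the decoded payload through as-is
  // would carry its own `exp`, which conflicts with the expiresIn option.
  const user = {
    email: claims.email,
    name: claims.name,
  };
  const token = jwt.sign(user, config.secret, { expiresIn: config.tokenLife });

  // update the token in the list
  tokenList[refreshToken].token = token;
  res.status(200).json({ token });
});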
// To protect a route, pass tokenCheckerMiddleware ahead of its handler, as
// done here. The handler runs only after the middleware has called next().
router.get('/secure', tokenCheckerMiddleware, function (request, response) {
  // Handlers for secured routes follow this pattern.
  response.send('I am secured...');
});
// Listen on the port named by the PORT environment variable, or 3000 when it
// is unset or empty.
const listenPort = process.env.PORT || 3000;
app.listen(listenPort);
{
"secret": "some-secret-stuff-goes-here",
"refreshTokenSecret": "some-secret-refresh-token-stuff",
"tokenLife": 900,
"refreshTokenLife": 86400
}
const jwt = require('jsonwebtoken')
const config = require('./config')
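/**
 * Express middleware that lets a request continue only when it carries an
 * access token that verifies against `config.secret`.
 *
 * The token is read from, in order: `req.body.token`, `req.query.token`, and
 * the `x-access-token` header. On success the decoded payload is stored on
 * `req.decoded` and `next()` is called.
 *
 * Responses: 403 when no token is supplied; 401 when verification fails
 * (bad signature, expired, malformed).
 *
 * NOTE(review): tokens sent in the query string are recorded in access logs,
 * browser history and Referer headers. Prefer the header; the query and body
 * sources are kept here only so existing clients continue to work.
 */
module.exports = (req, res, next) => {
  // req.body is undefined when no body parser ran for this request, so guard
  // the property read instead of letting it throw.
  const token =
    (req.body && req.body.token) ||
    req.query.token ||
    req.headers['x-access-token'];

  if (!token) {
    return res.status(403).send({
      error: true,
      message: 'No token provided.',
    });
  }

  // Verifies the signature and checks exp. The accepted algorithm is pinned to
  // HS256, the default that jwt.sign uses when no algorithm option is given.
  jwt.verify(token, config.secret, { algorithms: ['HS256'] }, (err, decoded) => {
    if (err) {
      return res.status(401).json({ error: true, message: 'Unauthorized access.' });
    }
    req.decoded = decoded;
    next();
  });
};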