What are JWT tokens?
JSON Web Token, or JWT tokens is a JSON object used to transmit information between parties. The tokens are secured so the information is hard to access which makes them ideal for authentication. JWT tokens can be a greta authentication resource for programming frameworks that do not have their own built-in authentication methods. I’m currently working on a React Native project using an Express API to handle data. For authentication I’m using JWT tokens to send the data submitted by the user to the API to see if the data matches. This will either authenticate an already existing user or create a new user account if one doesn’t already exist.
Think of a JWT token like a driver’s license. It’s a small package of information that is used to prove that you are who you say you are. While that information might be easy to see, it is extremely difficult to change. JWT tokens secure the information in a way that it cannot be tampered with by malicious users.
When used in authentication, when a user inputs their information a JWT token is returned. That token can be used to access a route or resource that requires a user to be logged in. Typically using the Authorization header and the Bearer schema it usually looks like this:
Authorization: Bearer <token goes here>When dealing with protected routes in an application, the server will check for a JWT in the Authorization header to see if it contains the correct data.
In my React Native application, I’m using JWT tokens in conjunction with an Express API with Mongoose and MongoDB. I use JWTs for checking user data with the API in the below example:
const jwt = require('jsonwebtoken');
const mongoose = require('mongoose');
const User = mongoose.model('User');module.exports = (req, res, next) => {
const { authorization } = req.headers;
//authorization === 'Bearer + jwt'if (!authorization) {
return res.status(401).send({ error: 'You must be logged in' });
}const token = authorization.replace('Bearer ', '');
jwt.verify(token, 'MY_SECRET_KEY', async (err, payload) => {
if (err) {
return res.status(401).send({ error: 'You must be logged in' });
}const { userId } = payload;const user = await User.findById(userId);
req.user = user;
next();
});
};
Ok, lots going on here. At the top you can see the require statements for JWTs along with mongoose, and a User module that I had built out. The User module sets up the User object with an email and password. The first If statement is a quick answer saying that if the user didn’t do anything at all, the application will say that the have to be logged in. If the user does try to authenticate. the function will create a token, and try to verify it with the API using the Authorization header. If a user is found using the async/await syntax. A user variable will be created and it will proceed to the next function.
JWT tokens may seem a bit complicated at first, and there are a few steps needed to use them. But they are a great way to send secure information back and forth, for authentication or other reasons. I would highly recommend them.
The above export function dictates what will happen if/when the JWT token is verified by the API.
