Here is a typical piece of code for authentication using JWT:
var express = require('express'); var bodyParser = require('body-parser'); var jwt = require('jsonwebtoken'); var expressJwt = require('express-jwt'); var app = express(); var secret = 'top secrect'; var jwtOptions = {algorithm: 'HS256', expiresInMinutes: 1}; // We are going to protect /api routes with JWT app.use('/api', expressJwt({secret: secret})); //app.use(express.json()); app.use(bodyParser.json()); app.use(bodyParser.urlencoded()); app.use('/', express.static(__dirname + '/')); app.use(function(err, req, res, next) { if (err.constructor.name === 'UnauthorizedError') { console.log(err); res.send(401, 'Unauthorized'); } }); app.post('/authenticate', function(req, res) { //TODO validate req.body.username and req.body.password //if is invalid, return 401 if (!(req.body.username === 'john.doe' && req.body.password === 'foobar')) { res.send(401, 'Wrong user or password'); return; } // user object (session data) handled by express-jwt var user = { session: { counter: 0 }, first_name: 'John', last_name: 'Doe', email: ' john@doe.com ', roles: [100, 200, 300, 400, 500, 600, 700, 800, 900, 1000], id: 123 }; // We are sending the user inside the token var token = jwt.sign(user, secret, jwtOptions); res.json({token: token}); }); app.get('/api/restricted', function(req, res) { console.log('user ' + req.user.email + ' is calling /api/restricted with roles: ' + req.user.roles); var token = ''; if (req.headers && req.headers.authorization) { var parts = req.headers.authorization.split(' '); if (parts.length === 2) { var scheme = parts[0] , credentials = parts[1]; if (/^Bearer$/i.test(scheme)) { token = credentials; } } else { return new UnauthorizedError('credentials_bad_format', {message: 'Format is Authorization: Bearer [token]'}); } } else { return new UnauthorizedError('credentials_required', {message: 'No Authorization header was found'}); } // verify token: send by client in Authorization HTTP header // 'session timeout' handled by express-jwt (exp value) and throws 401 jwt.verify(token, secret, jwtOptions, function(err, decoded) { if (err) return new UnauthorizedError('invalid_token', err); req.user = decoded; console.log(req.user); }); // update sample data in the session ... req.user.session.counter = req.user.session.counter + 10; // ... and create new token ... var newToken = jwt.sign(req.user, secret, jwtOptions); // ... and update in the response HTTP header res.header('Authorization', 'Bearer ' + newToken) res.json(req.user); }); app.listen(8080, function() { console.log('listening on http://localhost:8080'); });
I am wondering why create a handler for '/api/resctricted' ? app.use('/', express.static(__dirname + '/')); not yet protected app.use('/', express.static(__dirname + '/')); ?
UPDATE: I also study the source code of express-jwt, it looks like it uses jsonwebtoken.verify() to check the token in the request, which makes me feel confused why use jsonwebtoken.verify() in the '/ api / limited' handler