AndoniAT/Auth_JWT_NodeJs

Authentication JWT Login in NodeJs

Author : Andoni ALONSO TORT

Implementing authentication and JWT in node js.

Node.js application designed as a foundation for any project requiring authentication and user role management on the server side. This project provides a robust and scalable structure with ready-to-use features.

  • ✅ User authentication via JWT (JSON Web Tokens) for secure sessions.
  • ✅ A role management system to define specific permissions and access.
  • ✅ A RESTful architecture for creating, reading, updating, and deleting users and their roles.
  • ✅ Error handling with clear responses for unauthorized or invalid actions.
  • ✅ Integration with a database for secure storage of user information (password hashing with bcrypt).
  • ✅ A modular and extensible structure to easily integrate new features.

This back-end is designed to work seamlessly with the React front-end project, offering a complete and secure solution for any application requiring authentication and role management.

Start the Node.js project:

npm init

Set up the ESLint config:

npm init @eslint/config

eslint.config.mjs has been generated

See the ESLint page for more information.

Install the ESLint and Error Lens extensions in VS Code to highlight errors in files.

The nodemon package is included for running the dev environment:

npm i --save-dev nodemon

To run it, use:

npm run devStart

Other packages installed:

  • bcrypt : To hash and compare passwords.
  • jsonwebtoken : To generate and verify tokens exchanged between server and client.
  • cookie-parser : Parse Cookie header and populate req.cookies with an object keyed by the cookie names.
  • mongoose : Mongoose is a MongoDB object modeling tool designed to work in an asynchronous environment.
  • mocha : Mocha is a feature-rich JavaScript test framework running on Node.js and in the browser, making asynchronous testing simple and fun. Mocha tests run serially, allowing for flexible and accurate reporting, while mapping uncaught exceptions to the correct test cases.
  • chai : Chai is a BDD / TDD assertion library for node and the browser that can be delightfully paired with any javascript testing framework. See documentation
  • chai-http : Chai HTTP provides an interface for live integration testing via superagent. To do this, you must first construct a request to an application or url.

Upon construction you are provided a chainable api that allows you to specify the http VERB request (get, post, etc) that you wish to invoke.

To generate ACCESS_TOKEN_SECRET (64 random bytes, hex-encoded):

node -e "console.log(require('crypto').randomBytes(64).toString('hex'))"

Copy this string to the ACCESS_TOKEN_SECRET key in your .env. Run it again and put the new value in the REFRESH_TOKEN_SECRET key, so the two secrets are never the same.

== TEST DETAILS ==
To load initial data into the database for development, run:

node src/api/services/tests/users_data_test.js

Execute tests

  • Test Helpers
    • npm run testHelpers

  • Test Services
    • npm run testServices

  • Test Apis
    • npm run testApis

== USER MODEL ==
Attribute Rules & Info
username
  • Type: String
  • Required
  • Unique
  • Without Special Characters
  • Min length: 3
  • Identifier used to log in
email
  • Type: email
  • Required
  • Unique
  • Min length: 10
firstname
  • Type: String
  • Required
  • Min length: 3
lastname
  • Type: String
  • Required
  • Min length: 3
password
  • Type: String
  • Required
  • Min length: 8
  • At least one special character (e.g., @$!%*?&()#^/).
  • At least one uppercase letter.
  • At least one lowercase letter.
  • At least one number.
  • Hashed with bcrypt
createdAt
  • Type: Date
  • Generated by default when creating an object
updatedAt
  • Type: Date
  • Generated by default when creating an object and updated when updating an object
roles
  • Type: [Number]
  • User role by default: [2000]
  • Can only contain User and Admin roles [1000, 2000]
  • Roles can only be assigned by another admin; you cannot create a user with an admin role
refreshToken
  • Type: [String]
  • Default: []
  • A user can hold several refreshTokens for different connections
  • This attribute is stored in cookies and allows the user to refresh their accessToken when it has expired.
== USER ROLES ==
Role Code
Admin 1000
User 2000
== ROUTES ==

/api/auth/

  •   🔵 /login [POST]
    Allows the user to log in to the application. This API returns a valid access token for the user with a 10m lifetime and stores another token (the refresh token) in cookies, to be used once the first token expires. The refresh token is also stored in the database.
  •   🟢 /token [GET]
    Allows the user to get a new access token when the current one has expired. This API uses the token stored in cookies to validate the connected user and returns a new valid token.
  •   🟢 /logout [GET]
    Disconnects the user from the application, clears the cookies and removes the refresh token from the database.

/api/users/

  •   🟢 / [GET]
    Returns all the users in the application. The information is filtered depending on the connected user's role.
  •   🔵 / [POST]
    Creates a new user. This API can only be called when not connected; it allows a user to create an account in the application.
  •   🟢 /:id [GET]
    Gets a user by id. This id can be the _id in the database, or the user's username or email. The information is filtered depending on the connected user's role.
  •   🟡 /:id [PUT]
    Allows the user to modify their own information, or, if they are an admin, another user's information.

    A user can only modify: username, lastname, email and password. An admin can also modify the roles.

  •   🔴 /:id [DELETE]
    Allows the user to delete their own account, or, if they are an admin, another user's account. An admin cannot be deleted if they are the last admin in the application.

Author: Andoni ALONSO TORT
