Authentication & Authorization with Axios in Node.js

Master secure authentication and authorization in Node.js using Axios.

Learn to implement JWT tokens, refresh mechanisms, and role-based access control for building robust web applications.

A futuristic abstract architecture with flowing data streams featuring metallic silver and butterscotch yellow colors intertwining in a dynamic pattern shot from a low angle perspective with dramatic lighting high-quality ultra-realistic cinematic 8K UHD high resolution sharp and detail

In today’s interconnected world, securing our web applications has become more crucial than ever. As developers, we need to ensure our Node.js applications handle authentication and authorization properly. Let’s dive into how we can achieve this using Axios, a popular HTTP client library.

Understanding the Basics

Before we jump into the implementation, let’s clarify the difference between authentication and authorization. Authentication verifies who you are, while authorization determines what you can do. Think of it as entering a building - authentication is showing your ID at the entrance, while authorization is having the right keycard to access specific floors.

Setting Up Axios Interceptors

Interceptors are one of Axios’s most powerful features for handling authentication. They act like middleware, allowing you to modify requests before they’re sent and responses before they’re handled.

const axios = require('axios');

// Create an axios instance
const api = axios.create({
    baseURL: 'https://api.example.com'
});

// Request interceptor
api.interceptors.request.use(
    config => {
        const token = localStorage.getItem('token');
        if (token) {
            config.headers.Authorization = `Bearer ${token}`;
        }
        return config;
    },
    error => {
        return Promise.reject(error);
    }
);

Abstract visualization of interconnected cloud networks floating in space featuring bright neon green and dark green color schemes captured from a bird's eye view perspective high-quality ultra-realistic cinematic 8K UHD high resolution sharp and detail

Handling JWT Authentication

JSON Web Tokens (JWT) have become the standard for modern web authentication. Here’s how to implement JWT authentication with Axios:

async function login(username, password) {
    try {
        const response = await axios.post('/auth/login', {
            username,
            password
        });

        const { token } = response.data;
        localStorage.setItem('token', token);

        return token;
    } catch (error) {
        console.error('Login failed:', error);
        throw error;
    }
}

Implementing Refresh Tokens

To enhance security while maintaining a smooth user experience, we can implement refresh token logic:

api.interceptors.response.use(
    response => response,
    async error => {
        const originalRequest = error.config;

        if (error.response.status === 401 && !originalRequest._retry) {
            originalRequest._retry = true;

            const refreshToken = localStorage.getItem('refreshToken');
            const newToken = await refreshAccessToken(refreshToken);

            axios.defaults.headers.common['Authorization'] = `Bearer ${newToken}`;
            return api(originalRequest);
        }

        return Promise.reject(error);
    }
);

Elegant crystalline structure resembling data flow patterns with amethyst and black colors blending in geometric formations photographed from a dutch angle perspective high-quality ultra-realistic cinematic 8K UHD high resolution sharp and detail

Role-Based Authorization

Implementing role-based access control (RBAC) adds another layer of security:

function checkPermission(requiredRole) {
    return async (req, res, next) => {
        const token = req.headers.authorization?.split(' ')[1];
        if (!token) {
            return res.status(401).json({ message: 'No token provided' });
        }

        try {
            const decoded = jwt.verify(token, process.env.JWT_SECRET);
            if (!decoded.roles.includes(requiredRole)) {
                return res.status(403).json({ message: 'Insufficient permissions' });
            }
            next();
        } catch (error) {
            return res.status(401).json({ message: 'Invalid token' });
        }
    };
}

Best Practices and Security Considerations

Always use HTTPS in production
Implement token expiration
Sanitize user inputs
Use environment variables for sensitive data
Implement rate limiting
Keep your dependencies updated

Remember, security is not a one-time implementation but an ongoing process. Regular security audits and staying updated with the latest security practices are crucial for maintaining a robust authentication system.

Organic flowing patterns representing secure data transmission featuring bright butterscotch yellow and metallic silver colors in an abstract composition captured from a worm's eye view perspective high-quality ultra-realistic cinematic 8K UHD high resolution sharp and detail