Authentication & Authorization in Express.js

Learn how to implement secure authentication and authorization in your Express.js applications using JWT tokens, bcrypt password hashing, and role-based access control with best practices.

Implementing Authentication and Authorization in Express.js: A Complete Guide

A futuristic digital security gateway with glowing blue and emerald circuits floating in space representing cyber security and authentication ultra-realistic cinematic 8K high resolution sharp detail

Authentication and authorization are crucial components of any web application. Today, we’ll explore how to implement these security features in Express.js, making your applications both secure and user-friendly.

Understanding the Basics

Before diving into the implementation, let’s clarify the key concepts:

Authentication verifies who a user is
Authorization determines what they can access
Middleware handles these processes in Express.js

Abstract 3D render of interlocking geometric shapes in iridescent colors representing data protection and security layers flowing patterns high-quality ultra-realistic cinematic 8K UHD

Setting Up Authentication

First, we’ll need some essential packages:

const express = require('express');
const bcrypt = require('bcrypt');
const jwt = require('jsonwebtoken');

User Registration

Let’s implement a basic user registration system:

app.post('/register', async (req, res) => {
  const { username, password } = req.body;
  const hashedPassword = await bcrypt.hash(password, 10);

  // Store user in database
  const user = await User.create({
    username,
    password: hashedPassword
  });

  res.status(201).json({ message: 'User created successfully' });
});

Here’s a secure login implementation:

app.post('/login', async (req, res) => {
  const { username, password } = req.body;
  const user = await User.findOne({ username });

  if (await bcrypt.compare(password, user.password)) {
    const token = jwt.sign(
      { userId: user._id },
      process.env.JWT_SECRET,
      { expiresIn: '24h' }
    );
    res.json({ token });
  }
});

Elegant crystalline structure with red and blue light streams flowing through transparent layers representing data flow and security protocols high-quality ultra-realistic cinematic 8K

Implementing Authorization

Create middleware to protect your routes:

const authMiddleware = (req, res, next) => {
  const token = req.headers.authorization?.split(' ')[1];

  try {
    const decoded = jwt.verify(token, process.env.JWT_SECRET);
    req.user = decoded;
    next();
  } catch (error) {
    res.status(401).json({ message: 'Unauthorized' });
  }
};

Role-Based Access Control

const checkRole = (role) => {
  return async (req, res, next) => {
    const user = await User.findById(req.user.userId);
    if (user.role === role) {
      next();
    } else {
      res.status(403).json({ message: 'Forbidden' });
    }
  };
};

Security Best Practices

Always hash passwords before storage
Use environment variables for sensitive data
Implement rate limiting
Set secure HTTP headers
Regular token rotation
Input validation

Conclusion

Implementing authentication and authorization doesn’t have to be complicated. With Express.js, you can create a robust security system that protects your application and users.

A serene cosmic scene with swirling emerald and blue nebulas representing digital security in harmony featuring geometric patterns high-quality ultra-realistic cinematic 8K UHD high resolution