Node.js JWT，从token获取user_id

Question

strong textI am building node.js + mongodb rest api. I use jwt user auth and I have a problem. I need to get details of authenticated user (user_id, name), think they can be obtained from token, but I dont know how to do this. How is it possible to do?

UPDATED

I am doing a post request

router.route('/articles')

  .post(function (req, res) {

      var article= new Article();      
      article.user_id = ???; // here needs user_id
      article.imdb_id = req.body.imdb_id;
      article.title = req.body.title;
      article.thumb = req.body.thumb;

      article.save(function(err) {
          if (err)
              res.send(err);

          res.json({ message: 'Added' });
      });

  });

I need to insert into articles collection authors id (user_id), but I dont know how to get the authenticated user_id.

Tried to do this:

  var token = req.body.token || req.query.token || req.headers['x-access-token'];

  if (token) {
    jwt.verify(token, app.get('superSecret'), function(err, decoded) {      
      if (err) {
        return res.json({ success: false, message: 'Failed to authenticate token.' });    
      } else {
        req.decoded = decoded;
        console.log(decoded);
        next();
      }
    });

decoded returns all info about user (name, password, _id). Is it possible to get only user_id and name from here?

Answer 1

When you sign a JSON web token you can pass it a user object. Here you can store whatever user data you need. This object is then signed and encoded and set as the token. When you send a request to your API passing the JWT in the auth header your validation function should return this user object back to you if the JWT is valid.

I like to use the Hapi framework for creating my Restful APIs so I will give an example using Hapi.

In your server.js file you need to register the hapi-auth-jwt2 package:

server.register(require('hapi-auth-jwt2'), (err) => {
    if (err) {
        throw err;
    }

    server.auth.strategy('jwt', 'jwt', {
        key: config.jwt.secret,
        validateFunc: auth.validate,
        verifyOptions: { algorithms: ['HS256'] }
    });

    server.auth.default('jwt');
});

Your validation function:

export default {
    validate: (tokenObject, req, callback) => {
        validateToken(tokenObject.user_id, (err, user) => {
            if (err) {
                callback(Boom.unauthorized('User is unauthorized.'), false);
            } else {
                req.user = user;
                callback(null, true);
            }
        });
    }
};

The validateToken function should take the user id that you got from the token and query for the user. If a user is found then you know the token is valid and you can return and store the rest of the user information.

To create a token I use "jsonwebtoken" package:

generateToken: (user_id, name, callback) => {
    'use strict';
    callback(null, JWT.sign({
        user_id: user_id,
        name: name
    }, config.JWT.SECRET, {
        expiresIn: 86400
    }));
}

Answer 2

Let's say you need to verify if the token sent from user In the headers already In your Database or not (we're going to call it protect )

const {promisify} = require('util');
const jwt = require('jsonwebtoken');
const User = require('./../models/userModel');

...

exports.protect = catchAsync(async(req, res, next) => {
// 1) Getting token and check if it's there in headers
let token;

//authorization is the name of the header token
if (req.headers.authorization) {
    token = req.headers.authorization;
}


if (!token) {
    return next(new AppError('You are not logged in! Please Login To get Access.', 401));
}

// 2) Verification Token is a valid token
const decoded = await promisify(jwt.verify)(token, process.env.JWT_SECRET);
// WE CAN GET THE USER ID FROM DECODED




// 3) Check if user still exists not deleted
const currentUser = await User.findById(decoded.id);
if (!currentUser) {
    return next(new AppError('the user does not exist.', 401));
}else{
// WHAT EVER YOU WANT TO DO AFTER CHECKING USER FOUND IN DATABASE

})