stackoom
  简体   繁体   中英

How to correctly use the authentication for nodeJs API using JWT and Passport?

 原文  2017-05-25 09:12:42       node.js/ rest/ authentication/ jwt/ passport.js

Question

I am using JWT-simple for authenticating my express routes.

server side:

var jwt = require('jwt-simple');
var bcrypt = require('bcrypt');
var passport = require('passport');

require('../passport')(passport);

/* Create an Account */
router.post('/signup', function (req, res, next) {
    var verifyCode = Math.random().toString(36).slice(-8);
    var userData =  {
        name: req.body.name,
        email: req.body.email,
        phone: req.body.contact,
        password: req.body.password,
        verify_code: verifyCode,
        status: 0
    };

   loginService.createUser(userData, function (err, data) {
            if (err) {
                res.status(500).json({error: true, data: {message: err.message}});
            } else {
                var token = jwt.encode(data, "secret");
                res.json({success: true, data: {token: 'JWT ' + token}});
            }
        });
});
/* GET the info of an API using the jwt token data */
router.get('/info', passport.authenticate('jwt', {session: false}), function (req, res, next) {
    var token = tokenRetrive.getToken(req.headers);
    if (token) {
        var decoded = jwt.decode(token, configVar.config.secret);
        UserService.getContentUserById(decoded.id, function (err, user) {
            if (err) {
                res.status(500).json({error: true, data: {message: err.message}});
            } else {
                if (!user) {
                    res.send({success: false, msg: 'Authentication failed. User not found.'});
                } else {
                    if (!user) {
                        return res.status(403).send({success: false, msg: 'Authentication failed. User not found.'});
                    } else {
                        res.json({success: true, data: user.toJSON()});
                    }
                }
            }
        });
    } else {
        return res.status(403).send({success: false, msg: 'No token provided.'});
    }
});

client side

var signup = function(user) {
            return $q(function(resolve, reject) {
                $http.post(API_ENDPOINT.url + '/signup', user).then(function(result) {
                    if (result.data.success) {
                        storeUserCredentials(result.data.data.token);
                        resolve(result.data);
                    } else {
                        reject(result.data.msg);
                    }
                });
            });
        };

 function storeUserCredentials(token) {
            window.localStorage.setItem(TOKEN_KEY, token);
            var loggedIn_user_Data = jwt_decode(token);
            $http.defaults.headers.common.Authorization = token;
        }

Using REST client (POSTMAN) when I pass the header info to the API I use

API : localhost:8080/info

Key

Authorization
Content-Type

Value

JWT eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJuYW1lIjoiYXR1bCIsImVtYWlsIjoidHJlZUB0cmVlLmNvbSIsInBob25lIjpudWxsLCJwYXNzZHJlc3MiOm51bGwsImNvdW50cnkiOm51bGwsInN0YXRlIjpudWxsLCJwaW5jb2RlIjpudWxsLCJvcmdfaWQiOjAsInJvbGVzIjpudWxsLCJjcmVhdGVfZGF0ZSI6IjIwMTctMDUtMThUMTk6NTE6MDYuMDAwWiIsImxhc3RfbG9naW4iOiIyMDE3LTA1LTE4VDE5OjUxOjA2LjAwMFoiLCJhdmF0YXJfdXJsIjpudWxsfQ.umxBRd2sazaADSDOW0e8rO5mKDpQYIK1hsaQMZriZFE

application/json

The above API gives me the data only if the correct token is passed and seems working fine.

However in client side I can get the token retrieve using jwt-decode, without the use of any secret in client side, what if the token is caught by middle man, How can the security be enhanced?
Is there something I am missing to have correct use of JWT for my node api routes?

Some places I see the Authorisation is passed as bearer eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJuYW1lIjoiYXR1bCIsImVtYWlsIjoidHJlZUB0cmVlLmNvbSIsInBob25lIjpudWxsLCJwYXNzd29yZCI6IiQyYSQxMCRIQVJPTy5PUEdYWFBvVktXOVhmYnZldk When I try to use bearer I get error to get the info after authenticating. What is this bearer and JWT being passed in value to header?

I am using passport-jwt var JwtStrategy = require('passport-jwt').Strategy;

1 answers

solution1
 2 ACCPTED  2017-05-25 16:43:29

To use JWT tokens, you have to use SSL (https). Without it, you won't have protection at all.

JWT tokens are signed (check the site ). So if someone (middle man) try to change it, it will be invalidated.

JWT and Bearer are basic the same thing. They are just the auth scheme for the authorization header.

The 'JWT' auth scheme is the default of the passport-jwt . If you want to change it, you can use a different jwtFromRequest value.

See:

new Strategy({ ... jwtFromRequest: ExtractJwt.fromAuthHeaderWithScheme('Bearer') ... }, verifyFunction)

Hope its clear.

暂无
暂无

The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.

Related Question passport authentication not working in nodejs using JWT How to use passport with jwt Authentication using Jwt and nodejs authentication using JWT in NodeJS How to update cookie containing jwt using passport authentication How to implement partial JWT authentication on same API endpoint in NodeJS? How to use authenticate web sockets using node, ws and passport with JWT? NodeJs JWT Passport How to send/extract JWT token in nodejs with passport-jwt? Node.js - JWT, API: How To Implement Multiple Passport.js Authentication Middleware?
Related Tags
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM