Introduction

In the world of web development, securing user data is paramount. This is where authentication systems come into play, ensuring that only authorized users can access protected resources. One popular and efficient method for authentication is using JSON Web Tokens (JWT).

In this blog series, we'll delve into the process of building a custom authentication system using JWT, covering everything from the fundamental concepts to practical implementation.

Understanding JWT

What is a JWT?

A JWT (JSON Web Token) is a compact and self-contained way to securely transmit information between parties as a JSON object. It consists of three parts separated by dots (.), encoded using base64:

• **Header:** Contains information like the token type (JWT) and the signing algorithm used.
• **Payload:** Holds the actual data, including user claims like username, email, and role.
• **Signature:** Used to verify the authenticity and integrity of the token.

Benefits of using JWT

• Statelessness: Servers don't need to store session information, making it ideal for scalability.
• Decentralized: Tokens can be verified by any party with the secret key.
• Secure: The signature ensures token integrity and prevents tampering.
• Easy to use: JWTs are simple to implement and understand.

Building the Authentication System

1. Setting up the Environment

Let's start by creating a basic Node.js project:

            mkdir my-jwt-auth
            cd my-jwt-auth
            npm init -y
            npm install express jsonwebtoken
            

2. Generating JWT Tokens

We'll use the jsonwebtoken library to create JWT tokens:

            const express = require('express');
            const jwt = require('jsonwebtoken');

            const app = express();

            const secretKey = 'your_secret_key'; // Replace with a strong secret

            app.post('/login', (req, res) => {
                const { username, password } = req.body; 

                // Validate credentials (replace with your actual logic)
                if (username === 'user' && password === 'password') {
                    const payload = {
                        username: username,
                        role: 'user'
                    };

                    const token = jwt.sign(payload, secretKey); 

                    res.json({ token: token });
                } else {
                    res.status(401).json({ message: 'Invalid credentials' });
                }
            });

            app.listen(3000, () => {
                console.log('Server listening on port 3000');
            });
            

3. Verifying JWT Tokens

To protect routes, we'll use middleware to verify incoming JWTs:

            const express = require('express');
            const jwt = require('jsonwebtoken');

            const app = express();

            const secretKey = 'your_secret_key'; 

            function authenticateToken(req, res, next) {
                const authHeader = req.headers['authorization'];
                const token = authHeader && authHeader.split(' ')[1];

                if (token == null) {
                    return res.status(401).json({ message: 'Unauthorized' });
                }

                jwt.verify(token, secretKey, (err, user) => {
                    if (err) {
                        return res.status(403).json({ message: 'Invalid token' });
                    }

                    req.user = user;
                    next();
                });
            }

            app.post('/login', ...); // Login route from previous example

            app.get('/protected', authenticateToken, (req, res) => {
                res.json({ message: 'Welcome to the protected route!', user: req.user });
            });

            app.listen(3000, () => {
                console.log('Server listening on port 3000');
            });
            

Conclusion

This blog series provides a foundation for building a secure and robust custom authentication system with JWT. We covered the basics of JWT, the steps involved in creating tokens, and how to verify them for protected routes. In the next blog post, we'll dive into more advanced topics like handling refresh tokens, implementing role-based access control, and securing your JWT secret key.