Exercise 20: Adding User Authentication

Now that we have secured all our todo routes, we need a way to issue tokens to valid users to access the API. We will have the users send their email and password to a route (/auth), and our API will issue back an authentication token which will be used for each request:

  1. In the /routes folder, create a file auth.js.
  2. We will now need two more packages for this: jsonwebtoken for signing the authentication token, and md5 for comparing the password since, if you recall, we used MySQL's md5 function to store the user's password:
npm install jsonwebtoken md5 --save
  3. In the auth.js file, have the following code:
const jwt = require('jsonwebtoken'); // signs the authentication token
const Joi = require('joi');          // validates the email/password payload
const md5 = require('md5');          // hashes the submitted password for comparison with the stored MD5
const Knex = require('../db');       // the Knex instance used to look up the user

module.exports =
{
  method: 'POST',
  path: '/auth',
  ...
};

You can find the complete code for the auth.js file at Code/Lesson-3/exercise-b/routes.
  4. Now, let's register our auth.js route with the server. In server.js, after routes.todo = ..., add the following code:
routes.auth = require('./routes/auth');
  5. After the line initializing the server, we can add the route registration:
server.route(routes.auth);
  6. Now, let's try out our route, POST: /auth:
    1. First, with an incorrect email/password combination:

    2. Then, with the correct password; remember Exercise 14: Creating a Record, step 2, where we created the test user with the password:
  7. Now, we can copy the generated token and use it for our subsequent requests, for example, GET: /todo, by adding an Authorization header. Remember, we start with the word Bearer, then a space, then paste the token; that's the JWT convention:
  8. We can now access the route without getting the unauthorized responses, like in step 6 of the 20th exercise:
  9. Now, let's go back to the places in our ./routes/todo.js file where we were hardcoding the users, and get them from the authentication object instead, that is:
const userId = request.auth.credentials.id;
Recall in the preceding step 3, when we were signing our token, we provided the user details, that is, name, email, and id. This is where we get the .id in request.auth.credentials.id:
jwt.sign(
  {
    name: user.name,
    email: user.email,
    id: user.id,
  },
  ...
);
  10. Now, let's go back to our phpMyAdmin web interface and create another user, just like we did in Exercise 14: Creating a Record, step 2, and paste the following SQL in the SQL text area (note that MySQL identifiers are quoted with backticks, not single quotes):
INSERT INTO `user` (`id`, `name`, `email`, `password`)
VALUES (NULL, 'Another User', '[email protected]', MD5('12345'));
  11. Now, let's do another POST: /auth request with the new user and obtain the token:
  12. Let's use this new token to create another todo list by doing a POST: /todo request:
    1. In Insomnia, go to the Header section, delete the previous Authorization header and replace it with the new one:
    2. Now, let's make our request:
    3. Let's see the new list of todos by doing GET: /todo:
    4. As you can see, the newly created user can only see what they have created. We have done a good job so far as far as authentication is concerned. However, let's try and check the items for todo ID 1, which belonged to the first user:

Oops! We can see someone else's todo list items; this is a security flaw: the token proves who the caller is, but nothing yet checks whether that caller owns the todo they ask for. This leads us to the final part of this topic: authorization.
