Tag Archives: express

Authenticate web service urls part 2

ref – https://scotch.io/tutorials/authenticate-a-node-js-api-with-json-web-tokens

In part 1, we set up a simple project where we let a client create a user through a public URL /setup, then display all the users via /api/users.

Next, let’s make sure that we can authenticate a user and then protect those routes using Express route middleware and requiring a token.

Authenticating and Creating a Token

Once the authentication route is in place, we send it a POST from Postman carrying the user's name and password, like so:

[Screenshot: Postman POST to the authentication route (POST_authen_create_user)]

Why form-urlencoded vs form-data?

To summarize: application/x-www-form-urlencoded has a low fixed cost but a high variable cost for special characters (each one is percent-encoded into three bytes), so it is good for short messages like those found in most basic web forms. multipart/form-data has a high fixed cost because of the extra MIME headers prepended to each part, but a low variable cost for special characters (the bytes are sent as-is), so it is good for long messages such as images or large files. For a name and password, form-urlencoded is the natural choice.

Now, copy that whole token string somewhere to be used later.

Protecting URLS

Now let's protect /api and /api/users by forcing clients to present the token whenever they access these URLs.

So for the apiRoutes router we get from express.Router(), we attach a middleware function with .use(); it runs before any route the router defines.

That middleware reads the request's x-access-token header and checks that it holds a valid token, i.e. the one we received from the authenticate step, signed with our secret. If the token is valid we call next() and the request falls through to the apiRoutes.get('/users', function(req, res) {...}) handler, which fetches the users from the database and returns them as a JSON response. If it is missing or invalid we stop there and respond with an error instead.

For example, if you hit http://localhost:8080/api/ or http://localhost:8080/api/users without the header, this middleware runs first, sees that x-access-token is not set, and returns an error JSON message.

When the token is valid, you'll see the JSON data returned. In Postman it looks like this:

[Screenshot: Postman GET /api/users with the x-access-token header set (x-access-token_get_user)]

Authenticate web service urls part 1

ref – https://scotch.io/tutorials/authenticate-a-node-js-api-with-json-web-tokens

We’ll build a quick API using Node and Express and we’ll be using POSTman to test it.

Create an application directory, then in your mac terminal:

$ npm install express body-parser morgan mongoose jsonwebtoken --save

  • express is the popular Node framework
  • mongoose is how we interact with our MongoDB database
  • morgan will log requests to the console so we can see what is happening
  • body-parser will let us get parameters from our POST requests
  • jsonwebtoken is how we create and verify our JSON Web Tokens

The --save flag also records these packages in our package.json file.

After all the packages have been downloaded, you will see a node_modules folder. The packages are installed inside there.

User Model (/models/user.js)

In your project directory, create a models folder, and inside it create the file user.js.

The user model we define there will be used when creating and getting users; it is a Mongoose model, defined in models/user.js.

Now let’s create a configuration file to store configuration settings for our application.

config.js (/config.js)

Basically, the database is hosted on our local machine.

  • secret: used when we create and verify JSON Web Tokens
  • database: the URI with username and password to your MongoDB installation

Because config.js holds both the token secret and the database credentials, keep it out of version control and use a long random value for secret; anyone who learns it can mint tokens for any user.

Note: You should be running gulp in your working environment so that the server restarts automatically when you make changes. In your gulpfile.js, make sure the gulp.task for the script points at "server.js".

server.js

Set up all the package variables and db connections

Then we have our app use body-parser for POST bodies, morgan for writing logs to the console, and we register the secret from config.js with the app so the token code can use it to sign and verify tokens.

public URL for home

Let’s create public URL for the home page and then start the server

Open up a browser and go to

http://localhost:8080/

You’d get the json response:

{"message":"(GET http://localhost:8080/)"}

If you look at your mac terminal, you’ll also see morgan’s log outputs.

Finally, we put a url where the server creates and inserts a new user along with a password into the database.

Public URL to create a user

Open up a browser and put in

http://localhost:8080/setup

You will get the json data back:

{“success”:true}

This means that you have successfully inserted the user rtsao with password compaq. Note that this route is public and creates an admin account, so it is a development convenience only; remove it before exposing the server to anyone else.

Showing Users through public URL

Put the following code above our routes:

What this means is that the apiRoutes router is mounted at /api, so every URL it handles starts with /api.

Whatever path we specify for a route, it is matched as /api/path, paired with GET, POST, etc.

Hence the apiRoutes.get('/users', ...) definition means that for GET http://localhost:8080/api/users we return all the users from the database.

So now when we hit:

http://localhost:8080/api/users

we get:

[{"_id":"55973f3702e8b0094967b544","name":"rtsao","password":"compaq","admin":true,"__v":0},{"_id":"55977f4b06112d75860f9af6","name":"rtsao6680","password":"abcde12345","admin":true,"__v":0}]

Notice that the passwords are stored and returned in cleartext. That is acceptable for following along with the tutorial, but real code must store only a salted password hash and must never include the password field, hashed or not, in an API response.

Full Code

/config.js

/server.js

/models/user.js