JSON Web Tokens (JWT) are a secure and efficient way to pass information between parties as a JSON object. This information can be verified and trusted because it is digitally signed. JWTs can be signed using a secret (with the HMAC algorithm) or a public/private key pair using RSA or ECDSA.
When you are developing a web application with NodeJS, it may be necessary to store a JWT in a cookie. This can be useful for keeping a user authenticated between sessions. Here's an overview of how you can do this.
Installing the Required Dependencies
Before you start working with JWTs, you need to install some dependencies. You will need the 'jsonwebtoken' package to create and verify JWTs. You will also need the 'cookie-parser' package to work with cookies. You can install these dependencies using npm (Node Package Manager):
npm install jsonwebtoken cookie-parser
Creating a JWT
After installing the necessary dependencies, you can create a JWT. Here is an example of how you can do this:
const jwt = require('jsonwebtoken');

// 'user' is assumed to be the authenticated user record loaded earlier (for example from your database).
let payload = { id: user.id, email: user.email };
// Placeholder value: load the real secret from configuration and never commit it to source control.
let secret = 'your-secret-key';
// Sign with HS256 (the default for a string secret) and give the token a bounded lifetime.
let token = jwt.sign(payload, secret, { expiresIn: '1h' });
In this example, the payload is an object that contains information about the user. The secret is a string that is used to sign the token. The 'sign' method returns the signed JWT as a string.
Storing a JWT in a Cookie
Once you create a JWT, you can store it in a cookie. Here is an example of how you can do this:
const express = require('express');
const cookieParser = require('cookie-parser');

const app = express();
app.use(cookieParser());

app.get('/login', (req, res) => {
  // 'token' is the JWT created in the previous step.
  // httpOnly keeps the cookie away from client-side scripts; secure only sends it over HTTPS
  // (so it is not set on a plain-http dev server); sameSite limits cross-site sending.
  res.cookie('token', token, { httpOnly: true, secure: true, sameSite: 'strict' });
  res.json({ token });
});
In this example, the 'cookie' method is used to create a new cookie. The first argument is the cookie name, the second argument is the cookie value (the JWT), and the third argument is an options object. The 'httpOnly' option is set to true to prevent the cookie from being accessed through client-side scripts.
Verifying a JWT
Once you store a JWT in a cookie, you can verify the JWT. Here is an example of how you can do this:
app.get('/profile', (req, res) => {
  let token = req.cookies.token;
  if (!token) {
    return res.status(401).json({ message: 'Unauthorized' });
  }
  // Pin the accepted algorithm so the token's own 'alg' header cannot select a different one.
  jwt.verify(token, secret, { algorithms: ['HS256'] }, (err, decoded) => {
    if (err) {
      // Covers a bad signature as well as an expired token.
      return res.status(401).json({ message: 'Unauthorized' });
    }
    res.json({ user: decoded });
  });
});
In this example, the JWT is read from the cookie. If no token is present, the response is a 401 'Unauthorized' message. If a token is present, it is checked with the 'verify' method, which fails for a tampered signature or an expired token. If the check succeeds, the response is the decoded payload.
Conclusion
Working with JSON Web Tokens in NodeJS may seem daunting at first, but once you understand the basics, you'll find it to be a powerful and flexible way to handle authentication and authorization. Remember that it is important to protect your secret and to configure your cookie options correctly to ensure the security of your application.
I hope this tutorial was helpful for you to understand how to work with JWTs in NodeJS and how to store them in cookies. If you follow the steps described in this tutorial, you will be able to successfully create, store and verify JWTs in your NodeJS application.