Node.js passport-jwt how to send token in a cookie?

1) Once the user is authenticated, how can I set the token in a cookie so that the user does not have to send the username and password with each request?

2) What is the ideal way of sending token to the client side?

    // Assumed module wiring (not shown in the question): the express router, jsonwebtoken,
    // passport, the app config holding the signing secret and the User model. A body
    // parser (app.use(express.json())) must run before this router so req.body is populated.
    var express = require('express');
    var jwt = require('jsonwebtoken');
    var passport = require('passport');
    var config = require('./config');       // assumed path; must export `secret`
    var User = require('./models/user');    // assumed path; must expose comparePassword()
    var apiRoutes = express.Router();

    apiRoutes.post('/authenticate', function (req, res) {
        User.findOne({
            email: req.body.email
        }, function (err, user) {
            if (err) throw err;

            if (!user) {
                res.send({ success: false, message: 'Authentication failed. User not found.' });
            } else {
                // Check if password matches
                user.comparePassword(req.body.password, function (err, isMatch) {
                    if (isMatch && !err) {
                        // Create token if the password matched and no error was thrown
                        var claims = {
                            sub: user._id,
                            email: user.email,
                            iss: 'https://NodeLogin.com',
                            permissions: user.role
                        };

                        var token = jwt.sign(claims, config.secret, {
                            expiresIn: 60 // in seconds
                        });
                        // The 'JWT ' prefix is the scheme the client would put in the Authorization header
                        res.json({ success: true, token: 'JWT ' + token });
                    } else {
                        res.send({ success: false, message: 'Authentication failed. Passwords did not match.' });
                    }
                });
            }
        });
    });

    // Protected route: passport-jwt verifies the token on every request, no server session
    apiRoutes.get('/dashboard',
        passport.authenticate('jwt', { session: false }), function (req, res) {
        res.send('Worked ' + req.user._id + '.');
    });
Vaibhav Ramteke asked Aug 26 '16 09:08



1 Answer

You should follow this code:

user.comparePassword(req.body.password, function (err, isMatch) {
  if (isMatch && !err) {
    // Create token if the password matched and no error was thrown
    var claims = {
      sub: user._id,
      email: user.email,
      iss: 'https://NodeLogin.com',
      permissions: user.role
    };

    var token = jwt.sign(claims, config.secret, {
      expiresIn: 60 // in seconds
    });

    // add cookie here; cookie attributes (httpOnly, secure, sameSite, maxAge)
    // go in an optional third argument: res.cookie('jwt', token, { httpOnly: true, ... })
    res.cookie('jwt', token);
    res.json({ success: true, token: 'JWT ' + token });
  } else {
    res.send({ success: false, message: 'Authentication failed. Passwords did not match.' });
  }
});

and passport config:

// Assumed requires (not shown in the answer): the passport-jwt strategy class,
// the app config holding the signing secret, and the User model.
var JwtStrategy = require('passport-jwt').Strategy;
var config = require('./config');      // assumed path; must export `secret`
var User = require('./models/user');   // assumed path

// Read the token from the 'jwt' cookie. req.cookies is only populated when the
// cookie-parser middleware (app.use(require('cookie-parser')())) runs before passport.
var cookieExtractor = function(req) {
  var token = null;
  if (req && req.cookies) token = req.cookies['jwt'];
  return token;
};

module.exports = function(passport) {
  var opts = {};
  opts.jwtFromRequest = cookieExtractor; // check token in cookie instead of the Authorization header
  opts.secretOrKey = config.secret;
  passport.use(new JwtStrategy(opts, function(jwt_payload, done) {
    // The login code issues the user id in the `sub` claim, so look the user up by that;
    // the original `{id: jwt_payload.id}` matched nothing because no `id` claim is issued.
    User.findOne({ _id: jwt_payload.sub }, function(err, user) {
      if (err) {
        return done(err, false);
      }
      if (user) {
        done(null, user);
      } else {
        done(null, false);
      }
    });
  }));
};

It's working for me :)

Chris Nguyen answered Sep 17 '22 15:09