API Design in Node.js, v3 JSON Web Token Module
This course has been updated! We now recommend you take the API Design in Node.js, v4 course.
Transcript from the "JSON Web Token Module" Lesson
>> Scott Moss: So before we get into the exercise, what I'm gonna do is i'm going to check out to lesson five.
>> Scott Moss: And then what you'll see in here is, if you go down to utils > auth, some stuff in here. I just wanna walk through what's in here, that's already here that you already have and what it's doing.
[00:00:32] That way you'll have more context when you actually go complete the exercise. So if you go to auth.js, you'll see two functions in here that are already filled out. There is a function called newToken and a function called verifyToken. These are the two things that I was talking about.
[00:00:45] So newToken, given a user objects from the database, a user document, will create a new JSON Web Token based on that user's ID. That's basically what it does. So given a user object, it'll return back adjacent web token based on that user ID, signed with the correct secrets and expiration time.
[00:01:05] That's already done for you. And then verifyToken does the opposite. Given a token, it'll verify that that token was created with the same secret from the same server, and then it will return the payload, which in this case will be a user. So it'll do the opposite of newToken, they're the opposites of each other.
[00:01:21] Those are already done for you. And you might be thinking about, well, damn, what are we gonna do if that's already done? Well, [LAUGH] that part is done, but you still have to add to Express, and that's the part that you're gonna be doing. They're pretty simple, I'm just using a JSON Web Token package from NPM there's tons of them.
[00:01:36] This one is probably the most popular one, and it just has a sign method that allows me to sign an object with a secret, and I can add an optional expires time when this token is expired. And then the verifyToken does the opposite. Given a token with the same secret that it should have been signed with, I either get a error or the payload that was used to create that token.
[00:01:56] And that's it, it's a in-out operation. User goes in, token comes out, token goes in, user comes out. That's what these two functions are doing.