This course has been updated! We now recommend you take the API Design in Node.js, v4 course.

Check out a free preview of the full API Design in Node.js (using Express & Mongo) course:
The "Using JWT" Lesson is part of the full, API Design in Node.js (using Express & Mongo) course featured in this preview video. Here's what you'd learn in this lesson:

Scott shares a brief code snippet demonstrating how to work with JWT. A token is generated by hashing some identifying user data with a secret key. During subsequent requests the server will use the same secret to verify the request’s token is valid.

Get Unlimited Access Now

Transcript from the "Using JWT" Lesson

>> [MUSIC]

>> Speaker 1: So here's a basic example of some arbitrary code. This is not the actual code that you'll be doing. It's just how it may look like in JavaScript. Say we have this user object. Let me bump the font up. There we go. Say we have this user. Whoa, where'd it go?

[00:00:21] There we go. Say we have these user objects, and all it has is an ID, underscore ID. So it's like we have a Mongo. It's got an underscore ID, that's it, nothing else on it. What we can do is, let's say we have some library called JWT, and it has a sign method on it.

[00:00:33] What we can do is we can pass it the object, and then we can pass it a secret. In this case, the secret is just a string that I made. Shhhh, it's a secret. All right, and what that's going to do is spit out a token. It's like, cool, here you go.

[00:00:46] Here's a token. It's just a hash, using, I think it's a SHA-256, what is it? Yeah, using a SHA-256, it's just gonna spit back that token, which is some long, crazy string, right? So, the bigger the payload, the bigger the string. So, if there was more than just an ID on here, let's say I wanted to sign the entire user document.

[00:01:09] Let's say this was Facebook and we grabbed the entire user object and we signed it. That string would be a couple kilobytes and then you're passing that across the wire all the time, so you probably don't wanna do that, all right? So, you wanna just sign as little as you need.

[00:01:25] You don't need to sign the entire user. But just enough, I would say enough to identify who the request is coming from, which ID is perfect for that. If you have an ID, you can identify anybody. So that's why I put the ID. So that's gonna spit out a token.

>> Speaker 1: And then later on in the future, when that user who he gave the token to, was like okay now can I update my profile now? Here's the update, I wanna update my profile, and by the way, here's my token. So what that user would do is that client, they have their token.

[00:01:57] They take it from local storage. They attach it to header. It's usually on authorization head, the field. And then the server will put the secret back in there with the token that this the client gave them. And it'll spit back out the user object, all right? It'll do the inverse

>> Speaker 1: So now we'll get that user object, which is just an object with that ID property on it. Then we'll look in the database for a user with that ID and we'll be like, okay, so yep, the token this verified worked, because if this was a regular string, not a real JSON Web Token, this would break.

[00:02:33] It would throw an error like, this is not even a JSON Web Token, or the secret was wrong, or it just didn't decode properly. Something's wrong. But if it passed and it went through here now what we want to do is let's make sure that this is an actual user.

[00:02:45] Right,cuz then again, we have those edge cases, right? What if the user signed up a month ago and our tokens don't expire for two months. And then during that month and during that time between that month and this request here, we deleted the user or something like that.

[00:03:01] So now if we don't do this check, we're assuming that they're in the database, but they might not be in the database. So it's good to do this check to say, let's make sure this is actually a real user. Or some person could have just got a JSON Web Token from this website and was like, yeah I'm just gonna make a JSON Web Token and I'm gonna send it to your server.

[00:03:20] And that would pass this check, cuz it's a valid JSON Web Token, but it wouldn't have a valid user ID on it that's in our database. All right, so it's another check.
>> Speaker 1: Is everybody following me there? So, if I just pass in a JSON Web Token, the server knows the secret, this should work, but that doesn't mean it's a valid user.

[00:03:47] Yep, Mark?
>> Speaker 2: They're asking, what do you mean by the token is probably on the off-header. Can you clarify probably?
>> Speaker 1: Yeah, I will clarify. So usually what JSON Web Token, let me go look at the spec for it. It's expecting the token to be on the authorization header.

[00:04:08] So usually when you send it from the client, whether that client is a iOS app, a web app, a TV, a smart watch. Right, if you're going to do HTTP request, it's assuming that the token string is gonna be on the authorization header property. You can also, I'm not sure if this is part of the spec or not, but it might be, you can also put it on the query string with the name of access_token.

[00:04:33] And that can also be the token as well. But usually it's looking for the authorization header. Yes.
>> Speaker 3: So when you do verifying could user end up being undefined or will it always have some value if it's a valid token or if it's a JSON Web Token?
>> Speaker 1: Well now, so this has to be a valid web token, right?

[00:04:56] And it has to have been signed with the same secret, right? So let's say somehow some person got hold of your secret. So they knew what your secret was. So they went on this website with your secret, they typed it in down here, all right?
>> Speaker 2: Yeah.
>> Speaker 1: It's like, cool.

[00:05:13] I'm going to make a new secret here.
>> Speaker 1: How do you make a new secret here? Hey. And then I'm just gonna grab this token and go to your database, do a request. What's gonna happen now is, this will work. So, it's like, cool, that's a valid JSON Web Token.

[00:05:32] And it decoded properly because it was signed with the same secret. So it came back. It was great. If it was signed with a different secret, it wouldn't work. Right, but it was signed with the same secret, so it is the same, so then it'll spit back that object, which in this case, is this object right here.

[00:05:49] For this object, first of all it doesn't have an ID property on it, but let's say it did. Lets put a ID property on it.
>> Speaker 1: Now we have an ID. We put a ID property on this thing.
>> Speaker 2: Do you have to put quotes around ID?
>> Speaker 1: Yeah, probably, yep.

>> Speaker 1: All right, single quotes here.
>> Speaker 1: There we go. So, now I put a ID property on it. But that's not a real ID in my database. Right, so that passed all this. Had the same secret, it's a valid token, spit back an object. It even had an underscore ID property on it that I can check here.

[00:06:30] But my database doesn't know what that user is, so it's just like, nope, nevermind. It's like the equivalent of trying to log into a website with a email that isn't registered. All right, it's just like, we just don't have that email. There's no email that exists, so, you can't even sign in.

[00:06:46] That's what you're trying to do here. It's like you're trying to sign in with an ID that doesn't exist. It's like, you can't. We don't have that ID. Everything else was great except for the ID.
>> Speaker 2: So, in our code we would wrap that JWT verify into tricatch or something?

>> Speaker 1: Yeah-
>> Speaker 2: It wouldn't go down to the find by ID if it failed.
>> Speaker 1: Exactly so you would do a tricatch there. But we are going to use libraries to abstract all that away so we don't have to.
>> Speaker 2: Okay.
>> Speaker 1: Yeah. Yep, Mark.
>> Speaker 2: How do you expire the tokens?

[00:07:13] Do you just include a timestamp in the object you're assigning?
>> Speaker 1: Good question. So tokens can be expired, and that depends on the library you're using. We're gonna get into that, because we're gonna do that in R Code, but depending on what lab we're using, in this case, we'll be using JSON Web Tokens.

[00:07:28] You can just pass in an object that has a property on it that says expires in minutes or expires in seconds, and pass in a number, and that's when it'll expire. So, it's pretty simple just pass in an options thing that tells you.
>> Speaker 2: And then they're wondering if JWT is included in Node, or do you have to-

>> Speaker 1: It is not included in Node. We have to npm install it. It is not a default thing. And there is like tons of JSON Web Token libraries out there. Again, this website right here, if you scroll down. For any language that you possibly might use, it'll tell you the library that you should use and what security issues that library may or may have.

[00:08:08] It'll go into the algorithm specs on that library. If you're into that stuff, it'll tell you all the stuff. So for the one, that we'll be using is JSON Web Tokens. They'll tell you how to install it too. It's like, okay, this is how you install it as well.

[00:08:21] This is a really good resource for JSON Web Tokens. They've got like every single library you can think of down here.