Node Auth Tutorial (JWT) #10 - JSON Web Tokens (theory)

Net Ninja · Beginner ·🔧 Backend Engineering ·5y ago

Key Takeaways

Explains the theory of JSON Web Tokens for user authentication in Node.js applications

Full Transcript

so imagine that we want to log into our application from the browser well first of all the user logs in via a web form from our website which sends a request to the server with their credentials an email and a password the server then checks those credentials the email and password against those stored in a database for that user now if they are correct the server then creates a json web token for the user and it sends it to the browser where it can be stored in a cookie the json web token contains encoded data about that user to identify them so for as long as they have this token in the cookie then they are considered logged in and authenticated so now the user has this json web token stored in a cookie in their browser now remember cookies are sent to the server by the browser for every request they make eg for new pages on the website so when the server gets that token from the cookie in the request it can verify it and decode it to identify the user now if it is verified to be a valid token the user can be seen as logged in by the server and the server can then decide to show the user protected data or pages which require the user to be authenticated if the token is missing or not valid the use is not authenticated and the server can send back some kind of error or direct them to the login page or something now this process is a little bit more complex under the hood but we're going to look at each stage in detail as we create the authentication process and like i mentioned in the last video there is a pitfall to watch out for when using jwt's inside cookies for authentication it does potentially open up your site to cross-site request forgery attacks now that basically means that a malicious site can take a user's authentication cookie and then make requests to our server posing as that user now if our server exposes state changing end points then this is a security risk because it means that the malicious site can then manipulate your user data and potentially access more of it now in our case we won't be exposing any state changing endpoints that require authentication so there is minimal risk for us but for larger more complex websites with state changing end points you will want to negate that security risk as best as possible so i'll leave a link below with more information about that which i highly suggest that you read for now let's talk a little bit more about how these json web tokens are created and verified okay then so i'm on the jwt website which is jwt dot io and this is a really nice place to see how tokens are made as well as for debugging tokens as well so if we scroll down here right here we can see a json web token which is basically an encoded long string of characters made up of three parts you see we've got three different colours right the red the purple and the blue and they correspond to these three different parts which are the decoded versions of those three strings so the first one the red part that is the token header which is a bit like metadata for the token now the second part is the payload and that is data that is encoded into the jwt now this could be a user id to identify the user so that when it's decoded on the server we know which user is going to be logged in now it's important that no sensitive data is put inside this payload in case a token is intercepted by somebody because it can be decoded by anyone that knows how now the last part is the thing that kind of ties everything together and we're going to talk about this a little bit more in a minute that is a signature and that is used to verify the token on the server now notice this if i change something over here for example in the payload then all of this changes on the left as well so changing the data embedded inside of this changes the resulting encoded token so this token this is the thing that is created on a server and then sent to the browser and potentially stored in a cookie so now what i'd like to do is explain how this kind of works under the hood and explain what this signature is for right here okay then so we know the three different parts that jwt is made up from the headers the payload and the signature but why do we need all of those three parts and how do they all work together to authenticate and verify users well first of all the headers are needed because they tell the server what type of signature is being used it contains metadata about the token the payload is needed because when it's decoded it's going to help us identify the user on the server and it will contain something like the user id now the signature is the thing that ties everything together and it makes the jwt secure and it makes sure that tokens are not tampered with on the client it's a bit like a stamp of authenticity from the server now the way they all work together is like this when our server is creating the jwt after a user successfully logs in or signs up then it creates the header part and the payload part first and encodes them both then to sign the token or to add the signature it takes both of those two parts and it hashes them together with something called a secret which is a secure secret string stored on the server now this secret must remain a secret because it's the key to unlocking the jwt and the only way to verify a token so you would never publish the secret to any kind of public repository where anyone could see it so when those three things are hashed together it creates the token signature now the token signature is then added to the end of the jwt after the other two parts and it can be sent to the browser so the actual hashed resulting token would look something like this so our jwt is then added into a cookie and sent and stored in a browser so for any subsequent request to the server the token is then received by the server inside that cookie the server can then verify this token on every request by looking at the header and the payload and hashing them with the secret which remember is stored on the server if the hashed value of those two things with the secret matches the signature which remember is also the hashed value of those two parts and the secret it knows then that it's valid and the jwt has not been tampered with on the client if the jwt had been tampered with on the client for example the data in the payload modified then those two parts either the header or the payload would have been changed right the encoded parts and when they're hashed together with the secret they would not match whatever the token signature is and therefore we would say hey no you're not logged in you're not authenticated anymore so this whole process of signing and verifying jwts might sound a little bit complicated but with the help of the json web token package that we're going to install soon it's actually really really easy to implement so anyway that's a bird's eye view of the authentication process that we'll be using with jwts and we'll start that process in the next video

Original Description

hey gang, in this node authentication tutorial we'll talk a little bit more about JSON web tokens (JWTs) and how we can use them to authenticate users. Read about CSRF - https://owasp.org/www-community/attacks/csrf 🐱‍👤🐱‍👤 JOIN THE GANG - https://www.youtube.com/channel/UCW5YeuERMmlnqo4oq8vwUpg/join ---------------------------------------- 🐱‍💻 🐱‍💻 My Udemy Courses: + Modern JavaScript - https://www.thenetninja.co.uk/udemy/modern-javascript + Vue JS & Firebase - http://www.thenetninja.co.uk/udemy/vue-and-firebase + D3.js & Firebase - https://www.thenetninja.co.uk/udemy/d3-and-firebase 🐱‍💻 🐱‍💻 Course Files: + https://github.com/iamshaunjp/node-express-jwt-auth 🐱‍💻 🐱‍💻 Other Related Free Courses & Links: + Node.js Cash Course - https://www.youtube.com/watch?v=zb3Qk8SG5Ms&list=PL4cUxeGkcC9jsz4LDYc6kv3ymONOKxwBU + Get VS Code - https://code.visualstudio.com/ + JWT Debugger - https://jwt.io/ 🐱‍💻 🐱‍💻 Social Links: Facebook - https://www.facebook.com/thenetninjauk Twitter - https://twitter.com/thenetninjauk Instagram - https://www.instagram.com/thenetninja/
Watch on YouTube ↗ (saves to browser)
Sign in to unlock AI tutor explanation · ⚡30

Playlist

Uploads from Net Ninja · Net Ninja · 0 of 60

← Previous Next →
1 Regular Expressions (RegEx) Tutorial #14 - Matching a Username
Regular Expressions (RegEx) Tutorial #14 - Matching a Username
Net Ninja
2 Regular Expressions (RegEx) Tutorial #15 - Email RegEx Pattern
Regular Expressions (RegEx) Tutorial #15 - Email RegEx Pattern
Net Ninja
3 Regular Expressions (RegEx) Tutorial #16 - Finishing Touches
Regular Expressions (RegEx) Tutorial #16 - Finishing Touches
Net Ninja
4 GraphQL Tutorial #1 - Introduction to GraphQL
GraphQL Tutorial #1 - Introduction to GraphQL
Net Ninja
5 GraphQL Tutorial #2 - A Birdseye View of GraphQL
GraphQL Tutorial #2 - A Birdseye View of GraphQL
Net Ninja
6 GraphQL Tutorial #3 - Project (stack) Overview
GraphQL Tutorial #3 - Project (stack) Overview
Net Ninja
7 GraphQL Tutorial #4 - Making Queries (front-end preview)
GraphQL Tutorial #4 - Making Queries (front-end preview)
Net Ninja
8 GraphQL Tutorial #5 - Express App Setup
GraphQL Tutorial #5 - Express App Setup
Net Ninja
9 GraphQL Tutorial #6 - Setting up GraphQL
GraphQL Tutorial #6 - Setting up GraphQL
Net Ninja
10 GraphQL Tutorial #7 - GraphQL Schema
GraphQL Tutorial #7 - GraphQL Schema
Net Ninja
11 GraphQL Tutorial #8 - Root Query
GraphQL Tutorial #8 - Root Query
Net Ninja
12 GraphQL Tutorial #9 - The Resolve Function
GraphQL Tutorial #9 - The Resolve Function
Net Ninja
13 GraphQL Tutorial #10 - Testing Queries in Graphiql
GraphQL Tutorial #10 - Testing Queries in Graphiql
Net Ninja
14 GraphQL Tutorial #11 - GraphQL ID Type
GraphQL Tutorial #11 - GraphQL ID Type
Net Ninja
15 GraphQL Tutorial #12 - Author Type
GraphQL Tutorial #12 - Author Type
Net Ninja
16 GraphQL Tutorial #13 - Type Relations
GraphQL Tutorial #13 - Type Relations
Net Ninja
17 GraphQL Tutorial #14 - GraphQL Lists
GraphQL Tutorial #14 - GraphQL Lists
Net Ninja
18 GraphQL Tutorial #15 - More on Root Queries
GraphQL Tutorial #15 - More on Root Queries
Net Ninja
19 GraphQL Tutorial #16 - Connecting to mLab
GraphQL Tutorial #16 - Connecting to mLab
Net Ninja
20 GraphQL Tutorial #17 - Mongoose Models
GraphQL Tutorial #17 - Mongoose Models
Net Ninja
21 GraphQL Tutorial #18 - Mutations
GraphQL Tutorial #18 - Mutations
Net Ninja
22 GraphQL Tutorial #19 - More on Mutations
GraphQL Tutorial #19 - More on Mutations
Net Ninja
23 GraphQL Tutorial #20 - Updating the Resolve Functions
GraphQL Tutorial #20 - Updating the Resolve Functions
Net Ninja
24 GraphQL Tutorial #21 - GraphQL NonNull
GraphQL Tutorial #21 - GraphQL NonNull
Net Ninja
25 GraphQL Tutorial #22 - Adding a Front-end
GraphQL Tutorial #22 - Adding a Front-end
Net Ninja
26 GraphQL Tutorial #23 - Create React App
GraphQL Tutorial #23 - Create React App
Net Ninja
27 GraphQL Tutorial #24 - Book List Component
GraphQL Tutorial #24 - Book List Component
Net Ninja
28 GraphQL Tutorial #25 - Apollo Client Setup
GraphQL Tutorial #25 - Apollo Client Setup
Net Ninja
29 GraphQL Tutorial #26 - Making Queries from React
GraphQL Tutorial #26 - Making Queries from React
Net Ninja
30 GraphQL Tutorial #27 - Rendering Data in a Component
GraphQL Tutorial #27 - Rendering Data in a Component
Net Ninja
31 GraphQL Tutorial #28 - Add Book Component
GraphQL Tutorial #28 - Add Book Component
Net Ninja
32 GraphQL Tutorial #29 - External Query File
GraphQL Tutorial #29 - External Query File
Net Ninja
33 GraphQL Tutorial #30 - Updating Component State
GraphQL Tutorial #30 - Updating Component State
Net Ninja
34 GraphQL Tutorial #31 - Composing Queries
GraphQL Tutorial #31 - Composing Queries
Net Ninja
35 GraphQL Tutorial #32 - query variables
GraphQL Tutorial #32 - query variables
Net Ninja
36 GraphQL Tutorial #33 - Re-fetching Queries
GraphQL Tutorial #33 - Re-fetching Queries
Net Ninja
37 GraphQL Tutorial #34 - Book Details Component
GraphQL Tutorial #34 - Book Details Component
Net Ninja
38 GraphQL Tutorial #36 - Styling the App
GraphQL Tutorial #36 - Styling the App
Net Ninja
39 GraphQL Tutorial #35 - Making a Single Query
GraphQL Tutorial #35 - Making a Single Query
Net Ninja
40 Build Apps with Vue & Firebase - Udemy Course
Build Apps with Vue & Firebase - Udemy Course
Net Ninja
41 Updated Vue & Firebase Course (Udemy)
Updated Vue & Firebase Course (Udemy)
Net Ninja
42 Vue & Firebase Real-time Chat (Preview) #1 - Intro
Vue & Firebase Real-time Chat (Preview) #1 - Intro
Net Ninja
43 Vue & Firebase Real-time Chat (Preview) #2 - Project Structure
Vue & Firebase Real-time Chat (Preview) #2 - Project Structure
Net Ninja
44 Vue & Firebase Real-time Chat (Preview) #3 - Firestore Setup
Vue & Firebase Real-time Chat (Preview) #3 - Firestore Setup
Net Ninja
45 Vue & Firebase Real-time Chat (Preview) #4 - Welcome Screen
Vue & Firebase Real-time Chat (Preview) #4 - Welcome Screen
Net Ninja
46 Vue & Firebase Real-time Chat (Preview) #5 - Props in Routes
Vue & Firebase Real-time Chat (Preview) #5 - Props in Routes
Net Ninja
47 Vue & Firebase Real-time Chat (Preview) #6 - Route Guards
Vue & Firebase Real-time Chat (Preview) #6 - Route Guards
Net Ninja
48 Vue & Firebase Real-time Chat (Preview) #7 - Chat Window
Vue & Firebase Real-time Chat (Preview) #7 - Chat Window
Net Ninja
49 Vue & Firebase Real-time Chat (Preview) #8 - New Message Component
Vue & Firebase Real-time Chat (Preview) #8 - New Message Component
Net Ninja
50 Object Oriented JavaScript Tutorial #1 - Introduction
Object Oriented JavaScript Tutorial #1 - Introduction
Net Ninja
51 Object Oriented JavaScript Tutorial #2 - Object Literals
Object Oriented JavaScript Tutorial #2 - Object Literals
Net Ninja
52 Object Oriented JavaScript Tutorial #3 - Updating Properties
Object Oriented JavaScript Tutorial #3 - Updating Properties
Net Ninja
53 Object Oriented JavaScript Tutorial #4 - Classes
Object Oriented JavaScript Tutorial #4 - Classes
Net Ninja
54 Object Oriented JavaScript Tutorial #5  - Class Constructors
Object Oriented JavaScript Tutorial #5 - Class Constructors
Net Ninja
55 Object Oriented JavaScript Tutorial #6 - Class Methods
Object Oriented JavaScript Tutorial #6 - Class Methods
Net Ninja
56 Object Oriented JavaScript Tutorial #7 - Method Chaining
Object Oriented JavaScript Tutorial #7 - Method Chaining
Net Ninja
57 Object Oriented JavaScript Tutorial #8 - Class Inheritance
Object Oriented JavaScript Tutorial #8 - Class Inheritance
Net Ninja
58 Object Oriented JavaScript Tutorial #9 - Constructors (under the hood)
Object Oriented JavaScript Tutorial #9 - Constructors (under the hood)
Net Ninja
59 Object Oriented JavaScript Tutorial #10 - Prototype
Object Oriented JavaScript Tutorial #10 - Prototype
Net Ninja
60 Object Oriented JavaScript Tutorial #11 - Prototype Inheritance
Object Oriented JavaScript Tutorial #11 - Prototype Inheritance
Net Ninja

Related Reads

📰
Java: Word to TXT Conversion
Learn to convert Word documents to plain text in Java, a crucial task in software development
Dev.to · Jeremy K.
📰
The New HTTP QUERY Method: How to Use It in Node.js and Express Today
Learn to use the new HTTP QUERY method in Node.js and Express to send requests with a body while keeping data safe
Dev.to · Dev Encyclopedia
📰
2 @Transactional Traps That Catch Even Senior Java Developers in interviews
Learn to avoid common @Transactional traps in Java to improve your coding skills and ace technical interviews
Dev.to · Nikhil Kamani
📰
10th Anniversary of the Excelize Open Source, New ersion 2.11.0 Released
Celebrate the 10th anniversary of Excelize, an open-source library for working with XLSX files, and learn how to use its new version 2.11.0 for improved productivity
Dev.to AI
Up next
Indian Express Editorial Analysis by Chandan Sharma - 1 JULY 2026 | UPSC Current Affairs 2026
StudyIQ IAS
Watch →