# Authentication Example JWT authentication system ## Code Example ```javascript // JWT Authentication System Example const express = require('express'); const bcrypt = require('bcryptjs'); const jwt = require('jsonwebtoken'); const rateLimit = require('express-rate-limit'); const helmet = require('helmet'); const cors = require('cors'); const app = express(); // Middleware app.use(helmet()); app.use(cors()); app.use(express.json()); // Rate limiting for auth endpoints const authLimiter = rateLimit({ windowMs: 15 * 60 * 1000, // 15 minutes max: 5, // limit each IP to 5 requests per windowMs message: 'Too many authentication attempts, please try again later.' }); // In-memory user store (use database in production) const users = []; const refreshTokens = new Set(); // JWT Configuration const JWT_SECRET = process.env.JWT_SECRET || 'your-secret-key'; const JWT_REFRESH_SECRET = process.env.JWT_REFRESH_SECRET || 'your-refresh-secret'; const JWT_EXPIRES_IN = '15m'; const REFRESH_EXPIRES_IN = '7d'; // Helper functions const generateTokens = (user) => { const payload = { id: user.id, email: user.email, role: user.role }; const accessToken = jwt.sign(payload, JWT_SECRET, { expiresIn: JWT_EXPIRES_IN, issuer: 'your-app', audience: 'your-app-users' }); const refreshToken = jwt.sign({ id: user.id }, JWT_REFRESH_SECRET, { expiresIn: REFRESH_EXPIRES_IN }); return { accessToken, refreshToken }; }; const verifyToken = (token, secret) => { try { return jwt.verify(token, secret); } catch (error) { throw new Error('Invalid token'); } }; // Authentication middleware const authenticateToken = (req, res, next) => { const authHeader = req.headers['authorization']; const token = authHeader && authHeader.split(' ')[1]; if (!token) { return res.status(401).json({ error: 'Access token required' }); } try { const decoded = verifyToken(token, JWT_SECRET); req.user = decoded; next(); } catch (error) { return res.status(403).json({ error: 'Invalid or expired token' }); } }; // Role-based authorization const authorize = (...roles) => { return (req, res, next) => { if (!req.user) { return res.status(401).json({ error: 'Authentication required' }); } if (!roles.includes(req.user.role)) { return res.status(403).json({ error: 'Insufficient permissions' }); } next(); }; }; // Routes // Register app.post('/api/auth/register', authLimiter, async (req, res) => { try { const { email, password, firstName, lastName } = req.body; // Validation if (!email || !password || !firstName || !lastName) { return res.status(400).json({ error: 'All fields are required' }); } if (password.length < 8) { return res.status(400).json({ error: 'Password must be at least 8 characters' }); } // Check if user exists const existingUser = users.find(u => u.email === email); if (existingUser) { return res.status(409).json({ error: 'User already exists' }); } // Hash password const saltRounds = 12; const hashedPassword = await bcrypt.hash(password, saltRounds); // Create user const user = { id: Date.now().toString(), email, password: hashedPassword, firstName, lastName, role: 'user', createdAt: new Date() }; users.push(user); // Generate tokens const { accessToken, refreshToken } = generateTokens(user); refreshTokens.add(refreshToken); res.status(201).json({ message: 'User registered successfully', user: { id: user.id, email: user.email, firstName: user.firstName, lastName: user.lastName, role: user.role }, accessToken, refreshToken }); } catch (error) { res.status(500).json({ error: 'Registration failed' }); } }); // Login app.post('/api/auth/login', authLimiter, async (req, res) => { try { const { email, password } = req.body; if (!email || !password) { return res.status(400).json({ error: 'Email and password are required' }); } // Find user const user = users.find(u => u.email === email); if (!user) { return res.status(401).json({ error: 'Invalid credentials' }); } // Verify password const isValidPassword = await bcrypt.compare(password, user.password); if (!isValidPassword) { return res.status(401).json({ error: 'Invalid credentials' }); } // Generate tokens const { accessToken, refreshToken } = generateTokens(user); refreshTokens.add(refreshToken); res.json({ message: 'Login successful', user: { id: user.id, email: user.email, firstName: user.firstName, lastName: user.lastName, role: user.role }, accessToken, refreshToken }); } catch (error) { res.status(500).json({ error: 'Login failed' }); } }); // Refresh token app.post('/api/auth/refresh', (req, res) => { try { const { refreshToken } = req.body; if (!refreshToken) { return res.status(400).json({ error: 'Refresh token required' }); } if (!refreshTokens.has(refreshToken)) { return res.status(403).json({ error: 'Invalid refresh token' }); } const decoded = verifyToken(refreshToken, JWT_REFRESH_SECRET); const user = users.find(u => u.id === decoded.id); if (!user) { return res.status(403).json({ error: 'User not found' }); } // Generate new tokens const { accessToken, refreshToken: newRefreshToken } = generateTokens(user); // Remove old refresh token and add new one refreshTokens.delete(refreshToken); refreshTokens.add(newRefreshToken); res.json({ accessToken, refreshToken: newRefreshToken }); } catch (error) { res.status(403).json({ error: 'Invalid refresh token' }); } }); // Logout app.post('/api/auth/logout', (req, res) => { const { refreshToken } = req.body; if (refreshToken) { refreshTokens.delete(refreshToken); } res.json({ message: 'Logout successful' }); }); // Protected routes app.get('/api/profile', authenticateToken, (req, res) => { const user = users.find(u => u.id === req.user.id); res.json({ user: { id: user.id, email: user.email, firstName: user.firstName, lastName: user.lastName, role: user.role, createdAt: user.createdAt } }); }); app.get('/api/admin/users', authenticateToken, authorize('admin'), (req, res) => { const userList = users.map(user => ({ id: user.id, email: user.email, firstName: user.firstName, lastName: user.lastName, role: user.role, createdAt: user.createdAt })); res.json({ users: userList }); }); // Change password app.put('/api/auth/change-password', authenticateToken, async (req, res) => { try { const { currentPassword, newPassword } = req.body; const user = users.find(u => u.id === req.user.id); if (!currentPassword || !newPassword) { return res.status(400).json({ error: 'Current and new passwords are required' }); } if (newPassword.length < 8) { return res.status(400).json({ error: 'New password must be at least 8 characters' }); } const isValidPassword = await bcrypt.compare(currentPassword, user.password); if (!isValidPassword) { return res.status(401).json({ error: 'Current password is incorrect' }); } const saltRounds = 12; user.password = await bcrypt.hash(newPassword, saltRounds); res.json({ message: 'Password changed successfully' }); } catch (error) { res.status(500).json({ error: 'Password change failed' }); } }); const PORT = process.env.PORT || 3000; app.listen(PORT, () => { console.log(`Authentication server running on port ${PORT}`); }); ``` ## Files - auth.js - middleware/auth.js - models/User.js - routes/auth.js ## Usage ```bash # Install dependencies npm install # Run the example npm start ```