Learn JWT in 10 Minutes with Express, Node, and Cookie Parser

00:00

hey everyone i hope you guys are having

00:01

a great day welcome back to another

00:02

webdav junkie video and so in this video

00:04

i want to give you a five minute

00:05

overview

00:06

of how you can use jwt with an example

00:09

of using a node in express

00:11

but you can take these ideas and apply

00:12

to whatever language you want like

00:14

python and django php and laravel but

00:16

let's just dive into it to save some

00:18

time

00:18

right here i have a server.js file which

00:20

is hosting in express application

00:23

and the main thing i want to talk about

00:24

in this app is we have a url

00:27

called slash login and we also have a

00:28

url called slash add

00:30

but these are the main things we're

00:31

going to focus on but just to kind of

00:33

make sure you're not in the dark we do

00:34

have two static files that are hosted we

00:36

have an index file

00:38

that is located here that has a form and

00:40

a login button

00:41

and then we have a welcome page which

00:42

also has a button that just makes

00:44

a really basic request to the ad page

00:46

and then finally we have a cookie parser

00:48

set up

00:49

so that we can take the jwt and put it

00:51

in the user's cookie so we have a login

00:53

form here and we are going to hit that

00:54

login endpoint so i do have a

00:56

test username typed in and a password

00:58

typed in and so when i click on login i

01:00

want to show you what kind of happens

01:01

so it's going to hit this express

01:03

service and it's going to go to this

01:04

login route okay so inside of my routes

01:07

folder i have a login

01:08

file and let me just walk you through

01:10

this code real quick we are basically

01:12

including a json web

01:13

token package or library which allows us

01:16

to sign and verify jwt tokens and

01:19

this is the end point that we're hitting

01:21

and to kind of walk you through this

01:22

really quick

01:23

we grab the username and password that

01:24

came over the payload

01:26

we checked in the database for that user

01:28

based on the email they provided or

01:30

username they provided

01:31

and then we verify is the password

01:34

that's stored in the database

01:35

matching the one that the user sent in

01:37

in the login page if it's not we just go

01:39

ahead and throw an error back

01:40

but the important part of this whole

01:42

endpoint is the

01:44

signing process so we have a jwp.sine

01:47

function call here

01:49

and we are taking that user object that

01:50

we got back from the database

01:53

and we are just signing it okay so what

01:54

that means is it takes an object

01:56

and it basically will look at

02:00

the payload and it'll create a hash and

02:02

put it

02:03

as a signature at the end of the jwt and

02:05

we'll we'll talk about this at near the

02:06

end of the video of how a jwp is

02:08

composed but a second important part to

02:10

point out is that we have to provide a

02:13

secret here so you notice here we have

02:14

processing be my secret

02:16

so when i host my server this is

02:18

actually set to

02:20

i think hello so let me refresh this

02:22

yeah so this is an environment variable

02:24

that i set to hello here

02:25

and that is what we're using to sign our

02:27

jwt this is important because

02:29

this prevents anyone else out there from

02:31

just creating jwts

02:33

and hitting your server to try to access

02:35

it right they have to know the exact

02:36

same password that your server used

02:39

in order to create a jwt token to uh

02:42

hit your endpoint and then the third

02:43

thing that's really important to talk

02:44

about is

02:45

the expires in property here so usually

02:48

jwt tokens

02:50

have an expiration date and the shorter

02:51

they are the

02:53

more secure the safer i'm just going to

02:55

do one hour here to kind of show you but

02:57

typically you want to do like 15 minutes

02:59

10 minutes 30 minutes

03:02

um and so we create this token and that

03:04

is what we can use as kind of like the

03:06

key

03:06

that the user can use to hit our

03:08

endpoints and we can verify that hey is

03:10

this user actually the correct user uh

03:12

so after we have the token

03:13

we are going to set a cookie on the

03:16

response header so that the browser can

03:18

actually say hey

03:19

i have a cookie i need to set in my

03:21

browser and keep track of it

03:23

and then later on the browser will send

03:25

that cookie when it does for

03:26

future requests uh some things i want to

03:28

point out here is it's

03:30

usually most safe to use an http only

03:32

cookie

03:33

there's also some other flags that you

03:34

can look into if you want to make this

03:36

more secure

03:37

but i'm not going to do that in this

03:38

example and then we redirect them to a

03:40

welcome page so let's just go back here

03:41

and click that login button

03:43

the first thing i want to show you is we

03:45

hit that login endpoint here

03:47

and we are doing a post request to that

03:48

endpoint but the important part is that

03:51

the response comes back

03:53

with a set cookie in the header right so

03:55

this is that token that we're talking

03:57

about

03:58

and the server told our browser that we

04:00

need to set that cookie

04:01

so to further exemplify that let's click

04:03

on this application tab

04:04

and let's go down here to storage where

04:06

it says cookies

04:07

and click on our url so you'll notice

04:09

that the cookie is actually set

04:11

with this token keyword and we have the

04:14

cookie or we have the jwt token here

04:16

right we're going to talk about the

04:17

token

04:17

uh in just a bit like what this actually

04:19

is because it looks like a

04:20

random jumble of characters but just

04:24

know that whenever we make a

04:25

future request that token is going to be

04:28

put

04:28

onto a header so let's further check

04:31

this out we have a button here on the

04:32

welcome page which just does a post

04:34

request to that slash

04:35

add in point okay so before i click it

04:39

let's go back to our server notice that

04:41

we have an ad in point

04:43

but the main difference with this route

04:44

is that we do have some middleware set

04:46

up to make sure that the cookie is

04:47

provided so

04:48

this is like a secured route we don't

04:50

want anyone just hitting this endpoint

04:52

we want someone who is authenticated

04:54

and we want to maybe check their user id

04:56

to do some logic

04:57

so before we do the logic we're going to

05:00

use this middleware function to

05:02

basically take the token out of the

05:03

cookie

05:04

and verify it all right so here we are

05:07

saying get the token

05:08

based on that token key that we talked

05:10

about here

05:12

get the token out of the cookie and then

05:14

we verify it okay so this is

05:16

a library function call we can do

05:19

basically passes a token

05:21

then we also pass it that secret key

05:22

that we talked about earlier

05:24

that we used for signing the token and

05:27

if the token that came in

05:28

has the exact same key in the signature

05:31

as the one that is set here then this

05:34

will just work it'll return the

05:36

decoded token to us which happens to be

05:38

that user that we sign here

05:41

and then we can access things that we

05:42

put on that right so for example the

05:44

user id

05:45

but in this middleware i'm just going to

05:47

set it on my request and call next which

05:49

will allow us to go to the next step

05:52

in the route endpoint which happens to

05:54

be this ad route

05:56

which will just basically redirect us to

05:57

a welcome page

05:59

so let me just go ahead and click that

06:00

and show you

06:03

so notice here it did a request to the

06:05

add page again that

06:07

that cookie was set in the header here

06:09

we have that cookie here

06:10

and the server basically took that

06:12

cookie verified it

06:14

and called the next um step in the

06:16

process which is redirect to welcome

06:18

and notice that we also got a request to

06:20

welcome because our browser was

06:21

redirected to it let's talk about the

06:24

other scenario where the token is

06:25

invalid or the token was expired okay so

06:28

let's go back

06:29

to our login and let's make this expire

06:31

after one second

06:32

so now if i were to go back and kind of

06:35

clear out my

06:35

cookie here and go back to the login

06:38

page

06:39

if i were to type in that same stuff so

06:42

notice that when i log in we still get

06:44

that cookie but

06:46

now since it expires after one second if

06:49

i make this request here it's actually

06:50

going to take this

06:51

else path which is going to clear the

06:53

cookie for us automatically

06:54

and redirect us back to the login page

06:57

let's just go ahead and click that and

06:58

you'll notice that the cookie

07:00

is removed from the cookie section here

07:03

we don't know

07:04

we don't ever have a token and we are

07:06

back at the login page so that is my

07:08

like

07:09

um invalidation logic setup uh and i

07:11

think that's about it so let's change

07:13

the

07:13

the expires back to an hour the last

07:15

thing i want to show you all though

07:16

which is kind of important is like what

07:18

is a jwt token like what is it made up

07:20

of

07:21

so what i'm going to do here is i'm

07:22

going to make another token

07:24

let's just go ahead and grab that jwt

07:26

token and i want to paste it into a

07:27

website

07:28

called jwt dot io alright so if you go

07:31

to jwt io

07:33

and go to this debugger section you can

07:34

actually paste in your token and what

07:36

this does is it's going to

07:37

split apart your token into the various

07:39

parts and kind of show you what it's

07:41

made up of so

07:42

every token usually has a header section

07:44

which is this red section

07:45

it has your payload or your body which

07:48

is the purple section

07:49

and then it has a signature okay so this

07:51

signature

07:52

is created using that secret key that we

07:55

set in our server

07:57

and then also with the header and the

07:59

payload so basically takes the header

08:00

and the payload

08:01

and the secret creates a hash and it

08:04

puts that at the end of your jwt token

08:06

again this allows us to basically verify

08:09

that any token that comes to our server

08:11

has the exact same hash that we expect

08:13

because we are the ones who know

08:15

how to sign and verify tokens with that

08:19

secret key

08:20

what you can do here is if you were to

08:21

paste in some random stuff like

08:23

i'll just type in some random characters

08:24

and paste our existing token

08:26

notice down here it says invalid

08:28

signature

08:29

but if i were to put hello

08:33

and replace our signature notice that it

08:35

says signature verified so this is

08:37

basically the same steps our server

08:38

server's taking it's just using this

08:40

secret string of hello

08:42

and making sure that this is token was

08:44

actually issued by myself

08:46

by my own processes and if it wasn't we

08:49

can just throw an exception

08:50

you can also do some different stuff

08:51

here like i could change the user id to

08:53

one

08:56

and notice that the key will change a

08:58

little bit

08:59

let's say you were to change the user id

09:00

to one but you didn't have the correct

09:02

secret

09:02

like this if i were to take this token

09:05

and just go to my application and paste

09:07

it in

09:08

notice that when i click on my make a

09:11

request button

09:12

it's actually going to log me out and

09:14

redirect me to the login page because

09:16

again

09:16

that token was bad right someone just

09:19

tried to hack

09:20

or spoof a token to our system and

09:22

basically our application logged you out

09:25

now the very last tidbit of information

09:27

i want to talk about with the token

09:29

is that the body and the header are

09:30

basically just base 64 encoded

09:33

strings okay so if you go to a base 64

09:34

decoder and paste it in and click decode

09:38

you'll notice that you just get back a

09:40

json object here okay so there's nothing

09:42

really like confusing or special about

09:44

these two

09:44

and you can see that they kind of

09:46

decoded them for us over here

09:48

it's mainly the signature over here

09:49

which is just a hash um which

09:52

that's for another lesson but go read up

09:53

on what hashes is um just so we can use

09:56

that to verify our token on the server

09:58

all right so that basically wraps up my

10:00

quick overview of jwt

10:01

with node in express if you have any

10:04

questions be sure to leave a comment

10:05

below maybe i can come back and answer

10:07

them

10:07

give me a thumbs up if you enjoyed

10:09

watching this video and like always if

10:10

you're new to this channel be sure to

10:11

click the subscribe button

10:12

because i'm gonna have videos like this

10:14

in the future that should hopefully help

10:15

you become

10:15

a better web developer all right thank

10:17

you so much for watching have a good day