Welcome everyone to our third tutorial for aspiring Node.js developers! In this edition we'll discuss the process of building a secure API using Express.js.

Building a secure API is essential for protecting sensitive data and ensuring that only authorized users have access to your resources. Let's discuss how to create a secure API using Express.js and JWT (JSON Web Tokens). Whether you're new to Express.js or looking to implement API authentication, this guide will help you create a token-based authentication system step by step.

We'll start by setting up an Express.js project, then move on to creating basic routes, handling request and response objects in Express, understanding and using middleware, and implementing token-based authentication with JWT. We'll wrap things up by learning how to secure API endpoints with that authentication. By the end of this tutorial, you'll have a solid foundation for building and securing APIs in real-world applications.

With all that being said, let's get started!

1. Setting Up Your Express.js Project

To begin, you need to have Node.js and npm installed. Node.js is crucial for running JavaScript server-side, while npm is the package manager used to install libraries like Express.js.


Initialize the Node.js project

First, create a folder for your project and initialize it with npm:

This command sets up a default package.json file for your project. Next, install Express.js, which we’ll use to build the API:

Set up a basic Express.js server

Now, create a file named app.js and write the following code to initialize a basic Express server:

This server listens on port 3000. You can run the server using:

Visit http://localhost:3000 to see the server in action.

2. Creating API Routes in Express.js

To build a RESTful API in Express, we’ll need to create routes to handle GET and POST requests. Routes allow us to define how the API responds to client requests.


Create a GET route

Let’s start by creating a route to fetch a list of albums:

When a GET request is made to /albums, the server responds with a list of albums in JSON format.


Create a POST route

Next, create a POST route to add a new album:

The POST request sends data in the request body, and the server responds with the newly added album.

3. Understanding Middleware in Express.js

In Express.js, middleware functions are used to process requests before they reach the final route handler. This allows you to manage requests and add functionality such as logging, authentication, and error handling.

Logging middleware

Here’s a simple middleware function to log incoming requests:

This logs every incoming request with the HTTP method and the requested URL. Middleware is essential when building scalable APIs in Express.js.

4. Implementing JWT-Based Authentication in Express.js

To secure your API, we will implement JWT (JSON Web Token) authentication. Token-based authentication is a widely used method in modern web development for protecting API endpoints.

Install the JWT library

First, install the jsonwebtoken package:

Create a login route to generate tokens

We’ll simulate a login process where a user is authenticated and a JWT is issued:

This route verifies the user credentials and, if they are correct, returns a JWT that is valid for 1 hour.

Create middleware to verify JWT tokens

To secure routes, we need middleware that verifies the token provided in the request headers:

This middleware checks if a token is present and valid before allowing the user to access protected routes.

Protect the routes

Let’s apply the token verification middleware to the /albums route:

Now, only authenticated users with a valid token can access this route.

5. Testing Your Secure API

You can use Postman or cURL to test your API. Here’s how to test it:

  1. Log in to get a token
    • Send a POST request to /login with valid credentials.
    • You’ll receive a JWT token in the response.

  2. Access protected routes
    • Send a GET request to /albums without the token. You should get a 403 Forbidden response.
    • Include the token in the Authorization header and try again:
      Authorization: Bearer <your_token>.
      This time, you’ll receive the album data.

6. Conclusion: Building and Securing APIs with Express.js

You should now have a basic understanding of how to create API routes, use middleware, and implement token-based authentication to secure your endpoints.

Some of the most important points we've discussed include:

  • Setting up a basic Express.js server
  • Creating routes for GET and POST requests
  • Implementing JWT-based authentication
  • Protecting API routes using middleware

Building a RESTful API with Express.js is a crucial skill for any web developer, and adding authentication takes it a step further by ensuring that only authorized users can access your resources. Moving forward, you can expand your API further by integrating a database, handling role-based permissions, or adding more sophisticated security measures.

Let us know your thoughts on this article! If you encounter any difficulties don't hesitate to reach out.