Module 1: JWT Fundamentals & Architecture - The Theoretical Backbone

• What is JWT? Explanation of JSON Web Tokens as an open, industry-standard RFC 7519 method for representing claims securely between two parties.

• Structure (Header, Payload, Signature): 1 1. github.com

  github.com

  • Header: Contains metadata about the token, typically the type of the token (JWT) and the signing algorithm (e.g., HS256, RS256).
  • Payload: Contains the claims, which are statements about an entity (usually the user) and additional data. Claims are categorized as registered, public, and private.
  • Signature: Ensures the integrity of the token and verifies that it hasn't been tampered with. It's calculated by taking the encoded header, the encoded payload, a secret (for symmetric) or a private key (for asymmetric), the specified algorithm, and signing it.

• Symmetric vs Asymmetric Signing:

  • HS256 (HMAC with SHA-256): Uses a single secret key for both signing and verification. Simpler to implement but less secure if the secret is compromised.
  • RS256 (RSA Signature with SHA-256): Uses a public/private key pair. The server signs the token with its private key, and anyone with the public key can verify the token's authenticity. More secure for distributed systems.

• Use Cases of JWT:

  • Authentication: The most common use case, where the server verifies the user's credentials and issues a JWT. Subsequent requests are authenticated by the presence and validity of the JWT.
  • Authorization: JWTs can also carry information about the user's roles and permissions, allowing the server to determine what resources the user is authorized to access.

• Comparison with Sessions and Cookies:

  • Sessions: Server-side storage of user session data, typically identified by a session ID stored in a cookie. Stateful.
  • Cookies: Small pieces of data stored in the user's browser, often used to manage sessions.
  • JWT: Client-side storage of user information in a signed token. Stateless on the server (though refresh tokens might introduce state).

• Common Mistakes:

  • Misunderstanding the purpose of JWT (it's primarily for authentication and securely transmitting information, not for storing large amounts of sensitive data).
  • Choosing the wrong signing algorithm for the use case.
  • Not properly securing the secret key or private key.

• Enterprise Best Practices:

  • Using RS256 for production environments where security is paramount.
  • Keeping the payload as small as possible.
  • Setting appropriate expiration times for tokens.

• Hands-on: Explore the structure of a JWT using online decoders (e.g., jwt.io). Generate simple JWTs with different payloads and signing algorithms to observe the structure.

Module 2: Setting Up JWT in Node.js (Express) - Practical Implementation

• Signing and Verifying JWTs: Using the jsonwebtoken library in Node.js.JavaScript

  // Installation: npm install jsonwebtoken
  const jwt = require('jsonwebtoken');
  const secretKey = 'your-secret-key'; // In production, use a strong, environment-variable-based secret
  
  // Signing a JWT
  const userPayload = { userId: 123, username: 'testuser' };
  const accessToken = jwt.sign(userPayload, secretKey, { expiresIn: '1h' });
  console.log('Generated Access Token:', accessToken);
  
  // Verifying a JWT
  jwt.verify(accessToken, secretKey, (err, decoded) => {
    if (err) {
      console.error('Token verification failed:', err);
    } else {
      console.log('Decoded Token:', decoded);
    }
  });
  

• Creating a Secure Login Route: Implementing a route (e.g., /login) that accepts user credentials, authenticates them (e.g., against a database), and returns a JWT upon successful authentication.JavaScript

  const express = require('express');
  const bcrypt = require('bcrypt');
  const jwt = require('jsonwebtoken');
  const app = express();
  const users = [{ id: 1, username: 'testuser', password: await bcrypt.hash('password123', 10) }]; // In real app, fetch from DB
  
  app.post('/login', async (req, res) => {
    const { username, password } = req.body;
    const user = users.find(u => u.username === username);
    if (!user || !(await bcrypt.compare(password, user.password))) {
      return res.status(401).json({ message: 'Invalid credentials' });
    }
    const accessToken = jwt.sign({ userId: user.id, username: user.username }, 'your-secret-key', { expiresIn: '1h' });
    res.json({ accessToken });
  });
  

• Protecting Routes using Middleware (Auth Guards): Creating middleware to verify the JWT in the Authorization header of incoming requests and allow access to protected routes only if the token is valid.JavaScript

  const authenticateToken = (req, res, next) => {
    const authHeader = req.headers['authorization'];
    const token = authHeader && authHeader.split(' ')[1];
    if (token == null) return res.sendStatus(401);
    jwt.verify(token, 'your-secret-key', (err, user) => {
      if (err) return res.sendStatus(403);
      req.user = user;
      next();
    });
  };
  
  app.get('/protected', authenticateToken, (req, res) => {
    res.json({ message: 'This route is protected', user: req.user });
  });
  

• Handling Token Expiration and Renewal: Implementing logic to handle expired tokens (typically returning a 401 Unauthorized error) and setting up a mechanism for token renewal (often using refresh tokens, covered in the next module).

• Common Mistakes:

  • Exposing the secret key in the codebase.
  • Not validating the token on every protected route.
  • Setting excessively long expiration times for access tokens.

• Enterprise Best Practices:

  • Using environment variables to store sensitive information like the secret key.
  • Implementing robust error handling for token verification.
  • Considering using a library like express-jwt for simplified JWT authentication in Express.

• Hands-on: Set up a basic Express.js application with a login route that issues a JWT and a protected route that requires a valid JWT for access. Test this using Postman.

Module 3: Access Token vs Refresh Token Architecture - Enhancing Security and User Experience

• Short-lived Access Token, Long-lived Refresh Token Flow: Explanation of why short-lived access tokens improve security and how long-lived refresh tokens allow users to stay logged in without frequent re-authentication.