The latest articles on Forem by NHero (@nhero). https://forem.com/nhero https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F2071314%2F43bbd5b4-c0e3-4695-9c9a-c80cf051211d.png https://forem.com/nhero en NHero Sat, 23 May 2026 20:51:54 +0000 https://forem.com/nhero/jwt-auth-in-express-with-ts-5egk https://forem.com/nhero/jwt-auth-in-express-with-ts-5egk <h2> ⚡ Quick Architecture Cheat Sheet (For Fast Revision) </h2> <p>If you are using this post to refresh your memory, here is the core token blueprint:</p> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Token Type</th> <th>Stored In</th> <th>Lifetime (Recommended)</th> <th>Primary Purpose</th> </tr> </thead> <tbody> <tr> <td><strong>Access Token</strong></td> <td>HTTP-Only Cookie / Auth Header</td> <td>15 Minutes</td> <td>Authenticating short-lived protected route requests</td> </tr> <tr> <td><strong>Refresh Token</strong></td> <td>Database &amp; HTTP-Only Cookie</td> <td>7 to 10 Days</td> <td>Requesting a brand new Access Token when it expires</td> </tr> </tbody> </table></div> <h3> The Token Lifecycle Flow </h3> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>[Client] -------------- 1. Send Login Credentials ---------------&gt; [Backend] [Client] &lt;-------- 2. Set Access &amp; Refresh Cookies --------------- [Backend] (Saves Refresh Token to DB) [Client] -------- 3. Access Protected Route (With Cookie) --------&gt; [verifyJWT Middleware] -&gt; [Granted] </code></pre> </div> <h2> Project Setup &amp; Prerequisites </h2> <h3> 📂 Project Structure </h3> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>└── src/ ├── @types/ ├── controllers/ ├── middlewares/ ├── models/ ├── routes/ ├── utils/ ├── app.ts └── index.ts </code></pre> </div> <h3> 📥 Install Required Packages </h3> <p>Run the following commands to install the necessary production and development dependencies:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>npm <span class="nb">install </span>jsonwebtoken bcrypt mongoose cookie-parser npm <span class="nb">install</span> <span class="nt">-D</span> @types/jsonwebtoken @types/bcrypt </code></pre> </div> <h3> 🌐 Environment Variables </h3> <p>Create a <code>.env</code> file in your root directory:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>ACCESS_TOKEN_SECRET=your_super_secret_access_key ACCESS_TOKEN_EXPIRY=15m REFRESH_TOKEN_SECRET=your_super_secret_refresh_key REFRESH_TOKEN_EXPIRY=7d </code></pre> </div> <h2> Step 1: Standardizing Global API Responses </h2> <p>Before touching authentication, we build reusable helper classes. This keeps frontend handling much cleaner since every response follows the same structure.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="k">export</span> <span class="kd">class</span> <span class="nc">ApiError</span> <span class="kd">extends</span> <span class="nc">Error</span> <span class="p">{</span> <span class="nl">statusCode</span><span class="p">:</span> <span class="kr">number</span><span class="p">;</span> <span class="nl">message</span><span class="p">:</span> <span class="kr">string</span><span class="p">;</span> <span class="nl">errors</span><span class="p">:</span> <span class="kr">any</span><span class="p">[];</span> <span class="nl">stack</span><span class="p">?:</span> <span class="kr">string</span><span class="p">;</span> <span class="nl">data</span><span class="p">:</span> <span class="kr">any</span><span class="p">;</span> <span class="nl">success</span><span class="p">:</span> <span class="nx">boolean</span><span class="p">;</span> <span class="nf">constructor</span><span class="p">(</span> <span class="nx">statusCode</span><span class="p">:</span> <span class="kr">number</span><span class="p">,</span> <span class="nx">message</span> <span class="o">=</span> <span class="dl">"</span><span class="s2">Something went wrong</span><span class="dl">"</span><span class="p">,</span> <span class="nx">errors</span> <span class="o">=</span> <span class="p">[],</span> <span class="nx">stack</span> <span class="o">=</span> <span class="dl">""</span> <span class="p">)</span> <span class="p">{</span> <span class="k">super</span><span class="p">(</span><span class="nx">message</span><span class="p">)</span> <span class="k">this</span><span class="p">.</span><span class="nx">statusCode</span> <span class="o">=</span> <span class="nx">statusCode</span> <span class="k">this</span><span class="p">.</span><span class="nx">data</span> <span class="o">=</span> <span class="kc">null</span> <span class="k">this</span><span class="p">.</span><span class="nx">message</span> <span class="o">=</span> <span class="nx">message</span> <span class="k">this</span><span class="p">.</span><span class="nx">success</span> <span class="o">=</span> <span class="kc">false</span> <span class="k">this</span><span class="p">.</span><span class="nx">errors</span> <span class="o">=</span> <span class="nx">errors</span> <span class="k">if </span><span class="p">(</span><span class="nx">stack</span><span class="p">)</span> <span class="p">{</span> <span class="k">this</span><span class="p">.</span><span class="nx">stack</span> <span class="o">=</span> <span class="nx">stack</span> <span class="p">}</span> <span class="k">else</span> <span class="p">{</span> <span class="nb">Error</span><span class="p">.</span><span class="nf">captureStackTrace</span><span class="p">(</span><span class="k">this</span><span class="p">,</span> <span class="k">this</span><span class="p">.</span><span class="kd">constructor</span><span class="p">)</span> <span class="p">}</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="k">export</span> <span class="kd">class</span> <span class="nc">ApiResponse</span> <span class="p">{</span> <span class="nl">statusCode</span><span class="p">:</span> <span class="kr">number</span><span class="p">;</span> <span class="nl">data</span><span class="p">:</span> <span class="kr">any</span><span class="p">;</span> <span class="nl">message</span><span class="p">:</span> <span class="kr">string</span><span class="p">;</span> <span class="nl">success</span><span class="p">:</span> <span class="nx">boolean</span><span class="p">;</span> <span class="nf">constructor</span><span class="p">(</span> <span class="nx">statusCode</span><span class="p">:</span> <span class="kr">number</span><span class="p">,</span> <span class="nx">data</span><span class="p">:</span> <span class="kr">any</span><span class="p">,</span> <span class="nx">message</span><span class="p">:</span> <span class="kr">string</span> <span class="o">=</span> <span class="dl">"</span><span class="s2">Success</span><span class="dl">"</span> <span class="p">)</span> <span class="p">{</span> <span class="k">this</span><span class="p">.</span><span class="nx">statusCode</span> <span class="o">=</span> <span class="nx">statusCode</span> <span class="k">this</span><span class="p">.</span><span class="nx">data</span> <span class="o">=</span> <span class="nx">data</span> <span class="k">this</span><span class="p">.</span><span class="nx">message</span> <span class="o">=</span> <span class="nx">message</span> <span class="k">this</span><span class="p">.</span><span class="nx">success</span> <span class="o">=</span> <span class="nx">statusCode</span> <span class="o">&lt;</span> <span class="mi">400</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <blockquote> <p>💡 <strong>Why use this pattern?</strong><br> Instead of manually typing <code>return res.status(200).json({ success: true, data })</code> in dozens of locations, these utility classes enforce structural consistency across your entire backend footprint.</p> </blockquote> <h2> Step 2: Designing the Data Layer (The User Model) </h2> <p>Instead of hashing passwords manually inside controllers every time, we move the logic into the schema itself using pre-save hooks and custom schema methods.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="k">import</span> <span class="p">{</span> <span class="nx">model</span><span class="p">,</span> <span class="nx">Schema</span><span class="p">,</span> <span class="kd">type</span> <span class="nx">HydratedDocument</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">"</span><span class="s2">mongoose</span><span class="dl">"</span><span class="p">;</span> <span class="k">import</span> <span class="nx">jwt</span><span class="p">,</span> <span class="p">{</span> <span class="kd">type</span> <span class="nx">Secret</span><span class="p">,</span> <span class="kd">type</span> <span class="nx">SignOptions</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">"</span><span class="s2">jsonwebtoken</span><span class="dl">"</span><span class="p">;</span> <span class="k">import</span> <span class="nx">bcrypt</span> <span class="k">from</span> <span class="dl">"</span><span class="s2">bcrypt</span><span class="dl">"</span><span class="p">;</span> <span class="k">export</span> <span class="kr">interface</span> <span class="nx">IUser</span> <span class="p">{</span> <span class="nl">username</span><span class="p">:</span> <span class="kr">string</span><span class="p">;</span> <span class="nl">fullName</span><span class="p">:</span> <span class="kr">string</span><span class="p">;</span> <span class="nl">email</span><span class="p">:</span> <span class="kr">string</span><span class="p">;</span> <span class="nl">password</span><span class="p">:</span> <span class="kr">string</span><span class="p">;</span> <span class="nl">avatarUrl</span><span class="p">?:</span> <span class="kr">string</span><span class="p">;</span> <span class="nl">refreshToken</span><span class="p">?:</span> <span class="kr">string</span><span class="p">;</span> <span class="nl">generateAccessToken</span><span class="p">:</span> <span class="p">()</span> <span class="o">=&gt;</span> <span class="kr">string</span><span class="p">;</span> <span class="nl">generateRefreshToken</span><span class="p">:</span> <span class="p">()</span> <span class="o">=&gt;</span> <span class="kr">string</span><span class="p">;</span> <span class="nl">isPasswordCorrect</span><span class="p">:</span> <span class="p">(</span><span class="nx">password</span><span class="p">:</span> <span class="kr">string</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="nb">Promise</span><span class="o">&lt;</span><span class="nx">boolean</span><span class="o">&gt;</span><span class="p">;</span> <span class="p">}</span> <span class="k">export</span> <span class="kd">type</span> <span class="nx">IUserDocument</span> <span class="o">=</span> <span class="nx">HydratedDocument</span><span class="o">&lt;</span><span class="nx">IUser</span><span class="o">&gt;</span><span class="p">;</span> <span class="kd">const</span> <span class="nx">userSchema</span> <span class="o">=</span> <span class="k">new</span> <span class="nx">Schema</span><span class="o">&lt;</span><span class="nx">IUser</span><span class="o">&gt;</span><span class="p">({</span> <span class="na">username</span><span class="p">:</span> <span class="p">{</span> <span class="na">type</span><span class="p">:</span> <span class="nb">String</span><span class="p">,</span> <span class="na">required</span><span class="p">:</span> <span class="kc">true</span><span class="p">,</span> <span class="na">unique</span><span class="p">:</span> <span class="kc">true</span><span class="p">,</span> <span class="na">lowercase</span><span class="p">:</span> <span class="kc">true</span> <span class="p">},</span> <span class="na">fullName</span><span class="p">:</span> <span class="p">{</span> <span class="na">type</span><span class="p">:</span> <span class="nb">String</span><span class="p">,</span> <span class="na">required</span><span class="p">:</span> <span class="kc">true</span> <span class="p">},</span> <span class="na">email</span><span class="p">:</span> <span class="p">{</span> <span class="na">type</span><span class="p">:</span> <span class="nb">String</span><span class="p">,</span> <span class="na">required</span><span class="p">:</span> <span class="kc">true</span><span class="p">,</span> <span class="na">unique</span><span class="p">:</span> <span class="kc">true</span> <span class="p">},</span> <span class="na">password</span><span class="p">:</span> <span class="p">{</span> <span class="na">type</span><span class="p">:</span> <span class="nb">String</span><span class="p">,</span> <span class="na">required</span><span class="p">:</span> <span class="kc">true</span> <span class="p">},</span> <span class="na">avatarUrl</span><span class="p">:</span> <span class="p">{</span> <span class="na">type</span><span class="p">:</span> <span class="nb">String</span> <span class="p">},</span> <span class="na">refreshToken</span><span class="p">:</span> <span class="p">{</span> <span class="na">type</span><span class="p">:</span> <span class="nb">String</span> <span class="p">}</span> <span class="p">});</span> <span class="c1">// Automatic Password Hashing Hook</span> <span class="nx">userSchema</span><span class="p">.</span><span class="nf">pre</span><span class="p">(</span><span class="dl">"</span><span class="s2">save</span><span class="dl">"</span><span class="p">,</span> <span class="k">async</span> <span class="nf">function </span><span class="p">(</span><span class="nx">next</span><span class="p">):</span> <span class="nb">Promise</span><span class="o">&lt;</span><span class="k">void</span><span class="o">&gt;</span> <span class="p">{</span> <span class="k">if </span><span class="p">(</span><span class="o">!</span><span class="k">this</span><span class="p">.</span><span class="nf">isModified</span><span class="p">(</span><span class="dl">"</span><span class="s2">password</span><span class="dl">"</span><span class="p">))</span> <span class="k">return</span> <span class="nf">next</span><span class="p">();</span> <span class="k">this</span><span class="p">.</span><span class="nx">password</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">bcrypt</span><span class="p">.</span><span class="nf">hash</span><span class="p">(</span><span class="k">this</span><span class="p">.</span><span class="nx">password</span><span class="p">,</span> <span class="mi">10</span><span class="p">);</span> <span class="nf">next</span><span class="p">();</span> <span class="p">});</span> <span class="c1">// Secure Password Comparison Method</span> <span class="nx">userSchema</span><span class="p">.</span><span class="nx">methods</span><span class="p">.</span><span class="nx">isPasswordCorrect</span> <span class="o">=</span> <span class="k">async</span> <span class="nf">function </span><span class="p">(</span><span class="nx">password</span><span class="p">:</span> <span class="kr">string</span><span class="p">):</span> <span class="nb">Promise</span><span class="o">&lt;</span><span class="nx">boolean</span><span class="o">&gt;</span> <span class="p">{</span> <span class="k">return</span> <span class="k">await</span> <span class="nx">bcrypt</span><span class="p">.</span><span class="nf">compare</span><span class="p">(</span><span class="nx">password</span><span class="p">,</span> <span class="k">this</span><span class="p">.</span><span class="nx">password</span><span class="p">);</span> <span class="p">};</span> <span class="c1">// Access Token Generator</span> <span class="nx">userSchema</span><span class="p">.</span><span class="nx">methods</span><span class="p">.</span><span class="nx">generateAccessToken</span> <span class="o">=</span> <span class="nf">function </span><span class="p">():</span> <span class="kr">string</span> <span class="p">{</span> <span class="k">return</span> <span class="nx">jwt</span><span class="p">.</span><span class="nf">sign</span><span class="p">(</span> <span class="p">{</span> <span class="na">_id</span><span class="p">:</span> <span class="k">this</span><span class="p">.</span><span class="nx">_id</span><span class="p">,</span> <span class="na">email</span><span class="p">:</span> <span class="k">this</span><span class="p">.</span><span class="nx">email</span><span class="p">,</span> <span class="na">username</span><span class="p">:</span> <span class="k">this</span><span class="p">.</span><span class="nx">username</span><span class="p">,</span> <span class="na">fullName</span><span class="p">:</span> <span class="k">this</span><span class="p">.</span><span class="nx">fullName</span><span class="p">,</span> <span class="p">},</span> <span class="nx">process</span><span class="p">.</span><span class="nx">env</span><span class="p">.</span><span class="nx">ACCESS_TOKEN_SECRET</span> <span class="k">as</span> <span class="nx">Secret</span><span class="p">,</span> <span class="p">{</span> <span class="na">expiresIn</span><span class="p">:</span> <span class="nx">process</span><span class="p">.</span><span class="nx">env</span><span class="p">.</span><span class="nx">ACCESS_TOKEN_EXPIRY</span><span class="p">,</span> <span class="p">}</span> <span class="k">as</span> <span class="nx">SignOptions</span> <span class="p">);</span> <span class="p">};</span> <span class="c1">// Refresh Token Generator</span> <span class="nx">userSchema</span><span class="p">.</span><span class="nx">methods</span><span class="p">.</span><span class="nx">generateRefreshToken</span> <span class="o">=</span> <span class="nf">function </span><span class="p">():</span> <span class="kr">string</span> <span class="p">{</span> <span class="k">return</span> <span class="nx">jwt</span><span class="p">.</span><span class="nf">sign</span><span class="p">(</span> <span class="p">{</span> <span class="na">_id</span><span class="p">:</span> <span class="k">this</span><span class="p">.</span><span class="nx">_id</span><span class="p">,</span> <span class="p">},</span> <span class="nx">process</span><span class="p">.</span><span class="nx">env</span><span class="p">.</span><span class="nx">REFRESH_TOKEN_SECRET</span> <span class="k">as</span> <span class="nx">Secret</span><span class="p">,</span> <span class="p">{</span> <span class="na">expiresIn</span><span class="p">:</span> <span class="nx">process</span><span class="p">.</span><span class="nx">env</span><span class="p">.</span><span class="nx">REFRESH_TOKEN_EXPIRY</span><span class="p">,</span> <span class="p">}</span> <span class="k">as</span> <span class="nx">SignOptions</span> <span class="p">);</span> <span class="p">};</span> <span class="k">export</span> <span class="kd">const</span> <span class="nx">User</span> <span class="o">=</span> <span class="nx">model</span><span class="o">&lt;</span><span class="nx">IUser</span><span class="o">&gt;</span><span class="p">(</span><span class="dl">"</span><span class="s2">User</span><span class="dl">"</span><span class="p">,</span> <span class="nx">userSchema</span><span class="p">);</span> </code></pre> </div> <blockquote> <p>🧠 <strong>Revision Insight: Why handle Hashing &amp; Token generation in the Model?</strong></p> <ul> <li><p><strong>Automatic Hashing:</strong> The <code>pre("save")</code> hook ensures you can never accidentally save a plaintext password to your database.</p></li> <li><p><strong>Encapsulation:</strong> Controllers don't need to know how JWTs are signed or how passwords are encrypted. They simply call <code>user.generateAccessToken()</code>.</p></li> </ul> </blockquote> <h2> Step 3: Centralizing Token Orchestration </h2> <p>Instead of issuing and saving tokens inside our login controller, we create an independent utility helper. This utility issues the pairs and commits the refresh token to the database.</p> <p><code>src/utils/generateTokens.ts</code><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="k">import</span> <span class="p">{</span> <span class="nx">Types</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">"</span><span class="s2">mongoose</span><span class="dl">"</span><span class="p">;</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">User</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">"</span><span class="s2">../models/User.model.js</span><span class="dl">"</span><span class="p">;</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">ApiError</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">"</span><span class="s2">./ApiError.js</span><span class="dl">"</span><span class="p">;</span> <span class="k">export</span> <span class="kd">const</span> <span class="nx">generateTokens</span> <span class="o">=</span> <span class="k">async </span><span class="p">(</span><span class="nx">userId</span><span class="p">:</span> <span class="nx">Types</span><span class="p">.</span><span class="nx">ObjectId</span> <span class="o">|</span> <span class="kr">string</span><span class="p">):</span> <span class="nb">Promise</span><span class="o">&lt;</span><span class="p">{</span> <span class="na">accessToken</span><span class="p">:</span> <span class="kr">string</span><span class="p">;</span> <span class="nl">refreshToken</span><span class="p">:</span> <span class="kr">string</span> <span class="p">}</span><span class="o">&gt;</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="k">try</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">user</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">User</span><span class="p">.</span><span class="nf">findById</span><span class="p">(</span><span class="nx">userId</span><span class="p">);</span> <span class="k">if </span><span class="p">(</span><span class="o">!</span><span class="nx">user</span><span class="p">)</span> <span class="p">{</span> <span class="k">throw</span> <span class="k">new</span> <span class="nc">ApiError</span><span class="p">(</span><span class="mi">404</span><span class="p">,</span> <span class="dl">"</span><span class="s2">User not found</span><span class="dl">"</span><span class="p">);</span> <span class="p">}</span> <span class="kd">const</span> <span class="nx">accessToken</span> <span class="o">=</span> <span class="nx">user</span><span class="p">.</span><span class="nf">generateAccessToken</span><span class="p">();</span> <span class="kd">const</span> <span class="nx">refreshToken</span> <span class="o">=</span> <span class="nx">user</span><span class="p">.</span><span class="nf">generateRefreshToken</span><span class="p">();</span> <span class="c1">// Store the refresh token in the database to manage active sessions</span> <span class="nx">user</span><span class="p">.</span><span class="nx">refreshToken</span> <span class="o">=</span> <span class="nx">refreshToken</span><span class="p">;</span> <span class="k">await</span> <span class="nx">user</span><span class="p">.</span><span class="nf">save</span><span class="p">({</span> <span class="na">validateBeforeSave</span><span class="p">:</span> <span class="kc">false</span> <span class="p">});</span> <span class="k">return</span> <span class="p">{</span> <span class="nx">accessToken</span><span class="p">,</span> <span class="nx">refreshToken</span> <span class="p">};</span> <span class="p">}</span> <span class="k">catch </span><span class="p">(</span><span class="nx">err</span><span class="p">)</span> <span class="p">{</span> <span class="k">throw</span> <span class="k">new</span> <span class="nc">ApiError</span><span class="p">(</span><span class="mi">500</span><span class="p">,</span> <span class="dl">"</span><span class="s2">Error while generating authentication tokens</span><span class="dl">"</span><span class="p">);</span> <span class="p">}</span> <span class="p">};</span> </code></pre> </div> <blockquote> <p>🔒 <strong>Security Checkpoint: Why save the Refresh Token to the database?</strong><br> Storing refresh tokens statefully allows the backend to force a hard logout, instantly invalidate stolen sessions, and roll out security practices like refresh token rotation.</p> </blockquote> <h2> Step 4: Coding the Authentication Controllers </h2> <p>Now we implement our core application logic: User Registration, Login, and Session Management.</p> <h3> Shared Cookie Parameters </h3> <p>To guard against client-side script token theft, we enforce strict browser settings via cookie options:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="kd">const</span> <span class="nx">cookieOptions</span> <span class="o">=</span> <span class="p">{</span> <span class="na">httpOnly</span><span class="p">:</span> <span class="kc">true</span><span class="p">,</span> <span class="c1">// Prevents XSS script execution from reading the token</span> <span class="na">secure</span><span class="p">:</span> <span class="nx">process</span><span class="p">.</span><span class="nx">env</span><span class="p">.</span><span class="nx">NODE_ENV</span> <span class="o">===</span> <span class="dl">"</span><span class="s2">production</span><span class="dl">"</span><span class="p">,</span> <span class="c1">// Forces HTTPS connections in production</span> <span class="na">sameSite</span><span class="p">:</span> <span class="dl">"</span><span class="s2">strict</span><span class="dl">"</span> <span class="k">as</span> <span class="kd">const</span><span class="p">,</span> <span class="c1">// Suppresses CSRF attacks across origins</span> <span class="p">};</span> </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="k">import</span> <span class="p">{</span> <span class="kd">type</span> <span class="nx">Request</span><span class="p">,</span> <span class="kd">type</span> <span class="nx">Response</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">"</span><span class="s2">express</span><span class="dl">"</span><span class="p">;</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">User</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">"</span><span class="s2">../models/User.model.js</span><span class="dl">"</span><span class="p">;</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">ApiError</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">"</span><span class="s2">../utils/ApiError.js</span><span class="dl">"</span><span class="p">;</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">ApiResponse</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">"</span><span class="s2">../utils/ApiResponse.js</span><span class="dl">"</span><span class="p">;</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">generateTokens</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">"</span><span class="s2">../utils/generateTokens.js</span><span class="dl">"</span><span class="p">;</span> <span class="c1">// 1. REGISTER USER</span> <span class="k">export</span> <span class="kd">const</span> <span class="nx">registerUser</span> <span class="o">=</span> <span class="k">async </span><span class="p">(</span><span class="nx">req</span><span class="p">:</span> <span class="nx">Request</span><span class="p">,</span> <span class="nx">res</span><span class="p">:</span> <span class="nx">Response</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="kd">const</span> <span class="p">{</span> <span class="nx">username</span><span class="p">,</span> <span class="nx">email</span><span class="p">,</span> <span class="nx">fullName</span><span class="p">,</span> <span class="nx">password</span> <span class="p">}</span> <span class="o">=</span> <span class="nx">req</span><span class="p">.</span><span class="nx">body</span><span class="p">;</span> <span class="k">if </span><span class="p">([</span><span class="nx">fullName</span><span class="p">,</span> <span class="nx">email</span><span class="p">,</span> <span class="nx">username</span><span class="p">,</span> <span class="nx">password</span><span class="p">].</span><span class="nf">some</span><span class="p">((</span><span class="nx">field</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="nx">field</span><span class="p">?.</span><span class="nf">trim</span><span class="p">()</span> <span class="o">===</span> <span class="dl">""</span><span class="p">))</span> <span class="p">{</span> <span class="k">throw</span> <span class="k">new</span> <span class="nc">ApiError</span><span class="p">(</span><span class="mi">400</span><span class="p">,</span> <span class="dl">"</span><span class="s2">All registration fields are required</span><span class="dl">"</span><span class="p">);</span> <span class="p">}</span> <span class="kd">const</span> <span class="nx">userExists</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">User</span><span class="p">.</span><span class="nf">findOne</span><span class="p">({</span> <span class="na">$or</span><span class="p">:</span> <span class="p">[{</span> <span class="nx">username</span> <span class="p">},</span> <span class="p">{</span> <span class="nx">email</span> <span class="p">}]</span> <span class="p">});</span> <span class="k">if </span><span class="p">(</span><span class="nx">userExists</span><span class="p">)</span> <span class="p">{</span> <span class="k">throw</span> <span class="k">new</span> <span class="nc">ApiError</span><span class="p">(</span><span class="mi">409</span><span class="p">,</span> <span class="dl">"</span><span class="s2">A user with this username or email already exists</span><span class="dl">"</span><span class="p">);</span> <span class="p">}</span> <span class="kd">const</span> <span class="nx">user</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">User</span><span class="p">.</span><span class="nf">create</span><span class="p">({</span> <span class="nx">fullName</span><span class="p">,</span> <span class="nx">email</span><span class="p">,</span> <span class="nx">password</span><span class="p">,</span> <span class="na">username</span><span class="p">:</span> <span class="nx">username</span><span class="p">.</span><span class="nf">toLowerCase</span><span class="p">(),</span> <span class="p">});</span> <span class="kd">const</span> <span class="nx">createdUser</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">User</span><span class="p">.</span><span class="nf">findById</span><span class="p">(</span><span class="nx">user</span><span class="p">.</span><span class="nx">_id</span><span class="p">).</span><span class="nf">select</span><span class="p">(</span><span class="dl">"</span><span class="s2">-password -refreshToken</span><span class="dl">"</span><span class="p">);</span> <span class="k">if </span><span class="p">(</span><span class="o">!</span><span class="nx">createdUser</span><span class="p">)</span> <span class="p">{</span> <span class="k">throw</span> <span class="k">new</span> <span class="nc">ApiError</span><span class="p">(</span><span class="mi">500</span><span class="p">,</span> <span class="dl">"</span><span class="s2">Something went wrong while creating the user account</span><span class="dl">"</span><span class="p">);</span> <span class="p">}</span> <span class="k">return</span> <span class="nx">res</span><span class="p">.</span><span class="nf">status</span><span class="p">(</span><span class="mi">201</span><span class="p">).</span><span class="nf">json</span><span class="p">(</span> <span class="k">new</span> <span class="nc">ApiResponse</span><span class="p">(</span><span class="mi">201</span><span class="p">,</span> <span class="nx">createdUser</span><span class="p">,</span> <span class="dl">"</span><span class="s2">User registered successfully</span><span class="dl">"</span><span class="p">)</span> <span class="p">);</span> <span class="p">};</span> <span class="c1">// 2. LOGIN USER</span> <span class="k">export</span> <span class="kd">const</span> <span class="nx">loginUser</span> <span class="o">=</span> <span class="k">async </span><span class="p">(</span><span class="nx">req</span><span class="p">:</span> <span class="nx">Request</span><span class="p">,</span> <span class="nx">res</span><span class="p">:</span> <span class="nx">Response</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="kd">const</span> <span class="p">{</span> <span class="nx">username</span><span class="p">,</span> <span class="nx">email</span><span class="p">,</span> <span class="nx">password</span> <span class="p">}</span> <span class="o">=</span> <span class="nx">req</span><span class="p">.</span><span class="nx">body</span><span class="p">;</span> <span class="k">if </span><span class="p">(</span><span class="o">!</span><span class="nx">username</span> <span class="o">&amp;&amp;</span> <span class="o">!</span><span class="nx">email</span><span class="p">)</span> <span class="p">{</span> <span class="k">throw</span> <span class="k">new</span> <span class="nc">ApiError</span><span class="p">(</span><span class="mi">400</span><span class="p">,</span> <span class="dl">"</span><span class="s2">Username or email is required</span><span class="dl">"</span><span class="p">);</span> <span class="p">}</span> <span class="k">if </span><span class="p">(</span><span class="o">!</span><span class="nx">password</span><span class="p">)</span> <span class="p">{</span> <span class="k">throw</span> <span class="k">new</span> <span class="nc">ApiError</span><span class="p">(</span><span class="mi">400</span><span class="p">,</span> <span class="dl">"</span><span class="s2">Password field is required</span><span class="dl">"</span><span class="p">);</span> <span class="p">}</span> <span class="kd">const</span> <span class="nx">user</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">User</span><span class="p">.</span><span class="nf">findOne</span><span class="p">({</span> <span class="na">$or</span><span class="p">:</span> <span class="p">[{</span> <span class="nx">username</span> <span class="p">},</span> <span class="p">{</span> <span class="nx">email</span> <span class="p">}]</span> <span class="p">});</span> <span class="k">if </span><span class="p">(</span><span class="o">!</span><span class="nx">user</span><span class="p">)</span> <span class="p">{</span> <span class="k">throw</span> <span class="k">new</span> <span class="nc">ApiError</span><span class="p">(</span><span class="mi">404</span><span class="p">,</span> <span class="dl">"</span><span class="s2">User account does not exist</span><span class="dl">"</span><span class="p">);</span> <span class="p">}</span> <span class="kd">const</span> <span class="nx">isPassValid</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">user</span><span class="p">.</span><span class="nf">isPasswordCorrect</span><span class="p">(</span><span class="nx">password</span><span class="p">);</span> <span class="k">if </span><span class="p">(</span><span class="o">!</span><span class="nx">isPassValid</span><span class="p">)</span> <span class="p">{</span> <span class="k">throw</span> <span class="k">new</span> <span class="nc">ApiError</span><span class="p">(</span><span class="mi">401</span><span class="p">,</span> <span class="dl">"</span><span class="s2">Invalid user credentials</span><span class="dl">"</span><span class="p">);</span> <span class="p">}</span> <span class="kd">const</span> <span class="p">{</span> <span class="nx">accessToken</span><span class="p">,</span> <span class="nx">refreshToken</span> <span class="p">}</span> <span class="o">=</span> <span class="k">await</span> <span class="nf">generateTokens</span><span class="p">(</span><span class="nx">user</span><span class="p">.</span><span class="nx">_id</span><span class="p">);</span> <span class="kd">const</span> <span class="nx">userData</span> <span class="o">=</span> <span class="p">{</span> <span class="na">_id</span><span class="p">:</span> <span class="nx">user</span><span class="p">.</span><span class="nx">_id</span><span class="p">,</span> <span class="na">fullName</span><span class="p">:</span> <span class="nx">user</span><span class="p">.</span><span class="nx">fullName</span><span class="p">,</span> <span class="na">username</span><span class="p">:</span> <span class="nx">user</span><span class="p">.</span><span class="nx">username</span><span class="p">,</span> <span class="na">email</span><span class="p">:</span> <span class="nx">user</span><span class="p">.</span><span class="nx">email</span><span class="p">,</span> <span class="na">avatarUrl</span><span class="p">:</span> <span class="nx">user</span><span class="p">.</span><span class="nx">avatarUrl</span><span class="p">,</span> <span class="p">};</span> <span class="k">return</span> <span class="nx">res</span> <span class="p">.</span><span class="nf">status</span><span class="p">(</span><span class="mi">200</span><span class="p">)</span> <span class="p">.</span><span class="nf">cookie</span><span class="p">(</span><span class="dl">"</span><span class="s2">accessToken</span><span class="dl">"</span><span class="p">,</span> <span class="nx">accessToken</span><span class="p">,</span> <span class="nx">cookieOptions</span><span class="p">)</span> <span class="p">.</span><span class="nf">cookie</span><span class="p">(</span><span class="dl">"</span><span class="s2">refreshToken</span><span class="dl">"</span><span class="p">,</span> <span class="nx">refreshToken</span><span class="p">,</span> <span class="nx">cookieOptions</span><span class="p">)</span> <span class="p">.</span><span class="nf">json</span><span class="p">(</span> <span class="k">new</span> <span class="nc">ApiResponse</span><span class="p">(</span><span class="mi">200</span><span class="p">,</span> <span class="p">{</span> <span class="na">user</span><span class="p">:</span> <span class="nx">userData</span><span class="p">,</span> <span class="nx">accessToken</span><span class="p">,</span> <span class="nx">refreshToken</span> <span class="p">},</span> <span class="dl">"</span><span class="s2">User logged in successfully</span><span class="dl">"</span><span class="p">)</span> <span class="p">);</span> <span class="p">};</span> <span class="c1">// 3. REFRESH ACCESS TOKEN</span> <span class="k">export</span> <span class="kd">const</span> <span class="nx">refreshAccessToken</span> <span class="o">=</span> <span class="k">async </span><span class="p">(</span><span class="nx">req</span><span class="p">:</span> <span class="nx">Request</span><span class="p">,</span> <span class="nx">res</span><span class="p">:</span> <span class="nx">Response</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">incomingRefreshToken</span> <span class="o">=</span> <span class="nx">req</span><span class="p">.</span><span class="nx">cookies</span><span class="p">.</span><span class="nx">refreshToken</span> <span class="o">||</span> <span class="nx">req</span><span class="p">.</span><span class="nx">body</span><span class="p">.</span><span class="nx">refreshToken</span><span class="p">;</span> <span class="k">if </span><span class="p">(</span><span class="o">!</span><span class="nx">incomingRefreshToken</span><span class="p">)</span> <span class="p">{</span> <span class="k">throw</span> <span class="k">new</span> <span class="nc">ApiError</span><span class="p">(</span><span class="mi">401</span><span class="p">,</span> <span class="dl">"</span><span class="s2">Refresh token is missing</span><span class="dl">"</span><span class="p">);</span> <span class="p">}</span> <span class="k">try</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">decodedToken</span> <span class="o">=</span> <span class="nx">jwt</span><span class="p">.</span><span class="nf">verify</span><span class="p">(</span><span class="nx">incomingRefreshToken</span><span class="p">,</span> <span class="nx">process</span><span class="p">.</span><span class="nx">env</span><span class="p">.</span><span class="nx">REFRESH_TOKEN_SECRET</span><span class="o">!</span><span class="p">)</span> <span class="k">as</span> <span class="kr">any</span><span class="p">;</span> <span class="kd">const</span> <span class="nx">user</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">User</span><span class="p">.</span><span class="nf">findById</span><span class="p">(</span><span class="nx">decodedToken</span><span class="p">?.</span><span class="nx">_id</span><span class="p">);</span> <span class="k">if </span><span class="p">(</span><span class="o">!</span><span class="nx">user</span><span class="p">)</span> <span class="p">{</span> <span class="k">throw</span> <span class="k">new</span> <span class="nc">ApiError</span><span class="p">(</span><span class="mi">401</span><span class="p">,</span> <span class="dl">"</span><span class="s2">Invalid refresh token: User context not found</span><span class="dl">"</span><span class="p">);</span> <span class="p">}</span> <span class="k">if </span><span class="p">(</span><span class="nx">user</span><span class="p">.</span><span class="nx">refreshToken</span> <span class="o">!==</span> <span class="nx">incomingRefreshToken</span><span class="p">)</span> <span class="p">{</span> <span class="k">throw</span> <span class="k">new</span> <span class="nc">ApiError</span><span class="p">(</span><span class="mi">401</span><span class="p">,</span> <span class="dl">"</span><span class="s2">Refresh token has expired or been revoked</span><span class="dl">"</span><span class="p">);</span> <span class="p">}</span> <span class="kd">const</span> <span class="p">{</span> <span class="nx">accessToken</span><span class="p">,</span> <span class="na">refreshToken</span><span class="p">:</span> <span class="nx">newRefreshToken</span> <span class="p">}</span> <span class="o">=</span> <span class="k">await</span> <span class="nf">generateTokens</span><span class="p">(</span><span class="nx">user</span><span class="p">.</span><span class="nx">_id</span><span class="p">);</span> <span class="k">return</span> <span class="nx">res</span> <span class="p">.</span><span class="nf">status</span><span class="p">(</span><span class="mi">200</span><span class="p">)</span> <span class="p">.</span><span class="nf">cookie</span><span class="p">(</span><span class="dl">"</span><span class="s2">accessToken</span><span class="dl">"</span><span class="p">,</span> <span class="nx">accessToken</span><span class="p">,</span> <span class="nx">cookieOptions</span><span class="p">)</span> <span class="p">.</span><span class="nf">cookie</span><span class="p">(</span><span class="dl">"</span><span class="s2">refreshToken</span><span class="dl">"</span><span class="p">,</span> <span class="nx">newRefreshToken</span><span class="p">,</span> <span class="nx">cookieOptions</span><span class="p">)</span> <span class="p">.</span><span class="nf">json</span><span class="p">(</span> <span class="k">new</span> <span class="nc">ApiResponse</span><span class="p">(</span><span class="mi">200</span><span class="p">,</span> <span class="p">{</span> <span class="nx">accessToken</span><span class="p">,</span> <span class="na">refreshToken</span><span class="p">:</span> <span class="nx">newRefreshToken</span> <span class="p">},</span> <span class="dl">"</span><span class="s2">Access token refreshed successfully</span><span class="dl">"</span><span class="p">)</span> <span class="p">);</span> <span class="p">}</span> <span class="k">catch </span><span class="p">(</span><span class="na">err</span><span class="p">:</span> <span class="kr">any</span><span class="p">)</span> <span class="p">{</span> <span class="k">throw</span> <span class="k">new</span> <span class="nc">ApiError</span><span class="p">(</span><span class="mi">401</span><span class="p">,</span> <span class="nx">err</span><span class="p">?.</span><span class="nx">message</span> <span class="o">||</span> <span class="dl">"</span><span class="s2">Invalid refresh token signature</span><span class="dl">"</span><span class="p">);</span> <span class="p">}</span> <span class="p">};</span> <span class="c1">// 4. LOGOUT USER</span> <span class="k">export</span> <span class="kd">const</span> <span class="nx">logoutUser</span> <span class="o">=</span> <span class="k">async </span><span class="p">(</span><span class="nx">req</span><span class="p">:</span> <span class="nx">Request</span><span class="p">,</span> <span class="nx">res</span><span class="p">:</span> <span class="nx">Response</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">userId</span> <span class="o">=</span> <span class="nx">req</span><span class="p">.</span><span class="nx">user</span><span class="p">?.</span><span class="nx">_id</span><span class="p">;</span> <span class="k">if </span><span class="p">(</span><span class="o">!</span><span class="nx">userId</span><span class="p">)</span> <span class="p">{</span> <span class="k">throw</span> <span class="k">new</span> <span class="nc">ApiError</span><span class="p">(</span><span class="mi">400</span><span class="p">,</span> <span class="dl">"</span><span class="s2">Authenticated user context required for logout</span><span class="dl">"</span><span class="p">);</span> <span class="p">}</span> <span class="c1">// Clear the database reference token completely</span> <span class="k">await</span> <span class="nx">User</span><span class="p">.</span><span class="nf">findByIdAndUpdate</span><span class="p">(</span><span class="nx">userId</span><span class="p">,</span> <span class="p">{</span> <span class="na">$unset</span><span class="p">:</span> <span class="p">{</span> <span class="na">refreshToken</span><span class="p">:</span> <span class="mi">1</span> <span class="p">}</span> <span class="p">});</span> <span class="k">return</span> <span class="nx">res</span> <span class="p">.</span><span class="nf">status</span><span class="p">(</span><span class="mi">200</span><span class="p">)</span> <span class="p">.</span><span class="nf">clearCookie</span><span class="p">(</span><span class="dl">"</span><span class="s2">accessToken</span><span class="dl">"</span><span class="p">,</span> <span class="nx">cookieOptions</span><span class="p">)</span> <span class="p">.</span><span class="nf">clearCookie</span><span class="p">(</span><span class="dl">"</span><span class="s2">refreshToken</span><span class="dl">"</span><span class="p">,</span> <span class="nx">cookieOptions</span><span class="p">)</span> <span class="p">.</span><span class="nf">json</span><span class="p">(</span><span class="k">new</span> <span class="nc">ApiResponse</span><span class="p">(</span><span class="mi">200</span><span class="p">,</span> <span class="p">{},</span> <span class="dl">"</span><span class="s2">User logged out successfully</span><span class="dl">"</span><span class="p">));</span> <span class="p">};</span> </code></pre> </div> <h2> Step 5: Building the Gatekeeper (Auth Middleware) </h2> <p>Any resource route requiring active authentication runs through this middleware. It validates the incoming token and attaches the complete user details to the Request lifecycle object.</p> <p><code>src/middlewares/auth.middleware.ts</code><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="k">import</span> <span class="p">{</span> <span class="kd">type</span> <span class="nx">NextFunction</span><span class="p">,</span> <span class="kd">type</span> <span class="nx">Request</span><span class="p">,</span> <span class="kd">type</span> <span class="nx">Response</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">"</span><span class="s2">express</span><span class="dl">"</span><span class="p">;</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">User</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">"</span><span class="s2">../models/User.model.js</span><span class="dl">"</span><span class="p">;</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">ApiError</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">"</span><span class="s2">../utils/ApiError.js</span><span class="dl">"</span><span class="p">;</span> <span class="k">import</span> <span class="nx">jwt</span><span class="p">,</span> <span class="p">{</span> <span class="kd">type</span> <span class="nx">JwtPayload</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">"</span><span class="s2">jsonwebtoken</span><span class="dl">"</span><span class="p">;</span> <span class="k">export</span> <span class="kd">const</span> <span class="nx">verifyJWT</span> <span class="o">=</span> <span class="k">async </span><span class="p">(</span><span class="nx">req</span><span class="p">:</span> <span class="nx">Request</span><span class="p">,</span> <span class="nx">_</span><span class="p">:</span> <span class="nx">Response</span><span class="p">,</span> <span class="nx">next</span><span class="p">:</span> <span class="nx">NextFunction</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="k">try</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">accessToken</span> <span class="o">=</span> <span class="nx">req</span><span class="p">.</span><span class="nx">cookies</span><span class="p">?.</span><span class="nx">accessToken</span> <span class="o">||</span> <span class="nx">req</span><span class="p">.</span><span class="nf">header</span><span class="p">(</span><span class="dl">"</span><span class="s2">Authorization</span><span class="dl">"</span><span class="p">)?.</span><span class="nf">replace</span><span class="p">(</span><span class="dl">"</span><span class="s2">Bearer </span><span class="dl">"</span><span class="p">,</span> <span class="dl">""</span><span class="p">);</span> <span class="k">if </span><span class="p">(</span><span class="o">!</span><span class="nx">accessToken</span><span class="p">)</span> <span class="p">{</span> <span class="k">throw</span> <span class="k">new</span> <span class="nc">ApiError</span><span class="p">(</span><span class="mi">401</span><span class="p">,</span> <span class="dl">"</span><span class="s2">Authentication required: Access token missing</span><span class="dl">"</span><span class="p">);</span> <span class="p">}</span> <span class="kd">const</span> <span class="nx">decodedToken</span> <span class="o">=</span> <span class="nx">jwt</span><span class="p">.</span><span class="nf">verify</span><span class="p">(</span><span class="nx">accessToken</span><span class="p">,</span> <span class="nx">process</span><span class="p">.</span><span class="nx">env</span><span class="p">.</span><span class="nx">ACCESS_TOKEN_SECRET</span><span class="o">!</span><span class="p">)</span> <span class="k">as</span> <span class="nx">JwtPayload</span><span class="p">;</span> <span class="kd">const</span> <span class="nx">user</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">User</span><span class="p">.</span><span class="nf">findById</span><span class="p">(</span><span class="nx">decodedToken</span><span class="p">.</span><span class="nx">_id</span><span class="p">).</span><span class="nf">select</span><span class="p">(</span><span class="dl">"</span><span class="s2">-password -refreshToken</span><span class="dl">"</span><span class="p">);</span> <span class="k">if </span><span class="p">(</span><span class="o">!</span><span class="nx">user</span><span class="p">)</span> <span class="p">{</span> <span class="k">throw</span> <span class="k">new</span> <span class="nc">ApiError</span><span class="p">(</span><span class="mi">401</span><span class="p">,</span> <span class="dl">"</span><span class="s2">Authentication failed: Revoked user authorization</span><span class="dl">"</span><span class="p">);</span> <span class="p">}</span> <span class="nx">req</span><span class="p">.</span><span class="nx">user</span> <span class="o">=</span> <span class="nx">user</span><span class="p">;</span> <span class="nf">next</span><span class="p">();</span> <span class="p">}</span> <span class="k">catch </span><span class="p">(</span><span class="na">error</span><span class="p">:</span> <span class="kr">any</span><span class="p">)</span> <span class="p">{</span> <span class="nf">next</span><span class="p">(</span><span class="k">new</span> <span class="nc">ApiError</span><span class="p">(</span><span class="mi">401</span><span class="p">,</span> <span class="nx">error</span><span class="p">?.</span><span class="nx">message</span> <span class="o">||</span> <span class="dl">"</span><span class="s2">Invalid or expired access token</span><span class="dl">"</span><span class="p">));</span> <span class="p">}</span> <span class="p">};</span> </code></pre> </div> <blockquote> <p>🔒 <strong>Security Checkpoint: Why verify against the Database?</strong><br> A standalone JWT verification can successfully pass if it hasn't expired yet—even if the user was deleted, banned, or had their account deactivated 2 minutes ago. Checking the database explicitly stops these zombie sessions instantly.</p> </blockquote> <h2> Step 6: Setting Up Express Auth Routes </h2> <p>Now, let's assemble our system components within our routing configurations. By chaining our controllers, we inject our <code>verifyJWT</code> gatekeeper directly in front of endpoints that demand active session contexts (like <code>/logout</code>).</p> <p><code>src/routes/auth.routes.ts</code><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="k">import</span> <span class="p">{</span> <span class="nx">Router</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">"</span><span class="s2">express</span><span class="dl">"</span><span class="p">;</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">loginUser</span><span class="p">,</span> <span class="nx">logoutUser</span><span class="p">,</span> <span class="nx">registerUser</span><span class="p">,</span> <span class="nx">refreshAccessToken</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">"</span><span class="s2">../controllers/auth.controller.js</span><span class="dl">"</span><span class="p">;</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">verifyJWT</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">"</span><span class="s2">../middlewares/auth.middleware.js</span><span class="dl">"</span><span class="p">;</span> <span class="kd">const</span> <span class="nx">router</span> <span class="o">=</span> <span class="nc">Router</span><span class="p">();</span> <span class="c1">// Public Routes</span> <span class="nx">router</span><span class="p">.</span><span class="nf">route</span><span class="p">(</span><span class="dl">"</span><span class="s2">/register</span><span class="dl">"</span><span class="p">).</span><span class="nf">post</span><span class="p">(</span><span class="nx">registerUser</span><span class="p">);</span> <span class="nx">router</span><span class="p">.</span><span class="nf">route</span><span class="p">(</span><span class="dl">"</span><span class="s2">/login</span><span class="dl">"</span><span class="p">).</span><span class="nf">post</span><span class="p">(</span><span class="nx">loginUser</span><span class="p">);</span> <span class="nx">router</span><span class="p">.</span><span class="nf">route</span><span class="p">(</span><span class="dl">"</span><span class="s2">/refresh-token</span><span class="dl">"</span><span class="p">).</span><span class="nf">post</span><span class="p">(</span><span class="nx">refreshAccessToken</span><span class="p">);</span> <span class="c1">// Protected Routes (Uses middleware prior to hitting the controller)</span> <span class="nx">router</span><span class="p">.</span><span class="nf">route</span><span class="p">(</span><span class="dl">"</span><span class="s2">/logout</span><span class="dl">"</span><span class="p">).</span><span class="nf">post</span><span class="p">(</span><span class="nx">verifyJWT</span><span class="p">,</span> <span class="nx">logoutUser</span><span class="p">);</span> <span class="k">export</span> <span class="k">default</span> <span class="nx">router</span><span class="p">;</span> </code></pre> </div> <blockquote> <p>💡 <strong>Intermediate Tip: Streamlining Bulk Protected Routes</strong><br> If you have dedicated route files where <em>every single endpoint</em> requires authentication (such as <code>user.routes.ts</code> or <code>dashboard.routes.ts</code>), passing <code>verifyJWT</code> individually can lead to repetitive code. Instead, mount the middleware at the root layout of the router:</p> <pre class="highlight typescript"><code><span class="kd">const</span> <span class="nx">router</span> <span class="o">=</span> <span class="nc">Router</span><span class="p">();</span> <span class="c1">// Mount globally onto this specific router group instance</span> <span class="nx">router</span><span class="p">.</span><span class="nf">use</span><span class="p">(</span><span class="nx">verifyJWT</span><span class="p">);</span> <span class="c1">// Every endpoint listed down below is automatically secured!</span> <span class="nx">router</span><span class="p">.</span><span class="nf">route</span><span class="p">(</span><span class="dl">"</span><span class="s2">/profile</span><span class="dl">"</span><span class="p">).</span><span class="nf">get</span><span class="p">(</span><span class="nx">getUserProfile</span><span class="p">);</span> <span class="nx">router</span><span class="p">.</span><span class="nf">route</span><span class="p">(</span><span class="dl">"</span><span class="s2">/settings</span><span class="dl">"</span><span class="p">).</span><span class="nf">patch</span><span class="p">(</span><span class="nx">updateSettings</span><span class="p">);</span> </code></pre> </blockquote> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code> <span class="o">---</span> <span class="err">##</span> <span class="nx">Step</span> <span class="mi">7</span><span class="p">:</span> <span class="nx">Extending</span> <span class="nx">Express</span> <span class="nx">Typing</span> <span class="nx">Configurations</span> <span class="nx">By</span> <span class="k">default</span><span class="p">,</span> <span class="nx">Express</span> <span class="nx">does</span> <span class="nx">not</span> <span class="nx">have</span> <span class="nx">a</span> <span class="s2">`user`</span> <span class="nx">property</span> <span class="nx">inside</span> <span class="nx">its</span> <span class="nb">global</span> <span class="s2">`Request`</span> <span class="nx">object</span><span class="p">.</span> <span class="nx">We</span> <span class="nx">use</span> <span class="nx">declaration</span> <span class="nx">merging</span> <span class="nx">to</span> <span class="nx">inject</span> <span class="nx">our</span> <span class="nx">custom</span> <span class="nx">Mongoose</span> <span class="nx">Document</span> <span class="nx">model</span> <span class="kd">type</span> <span class="nx">safely</span><span class="p">.</span> <span class="s2">`src/@types/express/index.d.ts`</span> </code></pre> </div> <p><br> ts<br> import { type IUserDocument } from "../../models/User.model.js";</p> <p>declare module "express-serve-static-core" {<br> interface Request {<br> user?: IUserDocument;<br> }<br> }</p> <p>export {};<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code> Make sure your `tsconfig.json` knows where to compile and read your local definitions files: </code></pre> </div> <p><br> json<br> {<br> "compilerOptions": {<br> "moduleResolution": "NodeNext",<br> "typeRoots": [<br> "./node_modules/@types",<br> "./src/@types"<br> ]<br> },<br> "include": [<br> "src/<strong>/*",<br> "src/@types/</strong>/*.d.ts"<br> ]<br> }</p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code> --- ## Final Checklist When building or updating your authentication service, ensure you check off these steps: * &lt;input type="checkbox" /&gt; Explicitly clear sensitive properties (`-password`, `-refreshToken`) when retrieving items. * &lt;input type="checkbox" /&gt; Passwords are automatically hashed via Mongoose hooks before persisting. * &lt;input type="checkbox" /&gt; Cookies use `httpOnly: true` and strict `sameSite` setups. * &lt;input type="checkbox" /&gt; Database validation is run after clearing the basic cryptographic token checks. Happy coding! 🚀 </code></pre> </div> jsonwebtoken express webdev backend NHero Sat, 23 May 2026 10:29:12 +0000 https://forem.com/nhero/struggled-with-google-oauth-in-express-typescript-i-made-a-step-by-step-guide-using-jwt-auth-b5m https://forem.com/nhero/struggled-with-google-oauth-in-express-typescript-i-made-a-step-by-step-guide-using-jwt-auth-b5m <div class="ltag__link--embedded"> <div class="crayons-story "> <a href="https://dev.to/nhero/google-login-in-express-with-passportjs-jwt-1483" class="crayons-story__hidden-navigation-link">Google Login in Express with PassportJS &amp; JWT</a> <div class="crayons-story__body crayons-story__body-full_post"> <div class="crayons-story__top"> <div class="crayons-story__meta"> <div class="crayons-story__author-pic"> <a href="/nhero" class="crayons-avatar crayons-avatar--l "> <img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F2071314%2F43bbd5b4-c0e3-4695-9c9a-c80cf051211d.png" alt="nhero profile" class="crayons-avatar__image" width="400" height="300"> </a> </div> <div> <div> <a href="/nhero" class="crayons-story__secondary fw-medium m:hidden"> NHero </a> <div class="profile-preview-card relative mb-4 s:mb-0 fw-medium hidden m:inline-block"> NHero <div id="story-author-preview-content-3731913" class="profile-preview-card__content crayons-dropdown branded-7 p-4 pt-0"> <div class="gap-4 grid"> <div class="-mt-4"> <a href="/nhero" class="flex"> <span class="crayons-avatar crayons-avatar--xl mr-2 shrink-0"> <img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F2071314%2F43bbd5b4-c0e3-4695-9c9a-c80cf051211d.png" class="crayons-avatar__image" alt="" width="400" height="300"> </span> <span class="crayons-link crayons-subtitle-2 mt-5">NHero</span> </a> </div> <div class="print-hidden"> Follow </div> <div class="author-preview-metadata-container"></div> </div> </div> </div> </div> <a href="https://dev.to/nhero/google-login-in-express-with-passportjs-jwt-1483" class="crayons-story__tertiary fs-xs"><time>May 23</time><span class="time-ago-indicator-initial-placeholder"></span></a> </div> </div> </div> <div class="crayons-story__indention"> <h2 class="crayons-story__title crayons-story__title-full_post"> <a href="https://dev.to/nhero/google-login-in-express-with-passportjs-jwt-1483" id="article-link-3731913"> Google Login in Express with PassportJS &amp; JWT </a> </h2> <div class="crayons-story__tags"> <a class="crayons-tag crayons-tag--monochrome " href="/t/webdev"><span class="crayons-tag__prefix">#</span>webdev</a> <a class="crayons-tag crayons-tag--monochrome " href="/t/backend"><span class="crayons-tag__prefix">#</span>backend</a> <a class="crayons-tag crayons-tag--monochrome " href="/t/express"><span class="crayons-tag__prefix">#</span>express</a> <a class="crayons-tag crayons-tag--monochrome " href="/t/passportjs"><span class="crayons-tag__prefix">#</span>passportjs</a> </div> <div class="crayons-story__bottom"> <div class="crayons-story__details"> <a href="https://dev.to/nhero/google-login-in-express-with-passportjs-jwt-1483" class="crayons-btn crayons-btn--s crayons-btn--ghost crayons-btn--icon-left"> <div class="multiple_reactions_aggregate"> <span class="multiple_reactions_icons_container"> <span class="crayons_icon_container"> <img src="https://assets.dev.to/assets/exploding-head-daceb38d627e6ae9b730f36a1e390fca556a4289d5a41abb2c35068ad3e2c4b5.svg" width="24" height="24"> </span> <span class="crayons_icon_container"> <img src="https://assets.dev.to/assets/multi-unicorn-b44d6f8c23cdd00964192bedc38af3e82463978aa611b4365bd33a0f1f4f3e97.svg" width="24" height="24"> </span> <span class="crayons_icon_container"> <img src="https://assets.dev.to/assets/sparkle-heart-5f9bee3767e18deb1bb725290cb151c25234768a0e9a2bd39370c382d02920cf.svg" width="24" height="24"> </span> </span> <span class="aggregate_reactions_counter">5<span class="hidden s:inline"> reactions</span></span> </div> </a> <a href="https://dev.to/nhero/google-login-in-express-with-passportjs-jwt-1483#comments" class="crayons-btn crayons-btn--s crayons-btn--ghost crayons-btn--icon-left flex items-center"> Comments <span class="hidden s:inline">Add Comment</span> </a> </div> <div class="crayons-story__save"> <small class="crayons-story__tertiary fs-xs mr-2"> 3 min read </small> <span class="bm-initial"> </span> <span class="bm-success"> </span> </div> </div> </div> </div> </div> </div> backend node tutorial typescript NHero Sat, 23 May 2026 10:12:28 +0000 https://forem.com/nhero/google-login-in-express-with-passportjs-jwt-1483 https://forem.com/nhero/google-login-in-express-with-passportjs-jwt-1483 <h2> ⚡ Quick OAuth + JWT Architecture (For Fast Revision) </h2> <p>When handling social logins while maintaining a stateless JWT ecosystem, follow this flow:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>[User] --- 1. GET /auth/google ---&gt; [Passport Engine] ---&gt; (Redirects to Google Sign-In) [User] &lt;--- 2. Grants Permission -- [Google Server] [Backend Callback] &lt;-- 3. Code/Profile Handshake &lt;-- [Google Server] (Verifies &amp; Upserts User Profile) [User] &lt;--- 4. Sets Secure Access &amp; Refresh Cookies --- [Backend Controller] (Generates Custom JWTs) </code></pre> </div> <h3> Core Strategy Rules </h3> <ul> <li><p><strong>No Server-Side Sessions:</strong> We explicitly disable <code>passport</code> session serialization (<code>session: false</code>) because our app uses stateless JWT tokens.</p></li> <li><p><strong>User Accounts Linking:</strong> If a user registers normally with an email address and later hits the "Sign In with Google" button, we automatically link the identity by pinning the <code>googleId</code> onto the pre-existing document profile.</p></li> </ul> <h2> Prerequisites &amp; Dependencies </h2> <h3> 📂 Project Structure </h3> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>└── src/ ├── config/ ├── controllers/ ├── middlewares/ ├── models/ ├── routes/ ├── utils/ ├── app.ts └── index.ts ├── .env </code></pre> </div> <h3> 📥 Install Required Packages </h3> <p>Execute the following installation string to fetch Passport.js, the Google OAuth2.0 strategy token extensions, and their respective type-hint definitions:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>npm <span class="nb">install </span>passport passport-google-oauth20 jsonwebtoken cookie-parser bcrypt mongoose npm <span class="nb">install</span> <span class="nt">-D</span> @types/passport-google-oauth20 </code></pre> </div> <h2> Step 1: Cloud Console Configurations </h2> <p>Before writing software, you need application credentials from the Google Cloud Dashboard.</p> <ol> <li><p>Navigate to the <a href="https://console.cloud.google.com/" rel="noopener noreferrer"><strong>Google Cloud Console</strong></a>.</p></li> <li><p><strong>Create a New Project</strong> using the project selection drop-down layout.<br> <a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F1db9fbw85hpodenwwqij.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F1db9fbw85hpodenwwqij.png" alt="create a new project" width="708" height="569"></a></p></li> <li><p>Configure your <strong>OAuth Consent Screen</strong> and designate the publishing status as <em>External</em>.<br> <a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F8gaicr56cw4q3544hr86.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F8gaicr56cw4q3544hr86.png" alt="Configure OAuth Consent Screen" width="800" height="341"></a></p></li> <li><p>Head to the <strong>Clients</strong> page, choose <strong>Create Clients</strong>, and click <strong>OAuth Client ID</strong>.<br> <a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fkpcbyuoxkt1jsurtbz7e.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fkpcbyuoxkt1jsurtbz7e.png" alt="go to clients" width="431" height="588"></a><br> <a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fdqe2wk67t3obj6avclkh.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fdqe2wk67t3obj6avclkh.png" alt="create oauth2.0 client" width="652" height="440"></a></p></li> <li><p>Set the application type to <em>Web Application</em> and add your explicit callback mapping:<br> <a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F6vlpn8yym5c5xm4l07dv.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F6vlpn8yym5c5xm4l07dv.png" alt="create oauth2.0 client" width="679" height="949"></a></p></li> </ol> <ul> <li> <strong>Authorized Redirect URIs:</strong> <code>http://localhost:3000/api/v1/auth/google/callback</code> </li> </ul> <ol> <li>Save your changes and copy your <strong>Client ID</strong> and <strong>Client Secret</strong> tokens. <img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fgddvpqsxlml4ag84wnfg.png" alt="copy credentials" width="620" height="785"> </li> </ol> <h3> 🌐 Environment Setup </h3> <p>Append these key-value configurations to your root <code>.env</code> file environment block:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>GOOGLE_CLIENT_ID=your_google_client_id_here GOOGLE_CLIENT_SECRET=your_google_client_secret_here GOOGLE_CALLBACK_URL=http://localhost:3000/api/v1/auth/google/callback </code></pre> </div> <h2> Step 2: Adapting the Database Schema </h2> <p>To support alternative OAuth logins alongside traditional password profiles, update your Mongoose Model configuration.</p> <blockquote> <p>🔒 <strong>Critical Security Rule</strong><br> When integrating third-party OAuth provider chains, you <strong>must make your schema's <code>password</code> string optional</strong> (<code>required: false</code>). This allows users who signed up with Google to create accounts without passwords.</p> </blockquote> <p>Make sure these key fields are mapped out in your user schema definitions:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="kd">const</span> <span class="nx">userSchema</span> <span class="o">=</span> <span class="k">new</span> <span class="nc">Schema</span><span class="p">({</span> <span class="na">username</span><span class="p">:</span> <span class="p">{</span> <span class="na">type</span><span class="p">:</span> <span class="nb">String</span><span class="p">,</span> <span class="na">required</span><span class="p">:</span> <span class="kc">true</span><span class="p">,</span> <span class="na">unique</span><span class="p">:</span> <span class="kc">true</span> <span class="p">},</span> <span class="na">email</span><span class="p">:</span> <span class="p">{</span> <span class="na">type</span><span class="p">:</span> <span class="nb">String</span><span class="p">,</span> <span class="na">required</span><span class="p">:</span> <span class="kc">true</span><span class="p">,</span> <span class="na">unique</span><span class="p">:</span> <span class="kc">true</span> <span class="p">},</span> <span class="c1">// Make password optional for OAuth registrations!</span> <span class="na">password</span><span class="p">:</span> <span class="p">{</span> <span class="na">type</span><span class="p">:</span> <span class="nb">String</span><span class="p">,</span> <span class="na">required</span><span class="p">:</span> <span class="kc">false</span> <span class="p">},</span> <span class="na">avatarUrl</span><span class="p">:</span> <span class="p">{</span> <span class="na">type</span><span class="p">:</span> <span class="nb">String</span> <span class="p">},</span> <span class="na">refreshToken</span><span class="p">:</span> <span class="p">{</span> <span class="na">type</span><span class="p">:</span> <span class="nb">String</span> <span class="p">},</span> <span class="na">googleId</span><span class="p">:</span> <span class="p">{</span> <span class="na">type</span><span class="p">:</span> <span class="nb">String</span> <span class="p">}</span> <span class="c1">// Keeps track of mapped Google profiles</span> <span class="p">});</span> </code></pre> </div> <p>To maintain security, place an evaluation guard inside your traditional login controllers so social-only accounts cannot be hijacked through brute-force attempts:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="k">if </span><span class="p">(</span><span class="o">!</span><span class="nx">user</span><span class="p">.</span><span class="nx">password</span><span class="p">)</span> <span class="p">{</span> <span class="k">throw</span> <span class="k">new</span> <span class="nc">ApiError</span><span class="p">(</span><span class="mi">400</span><span class="p">,</span> <span class="dl">"</span><span class="s2">This account was registered via Google Sign-In. Please log in using Google.</span><span class="dl">"</span><span class="p">);</span> <span class="p">}</span> </code></pre> </div> <h2> Step 3: Architecting the Passport Strategy </h2> <p>Now we configure Passport to handle Google authentication.</p> <p>Here we:</p> <ul> <li>receive the Google profile</li> <li>check if the user already exists</li> <li>create a new account if needed</li> <li>link existing accounts using email </li> </ul> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="k">import</span> <span class="nx">passport</span> <span class="k">from</span> <span class="dl">"</span><span class="s2">passport</span><span class="dl">"</span><span class="p">;</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">Strategy</span> <span class="k">as</span> <span class="nx">GoogleStrategy</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">"</span><span class="s2">passport-google-oauth20</span><span class="dl">"</span><span class="p">;</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">User</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">"</span><span class="s2">../models/User.model.js</span><span class="dl">"</span><span class="p">;</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">generateUsername</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">"</span><span class="s2">../utils/usernameGen.js</span><span class="dl">"</span><span class="p">;</span> <span class="nx">passport</span><span class="p">.</span><span class="nf">use</span><span class="p">(</span> <span class="k">new</span> <span class="nc">GoogleStrategy</span><span class="p">(</span> <span class="p">{</span> <span class="na">clientID</span><span class="p">:</span> <span class="nx">process</span><span class="p">.</span><span class="nx">env</span><span class="p">.</span><span class="nx">GOOGLE_CLIENT_ID</span><span class="o">!</span><span class="p">,</span> <span class="na">clientSecret</span><span class="p">:</span> <span class="nx">process</span><span class="p">.</span><span class="nx">env</span><span class="p">.</span><span class="nx">GOOGLE_CLIENT_SECRET</span><span class="o">!</span><span class="p">,</span> <span class="na">callbackURL</span><span class="p">:</span> <span class="nx">process</span><span class="p">.</span><span class="nx">env</span><span class="p">.</span><span class="nx">GOOGLE_CALLBACK_URL</span><span class="p">,</span> <span class="p">},</span> <span class="k">async </span><span class="p">(</span><span class="nx">_accessToken</span><span class="p">,</span> <span class="nx">_refreshToken</span><span class="p">,</span> <span class="nx">profile</span><span class="p">,</span> <span class="nx">done</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="k">try</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">email</span> <span class="o">=</span> <span class="nx">profile</span><span class="p">.</span><span class="nx">emails</span><span class="p">?.[</span><span class="mi">0</span><span class="p">]?.</span><span class="nx">value</span><span class="p">;</span> <span class="k">if </span><span class="p">(</span><span class="o">!</span><span class="nx">email</span><span class="p">)</span> <span class="p">{</span> <span class="k">return</span> <span class="nf">done</span><span class="p">(</span><span class="k">new</span> <span class="nc">Error</span><span class="p">(</span><span class="dl">"</span><span class="s2">Google account profile must yield a primary email address</span><span class="dl">"</span><span class="p">));</span> <span class="p">}</span> <span class="c1">// Look for an existing account matching either the googleId OR the email address</span> <span class="kd">let</span> <span class="nx">user</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">User</span><span class="p">.</span><span class="nf">findOne</span><span class="p">({</span> <span class="na">$or</span><span class="p">:</span> <span class="p">[{</span> <span class="na">googleId</span><span class="p">:</span> <span class="nx">profile</span><span class="p">.</span><span class="nx">id</span> <span class="p">},</span> <span class="p">{</span> <span class="nx">email</span> <span class="p">}],</span> <span class="p">});</span> <span class="c1">// Case 1: Account exists but lacks a googleId link (First-time social login for an existing user)</span> <span class="k">if </span><span class="p">(</span><span class="nx">user</span> <span class="o">&amp;&amp;</span> <span class="o">!</span><span class="nx">user</span><span class="p">.</span><span class="nx">googleId</span><span class="p">)</span> <span class="p">{</span> <span class="nx">user</span><span class="p">.</span><span class="nx">googleId</span> <span class="o">=</span> <span class="nx">profile</span><span class="p">.</span><span class="nx">id</span><span class="p">;</span> <span class="k">await</span> <span class="nx">user</span><span class="p">.</span><span class="nf">save</span><span class="p">();</span> <span class="p">}</span> <span class="c1">// Case 2: No account exists under this email - Create a brand new user profile</span> <span class="k">if </span><span class="p">(</span><span class="o">!</span><span class="nx">user</span><span class="p">)</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">uniqueUsername</span> <span class="o">=</span> <span class="k">await</span> <span class="nf">generateUsername</span><span class="p">(</span><span class="nx">profile</span><span class="p">.</span><span class="nx">displayName</span><span class="p">);</span> <span class="nx">user</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">User</span><span class="p">.</span><span class="nf">create</span><span class="p">({</span> <span class="na">username</span><span class="p">:</span> <span class="nx">uniqueUsername</span><span class="p">,</span> <span class="na">fullName</span><span class="p">:</span> <span class="nx">profile</span><span class="p">.</span><span class="nx">displayName</span><span class="p">,</span> <span class="nx">email</span><span class="p">,</span> <span class="na">googleId</span><span class="p">:</span> <span class="nx">profile</span><span class="p">.</span><span class="nx">id</span><span class="p">,</span> <span class="na">avatarUrl</span><span class="p">:</span> <span class="nx">profile</span><span class="p">.</span><span class="nx">photos</span><span class="p">?.[</span><span class="mi">0</span><span class="p">]?.</span><span class="nx">value</span> <span class="o">||</span> <span class="dl">""</span><span class="p">,</span> <span class="p">});</span> <span class="p">}</span> <span class="c1">// Remove sensitive fields before returning the user</span> <span class="kd">const</span> <span class="nx">sanitizedUser</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">User</span><span class="p">.</span><span class="nf">findById</span><span class="p">(</span><span class="nx">user</span><span class="p">.</span><span class="nx">_id</span><span class="p">).</span><span class="nf">select</span><span class="p">(</span><span class="dl">"</span><span class="s2">-password -refreshToken -googleId</span><span class="dl">"</span><span class="p">);</span> <span class="k">if </span><span class="p">(</span><span class="o">!</span><span class="nx">sanitizedUser</span><span class="p">)</span> <span class="p">{</span> <span class="k">return</span> <span class="nf">done</span><span class="p">(</span><span class="k">new</span> <span class="nc">Error</span><span class="p">(</span><span class="dl">"</span><span class="s2">User not found after creation</span><span class="dl">"</span><span class="p">));</span> <span class="p">}</span> <span class="k">return</span> <span class="nf">done</span><span class="p">(</span><span class="kc">null</span><span class="p">,</span> <span class="nx">sanitizedUser</span><span class="p">);</span> <span class="p">}</span> <span class="k">catch </span><span class="p">(</span><span class="nx">error</span><span class="p">)</span> <span class="p">{</span> <span class="k">return</span> <span class="nf">done</span><span class="p">(</span><span class="nx">error</span> <span class="k">as</span> <span class="nb">Error</span><span class="p">);</span> <span class="p">}</span> <span class="p">}</span> <span class="p">)</span> <span class="p">);</span> <span class="k">export</span> <span class="k">default</span> <span class="nx">passport</span><span class="p">;</span> </code></pre> </div> <h3> Dynamic Namespace Deduplication Utility </h3> <p>When creating users via OAuth, Google provides full display names, which aren't guaranteed to be unique, so we generate a fallback username if needed.:</p> <p><code>src/utils/usernameGen.ts</code><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="k">import</span> <span class="p">{</span> <span class="nx">User</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">"</span><span class="s2">../models/User.model.js</span><span class="dl">"</span><span class="p">;</span> <span class="k">export</span> <span class="kd">const</span> <span class="nx">generateUsername</span> <span class="o">=</span> <span class="k">async </span><span class="p">(</span> <span class="nx">displayName</span><span class="p">:</span> <span class="kr">string</span> <span class="p">):</span> <span class="nb">Promise</span><span class="o">&lt;</span><span class="kr">string</span><span class="o">&gt;</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">cleaned</span> <span class="o">=</span> <span class="nx">displayName</span> <span class="p">.</span><span class="nf">toLowerCase</span><span class="p">()</span> <span class="p">.</span><span class="nf">replace</span><span class="p">(</span><span class="sr">/</span><span class="se">[^</span><span class="sr">a-z0-9</span><span class="se">]</span><span class="sr">/g</span><span class="p">,</span> <span class="dl">""</span><span class="p">);</span> <span class="kd">const</span> <span class="nx">baseUsername</span> <span class="o">=</span> <span class="nx">cleaned</span><span class="p">.</span><span class="nx">length</span> <span class="o">&gt;</span> <span class="mi">0</span> <span class="p">?</span> <span class="nx">cleaned</span><span class="p">.</span><span class="nf">slice</span><span class="p">(</span><span class="mi">0</span><span class="p">,</span> <span class="mi">15</span><span class="p">)</span> <span class="p">:</span> <span class="dl">"</span><span class="s2">user</span><span class="dl">"</span><span class="p">;</span> <span class="kd">let</span> <span class="nx">username</span> <span class="o">=</span> <span class="dl">""</span><span class="p">;</span> <span class="kd">let</span> <span class="nx">exists</span> <span class="o">=</span> <span class="kc">true</span><span class="p">;</span> <span class="k">while </span><span class="p">(</span><span class="nx">exists</span><span class="p">)</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">suffix</span> <span class="o">=</span> <span class="nb">Math</span><span class="p">.</span><span class="nf">floor</span><span class="p">(</span> <span class="mi">1000</span> <span class="o">+</span> <span class="nb">Math</span><span class="p">.</span><span class="nf">random</span><span class="p">()</span> <span class="o">*</span> <span class="mi">9000</span> <span class="p">);</span> <span class="nx">username</span> <span class="o">=</span> <span class="s2">`</span><span class="p">${</span><span class="nx">baseUsername</span><span class="p">}${</span><span class="nx">suffix</span><span class="p">}</span><span class="s2">`</span><span class="p">;</span> <span class="nx">exists</span> <span class="o">=</span> <span class="o">!!</span><span class="p">(</span><span class="k">await</span> <span class="nx">User</span><span class="p">.</span><span class="nf">exists</span><span class="p">({</span> <span class="nx">username</span><span class="p">,</span> <span class="p">}));</span> <span class="p">}</span> <span class="k">return</span> <span class="nx">username</span><span class="p">;</span> <span class="p">};</span> </code></pre> </div> <h2> Step 4: Building the Callback Controller &amp; Routes </h2> <p>Once Passport successfully authenticates the user, control moves to our controller.. Here, we generate our custom app cookies and pass down the response payload.</p> <h3> The Controller Handlers </h3> <p><code>src/controllers/auth.controller.ts</code><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="k">import</span> <span class="p">{</span> <span class="kd">type</span> <span class="nx">Request</span><span class="p">,</span> <span class="kd">type</span> <span class="nx">Response</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">"</span><span class="s2">express</span><span class="dl">"</span><span class="p">;</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">generateTokens</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">"</span><span class="s2">../utils/generateTokens.js</span><span class="dl">"</span><span class="p">;</span> <span class="k">export</span> <span class="kd">const</span> <span class="nx">googleAuthCallback</span> <span class="o">=</span> <span class="k">async </span><span class="p">(</span><span class="nx">req</span><span class="p">:</span> <span class="nx">Request</span><span class="p">,</span> <span class="nx">res</span><span class="p">:</span> <span class="nx">Response</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="c1">// Passport injects the sanitized profile info onto the req.user property</span> <span class="kd">const</span> <span class="nx">user</span> <span class="o">=</span> <span class="nx">req</span><span class="p">.</span><span class="nx">user</span><span class="o">!</span><span class="p">;</span> <span class="c1">// Generate our system's regular custom JWT tokens</span> <span class="kd">const</span> <span class="p">{</span> <span class="nx">accessToken</span><span class="p">,</span> <span class="nx">refreshToken</span> <span class="p">}</span> <span class="o">=</span> <span class="k">await</span> <span class="nf">generateTokens</span><span class="p">(</span><span class="nx">user</span><span class="p">.</span><span class="nx">_id</span><span class="p">);</span> <span class="kd">const</span> <span class="nx">cookieOptions</span> <span class="o">=</span> <span class="p">{</span> <span class="na">httpOnly</span><span class="p">:</span> <span class="kc">true</span><span class="p">,</span> <span class="na">secure</span><span class="p">:</span> <span class="nx">process</span><span class="p">.</span><span class="nx">env</span><span class="p">.</span><span class="nx">NODE_ENV</span> <span class="o">===</span> <span class="dl">"</span><span class="s2">production</span><span class="dl">"</span><span class="p">,</span> <span class="na">sameSite</span><span class="p">:</span> <span class="dl">"</span><span class="s2">strict</span><span class="dl">"</span> <span class="k">as</span> <span class="kd">const</span><span class="p">,</span> <span class="p">};</span> <span class="k">return</span> <span class="nx">res</span> <span class="p">.</span><span class="nf">status</span><span class="p">(</span><span class="mi">200</span><span class="p">)</span> <span class="p">.</span><span class="nf">cookie</span><span class="p">(</span><span class="dl">"</span><span class="s2">accessToken</span><span class="dl">"</span><span class="p">,</span> <span class="nx">accessToken</span><span class="p">,</span> <span class="nx">cookieOptions</span><span class="p">)</span> <span class="p">.</span><span class="nf">cookie</span><span class="p">(</span><span class="dl">"</span><span class="s2">refreshToken</span><span class="dl">"</span><span class="p">,</span> <span class="nx">refreshToken</span><span class="p">,</span> <span class="nx">cookieOptions</span><span class="p">)</span> <span class="p">.</span><span class="nf">json</span><span class="p">({</span> <span class="na">success</span><span class="p">:</span> <span class="kc">true</span><span class="p">,</span> <span class="na">message</span><span class="p">:</span> <span class="dl">"</span><span class="s2">Google authentication handshake completed successfully</span><span class="dl">"</span><span class="p">,</span> <span class="nx">user</span><span class="p">,</span> <span class="p">});</span> <span class="p">};</span> </code></pre> </div> <h3> Defining Route Registrations </h3> <p><code>src/routes/auth.routes.ts</code><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="k">import</span> <span class="p">{</span> <span class="nx">Router</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">"</span><span class="s2">express</span><span class="dl">"</span><span class="p">;</span> <span class="k">import</span> <span class="nx">passport</span> <span class="k">from</span> <span class="dl">"</span><span class="s2">passport</span><span class="dl">"</span><span class="p">;</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">googleAuthCallback</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">"</span><span class="s2">../controllers/auth.controller.js</span><span class="dl">"</span><span class="p">;</span> <span class="kd">const</span> <span class="nx">router</span> <span class="o">=</span> <span class="nc">Router</span><span class="p">();</span> <span class="c1">// Route 1: Initial redirect request loop trigger</span> <span class="nx">router</span><span class="p">.</span><span class="nf">route</span><span class="p">(</span><span class="dl">"</span><span class="s2">/google</span><span class="dl">"</span><span class="p">).</span><span class="nf">get</span><span class="p">(</span> <span class="nx">passport</span><span class="p">.</span><span class="nf">authenticate</span><span class="p">(</span><span class="dl">"</span><span class="s2">google</span><span class="dl">"</span><span class="p">,</span> <span class="p">{</span> <span class="na">scope</span><span class="p">:</span> <span class="p">[</span><span class="dl">"</span><span class="s2">profile</span><span class="dl">"</span><span class="p">,</span> <span class="dl">"</span><span class="s2">email</span><span class="dl">"</span><span class="p">],</span> <span class="c1">// Target scope values required from Google Cloud console</span> <span class="na">session</span><span class="p">:</span> <span class="kc">false</span><span class="p">,</span> <span class="c1">// Ensures stateless JWT operations</span> <span class="p">})</span> <span class="p">);</span> <span class="c1">// Route 2: Target route intercept landing zone for redirect returns from Google</span> <span class="nx">router</span><span class="p">.</span><span class="nf">route</span><span class="p">(</span><span class="dl">"</span><span class="s2">/google/callback</span><span class="dl">"</span><span class="p">).</span><span class="nf">get</span><span class="p">(</span> <span class="nx">passport</span><span class="p">.</span><span class="nf">authenticate</span><span class="p">(</span><span class="dl">"</span><span class="s2">google</span><span class="dl">"</span><span class="p">,</span> <span class="p">{</span> <span class="na">failureRedirect</span><span class="p">:</span> <span class="dl">"</span><span class="s2">/login</span><span class="dl">"</span><span class="p">,</span> <span class="na">session</span><span class="p">:</span> <span class="kc">false</span><span class="p">,</span> <span class="na">failureMessage</span><span class="p">:</span> <span class="dl">"</span><span class="s2">Failed to login with Google credentials</span><span class="dl">"</span><span class="p">,</span> <span class="p">}),</span> <span class="nx">googleAuthCallback</span> <span class="p">);</span> <span class="k">export</span> <span class="k">default</span> <span class="nx">router</span><span class="p">;</span> </code></pre> </div> <h2> Step 5: Mounting Initializations </h2> <p>Finally, register and load the Passport setup directly within your core runtime file (<code>app.ts</code>) before mounting your routes.</p> <p><code>src/app.ts</code><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="k">import</span> <span class="nx">express</span> <span class="k">from</span> <span class="dl">"</span><span class="s2">express</span><span class="dl">"</span><span class="p">;</span> <span class="k">import</span> <span class="nx">cookieParser</span> <span class="k">from</span> <span class="dl">"</span><span class="s2">cookie-parser</span><span class="dl">"</span><span class="p">;</span> <span class="k">import</span> <span class="nx">passport</span> <span class="k">from</span> <span class="dl">"</span><span class="s2">./config/passport.js</span><span class="dl">"</span><span class="p">;</span> <span class="c1">// Loads strategy definitions</span> <span class="k">import</span> <span class="nx">authRouter</span> <span class="k">from</span> <span class="dl">"</span><span class="s2">./routes/auth.routes.js</span><span class="dl">"</span><span class="p">;</span> <span class="kd">const</span> <span class="nx">app</span> <span class="o">=</span> <span class="nf">express</span><span class="p">();</span> <span class="nx">app</span><span class="p">.</span><span class="nf">use</span><span class="p">(</span><span class="nx">express</span><span class="p">.</span><span class="nf">json</span><span class="p">());</span> <span class="nx">app</span><span class="p">.</span><span class="nf">use</span><span class="p">(</span><span class="nf">cookieParser</span><span class="p">());</span> <span class="c1">// Initialize Passport Engine</span> <span class="nx">app</span><span class="p">.</span><span class="nf">use</span><span class="p">(</span><span class="nx">passport</span><span class="p">.</span><span class="nf">initialize</span><span class="p">());</span> <span class="c1">// App Routes</span> <span class="nx">app</span><span class="p">.</span><span class="nf">use</span><span class="p">(</span><span class="dl">"</span><span class="s2">/api/v1/auth</span><span class="dl">"</span><span class="p">,</span> <span class="nx">authRouter</span><span class="p">);</span> <span class="k">export</span> <span class="p">{</span> <span class="nx">app</span> <span class="p">};</span> </code></pre> </div> <h2> 🛠️ Diagnostics &amp; Troubleshooting Checkpoints </h2> <blockquote> <p>⚠️ <strong>Common Bug: Redirection URI Mismatch Errors</strong><br> If Google dumps a configuration block error message on your display screen during testing, double-check that your callback strings match exactly across all three of these locations:</p> <ol> <li><p>The Allowed Callback parameter mapped inside your <strong>Cloud Dashboard Console</strong>.</p></li> <li><p>The <code>GOOGLE_CALLBACK_URL</code> literal configuration inside your <code>.env</code> workspace variables.</p></li> <li><p>The <code>callbackURL</code> property parameter initialized inside your Passport strategy constructor instantiation block.</p></li> </ol> </blockquote> <h2> Summary Checklist </h2> <ul> <li><p> Made backend password strings optional (<code>required: false</code>) on database models.</p></li> <li><p> Set <code>session: false</code> across all routing hooks to stay completely stateless.</p></li> <li><p> Bound fallback profile configurations matching <code>profile.emails?.[0]?.value</code> queries.</p></li> <li><p> Handled unique namespace fallback conflicts using clean alphanumeric deduplication utility logic.</p></li> </ul> <p>Happy coding! 🚀</p> webdev backend express passportjs