Forem: Shaik Ahmad Nawaz The latest articles on Forem by Shaik Ahmad Nawaz (@shaikahmadnawaz). https://forem.com/shaikahmadnawaz https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F801031%2F43bb5fbc-cb67-4a23-9b0f-3423aba1ba35.png Forem: Shaik Ahmad Nawaz https://forem.com/shaikahmadnawaz en How I Troubleshoot Kubernetes in Production Shaik Ahmad Nawaz Sun, 19 Apr 2026 06:30:28 +0000 https://forem.com/shaikahmadnawaz/how-i-troubleshoot-kubernetes-in-production-16co https://forem.com/shaikahmadnawaz/how-i-troubleshoot-kubernetes-in-production-16co <p>Kubernetes failures are rarely random. Most incidents repeat a small set of patterns - image pull issues, crash loops, pending pods, DNS failures, or network path problems.</p> <p>I used to jump between logs, dashboards, and guesses. Over time, I adopted a repeatable sequence that consistently shortens time-to-recovery. This post shares that sequence and the scenario patterns I've documented while troubleshooting Kubernetes workloads.</p> <h2> My Baseline Troubleshooting Flow </h2> <p>Before I try anything else, I run through this exact sequence:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># 1) Find failing workloads fast</span> kubectl get pods <span class="nt">-A</span> <span class="c"># 2) Inspect one failing pod deeply</span> kubectl describe pod &lt;pod&gt; <span class="nt">-n</span> &lt;ns&gt; <span class="c"># 3) Check current and previous container logs</span> kubectl logs &lt;pod&gt; <span class="nt">-n</span> &lt;ns&gt; kubectl logs &lt;pod&gt; <span class="nt">-n</span> &lt;ns&gt; <span class="nt">--previous</span> <span class="c"># 4) Confirm resource pressure and scheduling context</span> kubectl top nodes kubectl top pods <span class="nt">-n</span> &lt;ns&gt; <span class="c"># 5) Check related events chronologically</span> kubectl get events <span class="nt">-n</span> &lt;ns&gt; <span class="nt">--sort-by</span><span class="o">=</span>.metadata.creationTimestamp </code></pre> </div> <p>I follow this order deliberately. In Kubernetes, the fastest clue is often not the application log. It is the event stream, the restart reason, or the scheduler telling me exactly why the pod never became healthy.</p> <h2> How I Classify Failures </h2> <p>Once I see a failing pod, I classify it immediately. The classification decides everything - which commands I run next, who I involve, and what the fix path looks like.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>kubectl describe pod &lt;pod&gt; -n &lt;ns&gt; | +--&gt; ImagePullBackOff ----&gt; Check image/tag/secret | +--&gt; CrashLoopBackOff ---&gt; Check --previous logs/probes/OOM | +--&gt; Pending -----------&gt; Check scheduler events/PVC/quota | +--&gt; 502/503 -----------&gt; Check ingress -&gt; service -&gt; endpoints | +--&gt; DNS errors --------&gt; Check DNS resolution and CoreDNS health </code></pre> </div> <p>Each of these has a distinct diagnosis path. Treating them all as "pod is broken" wastes time.</p> <h2> Scenario 1: <code>ImagePullBackOff</code> </h2> <p><strong>Symptoms</strong><br><br> Pod stuck in <code>ImagePullBackOff</code>. Events show an auth error or image-not-found.</p> <p><strong>Diagnosis</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>kubectl describe pod &lt;pod&gt; <span class="nt">-n</span> &lt;ns&gt; kubectl get secret <span class="nt">-n</span> &lt;ns&gt; </code></pre> </div> <p>I look at the events section first. It usually says one of three things - the image tag doesn't exist, the registry credentials are wrong, or the pull secret is missing from the namespace entirely.</p> <p><strong>Common root causes</strong></p> <ul> <li>Wrong image tag - someone pushed to <code>latest</code> but the deployment references a specific tag that was never built</li> <li>Registry credentials expired or were rotated without updating the cluster secret</li> <li>Pull secret exists in one namespace but wasn't copied to the namespace where the pod is running</li> </ul> <p><strong>Recovery</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>kubectl <span class="nb">set </span>image deployment/&lt;deploy&gt; &lt;container&gt;<span class="o">=</span>&lt;registry&gt;/&lt;image&gt;:&lt;tag&gt; <span class="nt">-n</span> &lt;ns&gt; kubectl rollout status deployment/&lt;deploy&gt; <span class="nt">-n</span> &lt;ns&gt; </code></pre> </div> <p><strong>Prevention</strong></p> <ul> <li>Pin and validate image tags in CI - don't rely on <code>latest</code> </li> <li>Add pre-deploy registry access checks to your pipeline</li> </ul> <h2> Scenario 2: <code>CrashLoopBackOff</code> </h2> <p><strong>Symptoms</strong><br><br> Pod keeps restarting. Restart count climbs every few minutes.</p> <p><strong>Diagnosis</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>kubectl logs &lt;pod&gt; <span class="nt">-n</span> &lt;ns&gt; <span class="nt">--previous</span> kubectl describe pod &lt;pod&gt; <span class="nt">-n</span> &lt;ns&gt; </code></pre> </div> <p>The <code>--previous</code> flag is critical here. By the time you look at the pod, it might already be on its 10th restart. The current logs show a fresh boot, but the crash reason is in the previous container's output. I've seen people debug CrashLoopBackOff for 30 minutes without ever checking <code>--previous</code>.</p> <p><strong>Common root causes</strong></p> <ul> <li>Missing environment variables or secrets that the app expects at startup</li> <li>Startup command mismatch - the container entrypoint doesn't match what the Dockerfile expects</li> <li>Liveness probe too aggressive - the app needs 30 seconds to boot but the probe starts checking at 10 seconds</li> <li>OOM-kill - the container hits its memory limit and gets killed by the kernel </li> </ul> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>kubectl describe pod &lt;pod&gt; <span class="nt">-n</span> &lt;ns&gt; | <span class="nb">grep</span> <span class="nt">-E</span> <span class="s2">"OOMKilled|Reason|Exit Code"</span> </code></pre> </div> <p>If the exit code is <code>137</code>, that's OOM. Increase the memory limit or fix the memory leak.</p> <p><strong>Recovery</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>kubectl rollout restart deployment/&lt;deploy&gt; <span class="nt">-n</span> &lt;ns&gt; </code></pre> </div> <p>But only after you've fixed the underlying issue. Restarting a CrashLooping pod without fixing the cause just resets the backoff timer.</p> <p><strong>Prevention</strong></p> <ul> <li>Add startup probes in addition to liveness probes for slow-booting apps</li> <li>Keep probes environment-aware - staging and production might need different thresholds</li> </ul> <h2> Scenario 3: Pod Stuck in <code>Pending</code> </h2> <p><strong>Symptoms</strong><br><br> Pod never gets scheduled. It stays in <code>Pending</code> with no container starts.</p> <p><strong>Diagnosis</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>kubectl describe pod &lt;pod&gt; <span class="nt">-n</span> &lt;ns&gt; kubectl get nodes kubectl get pvc <span class="nt">-n</span> &lt;ns&gt; </code></pre> </div> <p>I don't treat <code>Pending</code> as one failure class. It is usually one of three things - scheduler capacity, placement policy, or storage readiness. That classification matters because each one belongs to a different owner and fix path.</p> <p><strong>Common root causes</strong></p> <ul> <li>Not enough CPU or memory available on any node - the pod's resource requests exceed what the cluster can offer</li> <li>Node taints or affinity rules preventing scheduling - the pod has constraints that no current node satisfies</li> <li>PVC is stuck in <code>Pending</code> - the storage class doesn't exist, the volume can't be provisioned, or the PVC is bound to a zone where no node lives</li> </ul> <p><strong>Recovery</strong></p> <ul> <li>Adjust resource requests and limits to match what the cluster can actually provide</li> <li>Scale the node pool or add nodes</li> <li>Fix the PVC - check storage class, provisioner, and zone alignment</li> </ul> <p><strong>Prevention</strong></p> <ul> <li>Capacity planning and quota reviews before traffic spikes</li> <li>Alert on unschedulable pods - don't wait for users to report it</li> </ul> <h2> Scenario 4: Ingress Returns 502 While Pods Look Fine </h2> <p><strong>Symptoms</strong><br><br> Pods are <code>Running</code>. The app works perfectly with <code>kubectl port-forward</code>. But the ingress or external gateway returns <code>502</code> or <code>503</code>.</p> <p>This is the most confusing failure I've debugged - everything looks healthy inside the cluster, but users can't reach the app.</p> <p><strong>Diagnosis</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>kubectl get svc <span class="nt">-n</span> &lt;ns&gt; kubectl get endpoints &lt;svc&gt; <span class="nt">-n</span> &lt;ns&gt; kubectl describe ingress &lt;ingress&gt; <span class="nt">-n</span> &lt;ns&gt; kubectl logs <span class="nt">-n</span> &lt;ingress-ns&gt; deploy/&lt;ingress-controller&gt; </code></pre> </div> <p>The key check is <code>kubectl get endpoints</code>. If the endpoints list is empty, the service selector doesn't match any running pod labels. The ingress is trying to route traffic to a service that has no backends.</p> <p><strong>Common root causes</strong></p> <ul> <li>Wrong service selector - the label in the service doesn't match the label on the pod</li> <li>Wrong target port - the service points to port <code>80</code> but the container listens on <code>8000</code> </li> <li>Readiness probe failures - pods are running but not ready, so they don't appear in the endpoints list</li> <li>Ingress backend path or host mismatch - the ingress rule expects <code>/api</code> but the app serves at <code>/</code> </li> </ul> <p><strong>Recovery</strong></p> <ul> <li>Fix the service selector or port mapping</li> <li>Correct the ingress backend rule</li> <li>Wait for endpoints to populate, then verify with <code>curl</code> </li> </ul> <p><strong>Prevention</strong></p> <ul> <li>Add smoke tests that validate the full ingress → service → pod path after every deployment</li> <li>Keep labels and port mappings under manifest lint or policy checks</li> </ul> <h2> Scenario 5: Cluster DNS Failure </h2> <p><strong>Symptoms</strong><br><br> App logs show hostname resolution errors. Pods are running, but internal or external dependency calls fail with DNS errors.</p> <p><strong>Diagnosis</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>kubectl <span class="nb">exec</span> <span class="nt">-it</span> &lt;pod&gt; <span class="nt">-n</span> &lt;ns&gt; <span class="nt">--</span> nslookup kubernetes.default.svc.cluster.local kubectl get deploy <span class="nt">-n</span> kube-system coredns kubectl get pods <span class="nt">-n</span> kube-system <span class="nt">-l</span> <span class="s1">'k8s-app in (kube-dns,coredns)'</span> kubectl logs <span class="nt">-n</span> kube-system deploy/coredns <span class="nt">--tail</span><span class="o">=</span>200 </code></pre> </div> <p>If the <code>nslookup</code> from inside the pod fails, the problem is CoreDNS, not the application. I've seen entire clusters go down because CoreDNS pods were OOM-killed or stuck in a crash loop - and every service-to-service call broke simultaneously.</p> <p><strong>Recovery</strong></p> <ul> <li>Restart unhealthy CoreDNS pods</li> <li>Fix bad CoreDNS ConfigMap or upstream resolver issues</li> <li>In AKS, <code>kubectl rollout restart deployment coredns -n kube-system</code> has fixed this for me multiple times</li> </ul> <p><strong>Prevention</strong></p> <ul> <li>Alert on CoreDNS restart spikes and resolution error rate</li> <li>Treat cluster DNS as a production dependency, not a background detail</li> </ul> <h2> Production Trade-offs </h2> <p>Every troubleshooting decision has trade-offs. Here are the ones I think about most:</p> <p><strong>Fast restarts vs preserving crash context</strong><br><br> Restarting quickly recovers service, but if you restart before reading <code>--previous</code> logs and events, you lose the crash evidence. I always capture the context first, then restart.</p> <p><strong>Tight probes vs startup tolerance</strong><br><br> Aggressive liveness probes detect failures fast, but they can create restart storms during cold starts or deployments. I use startup probes with generous initial delays for apps that take time to boot.</p> <p><strong>Higher resource requests vs cost efficiency</strong><br><br> Requesting more CPU and memory improves scheduling stability, but increases cluster cost and reduces bin-packing efficiency. I size requests based on actual p99 usage, not peak theoretical load.</p> <h2> Common Mistakes </h2> <ul> <li> <strong>Restarting deployments before reading events</strong> - The event stream often contains the exact failure reason. Read it first.</li> <li> <strong>Only checking current logs, not <code>--previous</code></strong> - The current container just booted. The crash happened in the previous one.</li> <li> <strong>Ignoring probe configuration during triage</strong> - A misconfigured liveness probe looks like an app crash. Check probe settings before blaming the code.</li> <li> <strong>Using broad emergency permissions and forgetting rollback</strong> - Granting cluster-admin to debug is fine in an emergency. Not revoking it afterwards is a security debt.</li> <li> <strong>Assuming <code>Running</code> means healthy</strong> - A pod can be <code>Running</code> but fail every readiness check. <code>Running</code> means the container started. It doesn't mean it's serving traffic.</li> </ul> <h2> Key Takeaways </h2> <ul> <li> <strong>Use a fixed sequence</strong> - <code>get pods</code> → <code>describe</code> → <code>logs --previous</code> → <code>top</code> → <code>events</code>. Every time.</li> <li> <strong>Classify the failure first</strong> - ImagePullBackOff, CrashLoopBackOff, Pending, 502, and DNS are different problems with different fix paths.</li> <li> <strong>Events tell you more than logs</strong> - The scheduler, kubelet, and controller manager write events before the app even starts.</li> <li> <strong>Keep recovery actions reversible</strong> - Restart before reinstall. Rollback before rewrite.</li> <li> <strong>Turn repeated incidents into platform safeguards</strong> - If the same failure happens twice, automate the detection or prevention.</li> </ul> <p><em>This is the workflow I use for every Kubernetes incident. The scenarios change, but the sequence stays the same.</em></p> kubernetes devops sre troubleshooting Simplified Security with Access and Refresh Tokens in Node.js Shaik Ahmad Nawaz Fri, 22 Dec 2023 14:01:02 +0000 https://forem.com/shaikahmadnawaz/simplified-security-with-access-and-refresh-tokens-in-nodejs-4aac https://forem.com/shaikahmadnawaz/simplified-security-with-access-and-refresh-tokens-in-nodejs-4aac <p>Hey there! Ever wondered how websites keep your information safe when you log in? That's where access and refresh tokens come into play. They're like secret keys that make sure only you get into your account, and they even have a cool way of staying active without bothering you.</p> <p>In this blog, we're going to make sense of these tokens, and we'll do it using Node.js. No need for complicated jargon; we'll keep it simple and fun. Ready to dive into the world of secure logins and keys? Let's get started!</p> <h3> <strong>Requirements for this Guide</strong> </h3> <p>To smoothly navigate through this walkthrough, you'll need:</p> <ol> <li><p>Basic Node.js and Express.js Knowledge</p></li> <li><p>Basic Knowledge of Mongoose ODM and MongoDB</p></li> <li><p>Basic Knowledge of JSON Web Tokens (JWT)</p></li> </ol> <h3> <strong>Understanding Access and Refresh Tokens</strong> </h3> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fh9isv8a5vskxr8ythhnd.jpeg" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fh9isv8a5vskxr8ythhnd.jpeg" width="800" height="504"></a></p> <p><strong>Image source:</strong> <a href="https://medium.com/@bakhtmunir/refresh-token-in-angular-e212c2adaa77" rel="noopener noreferrer">https://medium.com/@bakhtmunir/refresh-token-in-angular-e212c2adaa77</a></p> <p>Now, let's demystify the concepts of access tokens and refresh tokens in a way that's easy to grasp. Imagine a scenario where you don't want to repeatedly enter your email and password every time you access something that's yours. This is where access and refresh tokens come into play.</p> <p><strong>Access Token:</strong></p> <ul> <li>Think of the access token as a short-lived pass, like a ticket to a concert. It grants you access to your resources, but it doesn't last forever, maybe just for a day. After that day, you'd typically need to refresh the access token by logging in again.</li> </ul> <p><strong>Refresh Token:</strong></p> <ul> <li><p>Now, for big organizations like Google, they've got a clever trick. They use a refresh token, which acts like a backstage pass that lasts longer (maybe 2 hours or 1 hour). This token is also stored in a database, like a secret key.</p></li> <li><p>If your access token expires, and you try to access something, you'll get a message saying it's expired. Instead of bothering you to log in again, the system can quietly send a request with your refresh token to get a new access token. It's like saying, "Hey, my backstage pass is still valid, can I get a new ticket?"</p></li> <li><p>In the backend, it checks if the refresh token you sent matches the one it has. If they match, it's like reopening your session. It's a bit like logging in again, but behind the scenes. The system then sends you a new access token, like a refreshed ticket.</p></li> </ul> <p><strong>Why Refresh Tokens Matter:</strong></p> <ul> <li><p>This dance of tokens is handy because, on the frontend, if there's a 401 error (meaning your access is expired), instead of asking you to log in again, a bit of code can quietly request a refresh using the refresh token.</p></li> <li><p>You don't need to keep entering your credentials. The refresh token does the job behind the scenes, ensuring a smooth and uninterrupted user experience.</p></li> </ul> <p>So, in a nutshell, access tokens and refresh tokens work together to keep your digital experience seamless, avoiding the hassle of constant logins. Now, armed with this understanding, you're well-prepared for discussions, even in interviews. Access token, refresh token, it's all about making your online interactions smoother.</p> <p><strong>Exact Definitions:</strong></p> <p><strong>Access Token:</strong> Access tokens are used to authenticate API requests to access protected resources. They are small pieces of code that contain a large amount of data, such as information about the user, permissions, groups, and timeframes. Access tokens are usually short-lived tokens that expire after a short period of time.</p> <p><strong>Refresh Token:</strong> Refresh tokens are long-lived tokens that are used to obtain new access tokens when the current ones expire. Refresh tokens allow users to get new access tokens without having to log in again.</p> <h3> <strong>Setting Up the Backend</strong> </h3> <p>Certainly! Below is a simple and concise guide for our backend setup:</p> <p><strong>1. Installing Required Packages:</strong></p> <p>Let's set up the project by running <code>npm init -y</code> in the terminal. This initializes a new Node.js project.</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fxk6mvmjpu82ywz5eutu9.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fxk6mvmjpu82ywz5eutu9.png" width="800" height="450"></a></p> <p>Now, let's install the necessary libraries with the following command:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>npm <span class="nb">install </span>express cors mongoose bcrypt jsonwebtoken dotenv cookie-parser </code></pre> </div> <p>Here's what each library does:</p> <ul> <li><p><code>express</code>: The main framework for building the server.</p></li> <li><p><code>cors</code>: Handles cross-origin resource sharing.</p></li> <li><p><code>mongoose</code>: Enables connection to MongoDB.</p></li> <li><p><code>bcrypt</code>: Provides password hashing for security.</p></li> <li><p><code>jsonwebtoken</code>: Supports the creation and verification of JSON web tokens.</p></li> <li><p><code>dotenv</code>: Facilitates the use of environment variables with a <code>.env</code> file.</p></li> <li><p><code>cookie-parser</code>: A tool for handling cookies.</p></li> </ul> <p>Additionally, for a smoother development experience, install <code>nodemon</code> as a devDependency:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>npm install nodemon --save-dev </code></pre> </div> <p>Make sure you have a folder that looks like this one:</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Ffzvalam9di906ln26wwa.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Ffzvalam9di906ln26wwa.png" width="800" height="450"></a></p> <p><strong>2. Configuring Express Server:</strong></p> <p>Now, let's configure our Express server in the <code>index.js</code> file. This file acts as the heart of our server, managing requests and connecting to MongoDB. Below is a concise breakdown:</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F0fstoqjc64a4uksljphu.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F0fstoqjc64a4uksljphu.png" width="800" height="450"></a></p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fdqemcubm220eik1q68lx.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fdqemcubm220eik1q68lx.png" width="800" height="450"></a><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="c1">// Importing necessary modules</span> <span class="k">import</span> <span class="nx">express</span><span class="p">,</span> <span class="p">{</span> <span class="nx">urlencoded</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">"</span><span class="s2">express</span><span class="dl">"</span><span class="p">;</span> <span class="k">import</span> <span class="nx">cors</span> <span class="k">from</span> <span class="dl">"</span><span class="s2">cors</span><span class="dl">"</span><span class="p">;</span> <span class="k">import</span> <span class="nx">cookieParser</span> <span class="k">from</span> <span class="dl">"</span><span class="s2">cookie-parser</span><span class="dl">"</span><span class="p">;</span> <span class="k">import</span> <span class="nx">dotenv</span> <span class="k">from</span> <span class="dl">"</span><span class="s2">dotenv</span><span class="dl">"</span><span class="p">;</span> <span class="k">import</span> <span class="nx">connectDB</span> <span class="k">from</span> <span class="dl">"</span><span class="s2">./src/db/db.js</span><span class="dl">"</span><span class="p">;</span> <span class="c1">// Configuring environment variables</span> <span class="nx">dotenv</span><span class="p">.</span><span class="nf">config</span><span class="p">({</span> <span class="na">path</span><span class="p">:</span> <span class="dl">"</span><span class="s2">./.env</span><span class="dl">"</span> <span class="p">});</span> <span class="kd">const</span> <span class="nx">app</span> <span class="o">=</span> <span class="nf">express</span><span class="p">();</span> <span class="c1">// Adding middleware for CORS, JSON parsing, and cookies</span> <span class="nx">app</span><span class="p">.</span><span class="nf">use</span><span class="p">(</span><span class="nf">cors</span><span class="p">({</span> <span class="na">origin</span><span class="p">:</span> <span class="nx">process</span><span class="p">.</span><span class="nx">env</span><span class="p">.</span><span class="nx">CLIENT_URL</span><span class="p">,</span> <span class="na">credentials</span><span class="p">:</span> <span class="kc">true</span> <span class="p">}));</span> <span class="nx">app</span><span class="p">.</span><span class="nf">use</span><span class="p">(</span><span class="nx">express</span><span class="p">.</span><span class="nf">json</span><span class="p">());</span> <span class="nx">app</span><span class="p">.</span><span class="nf">use</span><span class="p">(</span><span class="nf">urlencoded</span><span class="p">({</span> <span class="na">extended</span><span class="p">:</span> <span class="kc">true</span> <span class="p">}));</span> <span class="nx">app</span><span class="p">.</span><span class="nf">use</span><span class="p">(</span><span class="nf">cookieParser</span><span class="p">());</span> <span class="c1">// Creating a simple route</span> <span class="nx">app</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="dl">"</span><span class="s2">/</span><span class="dl">"</span><span class="p">,</span> <span class="p">(</span><span class="nx">req</span><span class="p">,</span> <span class="nx">res</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="nx">res</span><span class="p">.</span><span class="nf">send</span><span class="p">(</span><span class="dl">"</span><span class="s2">Hello World!</span><span class="dl">"</span><span class="p">);</span> <span class="p">});</span> <span class="c1">// Connecting to MongoDB and starting the server</span> <span class="nf">connectDB</span><span class="p">()</span> <span class="p">.</span><span class="nf">then</span><span class="p">(()</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="nx">app</span><span class="p">.</span><span class="nf">listen</span><span class="p">(</span><span class="nx">process</span><span class="p">.</span><span class="nx">env</span><span class="p">.</span><span class="nx">PORT</span> <span class="o">||</span> <span class="mi">8000</span><span class="p">,</span> <span class="p">()</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="nx">console</span><span class="p">.</span><span class="nf">log</span><span class="p">(</span><span class="s2">`Server listening on port </span><span class="p">${</span><span class="nx">process</span><span class="p">.</span><span class="nx">env</span><span class="p">.</span><span class="nx">PORT</span><span class="p">}</span><span class="s2">`</span><span class="p">);</span> <span class="p">});</span> <span class="p">})</span> <span class="p">.</span><span class="k">catch</span><span class="p">((</span><span class="nx">error</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="nx">console</span><span class="p">.</span><span class="nf">log</span><span class="p">(</span><span class="dl">"</span><span class="s2">MongoDB connection failed</span><span class="dl">"</span><span class="p">);</span> <span class="p">});</span> </code></pre> </div> <p><strong>Connecting to MongoDB:</strong></p> <p>Now, let's establish the connection to MongoDB using the <code>connectDB</code> module. This module is responsible for connecting our server to the MongoDB database. Here's the module defined in a concise manner:</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fnzl3wd7kc44gcryfr3pj.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fnzl3wd7kc44gcryfr3pj.png" width="800" height="450"></a><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="k">import</span> <span class="nx">mongoose</span> <span class="k">from</span> <span class="dl">"</span><span class="s2">mongoose</span><span class="dl">"</span><span class="p">;</span> <span class="kd">const</span> <span class="nx">connectDB</span> <span class="o">=</span> <span class="k">async </span><span class="p">()</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="k">try</span> <span class="p">{</span> <span class="k">await</span> <span class="nx">mongoose</span><span class="p">.</span><span class="nf">connect</span><span class="p">(</span><span class="nx">process</span><span class="p">.</span><span class="nx">env</span><span class="p">.</span><span class="nx">MONGODB_URI</span><span class="p">);</span> <span class="nx">console</span><span class="p">.</span><span class="nf">log</span><span class="p">(</span><span class="dl">"</span><span class="s2">MongoDB connected</span><span class="dl">"</span><span class="p">);</span> <span class="p">}</span> <span class="k">catch </span><span class="p">(</span><span class="nx">error</span><span class="p">)</span> <span class="p">{</span> <span class="nx">console</span><span class="p">.</span><span class="nf">log</span><span class="p">(</span><span class="nx">error</span><span class="p">);</span> <span class="p">}</span> <span class="p">};</span> <span class="k">export</span> <span class="k">default</span> <span class="nx">connectDB</span><span class="p">;</span> </code></pre> </div> <p><strong>Checking Server Functionality:</strong></p> <p>To ensure our server is up and running, let's execute the following command:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>npm run dev </code></pre> </div> <p>This command, typically set up in our <code>package.json</code> file uses <code>nodemon</code> to run the server in development mode. It automatically restarts the server when changes are made, making the development process smoother.</p> <p>If all is well, you should see a message in your console indicating that the server is listening on a specific port, for example:</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fkn94839ujdpp29jwau9f.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fkn94839ujdpp29jwau9f.png" width="800" height="450"></a></p> <p>Now, open your web browser and go to <a href="http://localhost:8000/" rel="noopener noreferrer"><code>http://localhost:8000/</code></a>. If everything is set up correctly, you should see "Hello World!" displayed in your browser.</p> <p>This quick check ensures that your server is indeed working as expected. If you encounter any issues or if the server doesn't start, review your code and configurations.</p> <h3> <strong>Defining and Implementing User Schema</strong> </h3> <p>Now, let's define and implement the <code>userSchema</code> module. This schema represents the structure of our user data in MongoDB. Here's a concise breakdown:</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fzf0idk7q2nvp5vs0wfhw.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fzf0idk7q2nvp5vs0wfhw.png" width="800" height="450"></a></p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fobijqol2kbf3583p3gbe.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fobijqol2kbf3583p3gbe.png" width="800" height="450"></a><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="k">import</span> <span class="nx">mongoose</span><span class="p">,</span> <span class="p">{</span> <span class="nx">Schema</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">"</span><span class="s2">mongoose</span><span class="dl">"</span><span class="p">;</span> <span class="k">import</span> <span class="nx">jwt</span> <span class="k">from</span> <span class="dl">"</span><span class="s2">jsonwebtoken</span><span class="dl">"</span><span class="p">;</span> <span class="k">import</span> <span class="nx">bcrypt</span> <span class="k">from</span> <span class="dl">"</span><span class="s2">bcrypt</span><span class="dl">"</span><span class="p">;</span> <span class="kd">const</span> <span class="nx">userSchema</span> <span class="o">=</span> <span class="k">new</span> <span class="nc">Schema</span><span class="p">(</span> <span class="p">{</span> <span class="na">email</span><span class="p">:</span> <span class="p">{</span> <span class="na">type</span><span class="p">:</span> <span class="nb">String</span><span class="p">,</span> <span class="na">required</span><span class="p">:</span> <span class="kc">true</span><span class="p">,</span> <span class="na">unique</span><span class="p">:</span> <span class="kc">true</span><span class="p">,</span> <span class="p">},</span> <span class="na">password</span><span class="p">:</span> <span class="p">{</span> <span class="na">type</span><span class="p">:</span> <span class="nb">String</span><span class="p">,</span> <span class="na">required</span><span class="p">:</span> <span class="kc">true</span><span class="p">,</span> <span class="p">},</span> <span class="na">refreshToken</span><span class="p">:</span> <span class="p">{</span> <span class="na">type</span><span class="p">:</span> <span class="nb">String</span><span class="p">,</span> <span class="p">},</span> <span class="p">},</span> <span class="p">{</span> <span class="na">timestamps</span><span class="p">:</span> <span class="kc">true</span> <span class="p">}</span> <span class="p">);</span> <span class="c1">// Middleware to hash the password before saving</span> <span class="nx">userSchema</span><span class="p">.</span><span class="nf">pre</span><span class="p">(</span><span class="dl">"</span><span class="s2">save</span><span class="dl">"</span><span class="p">,</span> <span class="k">async</span> <span class="nf">function </span><span class="p">(</span><span class="nx">next</span><span class="p">)</span> <span class="p">{</span> <span class="k">if </span><span class="p">(</span><span class="o">!</span><span class="k">this</span><span class="p">.</span><span class="nf">isModified</span><span class="p">(</span><span class="dl">"</span><span class="s2">password</span><span class="dl">"</span><span class="p">))</span> <span class="k">return</span> <span class="nf">next</span><span class="p">();</span> <span class="k">this</span><span class="p">.</span><span class="nx">password</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">bcrypt</span><span class="p">.</span><span class="nf">hash</span><span class="p">(</span><span class="k">this</span><span class="p">.</span><span class="nx">password</span><span class="p">,</span> <span class="mi">10</span><span class="p">);</span> <span class="nf">next</span><span class="p">();</span> <span class="p">});</span> <span class="c1">// Method to check if the entered password is correct</span> <span class="nx">userSchema</span><span class="p">.</span><span class="nx">methods</span><span class="p">.</span><span class="nx">isPasswordCorrect</span> <span class="o">=</span> <span class="k">async</span> <span class="nf">function </span><span class="p">(</span><span class="nx">password</span><span class="p">)</span> <span class="p">{</span> <span class="k">return</span> <span class="k">await</span> <span class="nx">bcrypt</span><span class="p">.</span><span class="nf">compare</span><span class="p">(</span><span class="nx">password</span><span class="p">,</span> <span class="k">this</span><span class="p">.</span><span class="nx">password</span><span class="p">);</span> <span class="p">};</span> <span class="c1">// Method to generate an access token</span> <span class="nx">userSchema</span><span class="p">.</span><span class="nx">methods</span><span class="p">.</span><span class="nx">generateAccessToken</span> <span class="o">=</span> <span class="nf">function </span><span class="p">()</span> <span class="p">{</span> <span class="k">return</span> <span class="nx">jwt</span><span class="p">.</span><span class="nf">sign</span><span class="p">(</span> <span class="p">{</span> <span class="na">_id</span><span class="p">:</span> <span class="k">this</span><span class="p">.</span><span class="nx">_id</span><span class="p">,</span> <span class="na">email</span><span class="p">:</span> <span class="k">this</span><span class="p">.</span><span class="nx">email</span><span class="p">,</span> <span class="p">},</span> <span class="nx">process</span><span class="p">.</span><span class="nx">env</span><span class="p">.</span><span class="nx">ACCESS_TOKEN_SECRET</span><span class="p">,</span> <span class="p">{</span> <span class="na">expiresIn</span><span class="p">:</span> <span class="dl">"</span><span class="s2">15m</span><span class="dl">"</span> <span class="p">}</span> <span class="p">);</span> <span class="p">};</span> <span class="c1">// Method to generate a refresh token</span> <span class="nx">userSchema</span><span class="p">.</span><span class="nx">methods</span><span class="p">.</span><span class="nx">generateRefreshToken</span> <span class="o">=</span> <span class="nf">function </span><span class="p">()</span> <span class="p">{</span> <span class="k">return</span> <span class="nx">jwt</span><span class="p">.</span><span class="nf">sign</span><span class="p">(</span> <span class="p">{</span> <span class="na">_id</span><span class="p">:</span> <span class="k">this</span><span class="p">.</span><span class="nx">_id</span><span class="p">,</span> <span class="p">},</span> <span class="nx">process</span><span class="p">.</span><span class="nx">env</span><span class="p">.</span><span class="nx">REFRESH_TOKEN_SECRET</span><span class="p">,</span> <span class="p">{</span> <span class="na">expiresIn</span><span class="p">:</span> <span class="dl">"</span><span class="s2">15d</span><span class="dl">"</span> <span class="p">}</span> <span class="p">);</span> <span class="p">};</span> <span class="c1">// Creating the User model using the schema</span> <span class="k">export</span> <span class="kd">const</span> <span class="nx">User</span> <span class="o">=</span> <span class="nx">mongoose</span><span class="p">.</span><span class="nf">model</span><span class="p">(</span><span class="dl">"</span><span class="s2">User</span><span class="dl">"</span><span class="p">,</span> <span class="nx">userSchema</span><span class="p">);</span> </code></pre> </div> <p>Breaking it down:</p> <p><strong>Note:</strong> Here we store refreshToken in the database.</p> <ul> <li><p>We import <code>mongoose</code> for schema creation, <code>jwt</code> for JSON web token operations, and <code>bcrypt</code> for password hashing.</p></li> <li><p>The <code>userSchema</code> defines the structure of our user data, including email, password and refreshToken, with timestamps for tracking creation and update times.</p></li> <li><p>A middleware (<code>pre</code> hook) is added to hash the password before saving it to the database.</p></li> <li><p>Methods are defined to check if the entered password is correct and to generate access and refresh tokens.</p></li> <li><p>The <code>User</code> model is created using the <code>mongoose.model</code> function.</p></li> </ul> <p><strong>Generating Token Secrets:</strong></p> <p>To enhance security, we can generate token secrets using the following OpenSSL command:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>openssl rand -hex 32 </code></pre> </div> <p>Running this command in our terminal generates a random 32-character hexadecimal string, which can be used as a strong secret for token generation.</p> <h3> <strong>Creating the user controller for Register and Login</strong> </h3> <p><strong>Implementing the User Registration Function:</strong></p> <p>In your user controller, we will create the <code>registerUser</code> function. This function takes care of registering new users by validating the provided email and password, checking for existing users, and creating a new user in the database.</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fdq0xurwyqdkvvi10uvxh.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fdq0xurwyqdkvvi10uvxh.png" width="800" height="450"></a></p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Frzrczzdvagw6h9ay87pp.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Frzrczzdvagw6h9ay87pp.png" width="800" height="450"></a><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="k">import</span> <span class="p">{</span> <span class="nx">User</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">"</span><span class="s2">../models/user.model.js</span><span class="dl">"</span><span class="p">;</span> <span class="kd">const</span> <span class="nx">registerUser</span> <span class="o">=</span> <span class="k">async </span><span class="p">(</span><span class="nx">req</span><span class="p">,</span> <span class="nx">res</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="kd">const</span> <span class="p">{</span> <span class="nx">email</span><span class="p">,</span> <span class="nx">password</span> <span class="p">}</span> <span class="o">=</span> <span class="nx">req</span><span class="p">.</span><span class="nx">body</span><span class="p">;</span> <span class="c1">// Check if email and password are provided</span> <span class="k">if </span><span class="p">(</span><span class="o">!</span><span class="nx">email</span> <span class="o">||</span> <span class="o">!</span><span class="nx">password</span><span class="p">)</span> <span class="p">{</span> <span class="k">return</span> <span class="nx">res</span><span class="p">.</span><span class="nf">status</span><span class="p">(</span><span class="mi">400</span><span class="p">).</span><span class="nf">json</span><span class="p">({</span> <span class="na">message</span><span class="p">:</span> <span class="dl">"</span><span class="s2">Email and password required</span><span class="dl">"</span> <span class="p">});</span> <span class="p">}</span> <span class="k">try</span> <span class="p">{</span> <span class="c1">// Check if the user already exists</span> <span class="kd">const</span> <span class="nx">existedUser</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">User</span><span class="p">.</span><span class="nf">findOne</span><span class="p">({</span> <span class="nx">email</span> <span class="p">});</span> <span class="k">if </span><span class="p">(</span><span class="nx">existedUser</span><span class="p">)</span> <span class="p">{</span> <span class="k">return</span> <span class="nx">res</span><span class="p">.</span><span class="nf">status</span><span class="p">(</span><span class="mi">400</span><span class="p">).</span><span class="nf">json</span><span class="p">({</span> <span class="na">message</span><span class="p">:</span> <span class="dl">"</span><span class="s2">User already exists</span><span class="dl">"</span> <span class="p">});</span> <span class="p">}</span> <span class="c1">// Create a new user in the database</span> <span class="kd">const</span> <span class="nx">user</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">User</span><span class="p">.</span><span class="nf">create</span><span class="p">({</span> <span class="nx">email</span><span class="p">,</span> <span class="nx">password</span> <span class="p">});</span> <span class="c1">// Retrieve the created user excluding sensitive information</span> <span class="kd">const</span> <span class="nx">createdUser</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">User</span><span class="p">.</span><span class="nf">findById</span><span class="p">(</span><span class="nx">user</span><span class="p">.</span><span class="nx">_id</span><span class="p">).</span><span class="nf">select</span><span class="p">(</span><span class="dl">"</span><span class="s2">-password -refreshToken</span><span class="dl">"</span><span class="p">);</span> <span class="c1">// Check if user creation was successful</span> <span class="k">if </span><span class="p">(</span><span class="o">!</span><span class="nx">createdUser</span><span class="p">)</span> <span class="p">{</span> <span class="k">return</span> <span class="nx">res</span><span class="p">.</span><span class="nf">status</span><span class="p">(</span><span class="mi">500</span><span class="p">).</span><span class="nf">json</span><span class="p">({</span> <span class="na">message</span><span class="p">:</span> <span class="dl">"</span><span class="s2">Something went wrong</span><span class="dl">"</span> <span class="p">});</span> <span class="p">}</span> <span class="c1">// Send a success response with the created user details</span> <span class="k">return</span> <span class="nx">res</span> <span class="p">.</span><span class="nf">status</span><span class="p">(</span><span class="mi">201</span><span class="p">)</span> <span class="p">.</span><span class="nf">json</span><span class="p">({</span> <span class="na">user</span><span class="p">:</span> <span class="nx">createdUser</span><span class="p">,</span> <span class="na">message</span><span class="p">:</span> <span class="dl">"</span><span class="s2">User created successfully</span><span class="dl">"</span> <span class="p">});</span> <span class="p">}</span> <span class="k">catch </span><span class="p">(</span><span class="nx">error</span><span class="p">)</span> <span class="p">{</span> <span class="c1">// Handle any errors that occur during the process</span> <span class="k">return</span> <span class="nx">res</span><span class="p">.</span><span class="nf">status</span><span class="p">(</span><span class="mi">500</span><span class="p">).</span><span class="nf">json</span><span class="p">({</span> <span class="na">message</span><span class="p">:</span> <span class="nx">error</span><span class="p">.</span><span class="nx">message</span> <span class="p">});</span> <span class="p">}</span> <span class="p">};</span> <span class="k">export</span> <span class="p">{</span> <span class="nx">registerUser</span> <span class="p">};</span> </code></pre> </div> <p><strong>Creating the User Registration Route:</strong></p> <p>Now, let's define a route for the <code>registerUser</code> function. In your <code>user.routes.js</code>:</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Ft3p13d23yjnjrbw90tmk.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Ft3p13d23yjnjrbw90tmk.png" width="800" height="450"></a><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="k">import</span> <span class="p">{</span> <span class="nx">Router</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">"</span><span class="s2">express</span><span class="dl">"</span><span class="p">;</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">registerUser</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">"</span><span class="s2">../controllers/user.controller.js</span><span class="dl">"</span><span class="p">;</span> <span class="kd">const</span> <span class="nx">router</span> <span class="o">=</span> <span class="nc">Router</span><span class="p">();</span> <span class="nx">router</span><span class="p">.</span><span class="nf">route</span><span class="p">(</span><span class="dl">"</span><span class="s2">/register</span><span class="dl">"</span><span class="p">).</span><span class="nf">post</span><span class="p">(</span><span class="nx">registerUser</span><span class="p">);</span> <span class="k">export</span> <span class="k">default</span> <span class="nx">router</span><span class="p">;</span> </code></pre> </div> <p>Import that the user routes in <code>index.js</code>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="k">import</span> <span class="nx">userRouter</span> <span class="k">from</span> <span class="dl">"</span><span class="s2">./src/routes/user.routes.js</span><span class="dl">"</span><span class="p">;</span> <span class="nx">app</span><span class="p">.</span><span class="nf">use</span><span class="p">(</span><span class="dl">"</span><span class="s2">/api/v1/users</span><span class="dl">"</span><span class="p">,</span> <span class="nx">userRouter</span><span class="p">);</span> </code></pre> </div> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fwj2wmptz9iismn2azuw2.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fwj2wmptz9iismn2azuw2.png" width="800" height="450"></a></p> <p><strong>Testing with Postman:</strong></p> <ol> <li><p>Open Postman and create a new request.</p></li> <li><p>Set the request type to <code>POST</code>.</p></li> <li><p>Enter the URL for our register route (<a href="http://localhost:8000/api/v1/register" rel="noopener noreferrer">http://localhost:8000/api/v1/register</a>).</p></li> <li><p>Go to the "Body" tab, select <code>raw</code>, and enter a JSON object with an email and password for testing:</p></li> <li><p>Click "Send."</p></li> <li><p>Check the response in the Postman console. You should receive a status code of <code>201</code> and a JSON response indicating the user was created successfully.</p></li> <li><p>We can also check in the DB, a new user document will be created.</p></li> </ol> <h3> <strong>Generating Access and Refresh Tokens</strong> </h3> <p>We'll create a function <code>generateAccessAndRefreshTokens</code>. This function takes a <code>userId</code> as input, retrieves the user from the database, and generates both access and refresh tokens. Let's break it down:</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Ffjqnuk9nblytdfza61ol.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Ffjqnuk9nblytdfza61ol.png" width="800" height="450"></a><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="kd">const</span> <span class="nx">generateAccessAndRefreshTokens</span> <span class="o">=</span> <span class="k">async </span><span class="p">(</span><span class="nx">userId</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="k">try</span> <span class="p">{</span> <span class="c1">// Find the user by ID in the database</span> <span class="kd">const</span> <span class="nx">user</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">User</span><span class="p">.</span><span class="nf">findById</span><span class="p">(</span><span class="nx">userId</span><span class="p">);</span> <span class="c1">// Generate an access token and a refresh token</span> <span class="kd">const</span> <span class="nx">accessToken</span> <span class="o">=</span> <span class="nx">user</span><span class="p">.</span><span class="nf">generateAccessToken</span><span class="p">();</span> <span class="kd">const</span> <span class="nx">refreshToken</span> <span class="o">=</span> <span class="nx">user</span><span class="p">.</span><span class="nf">generateRefreshToken</span><span class="p">();</span> <span class="c1">// Save the refresh token to the user in the database</span> <span class="nx">user</span><span class="p">.</span><span class="nx">refreshToken</span> <span class="o">=</span> <span class="nx">refreshToken</span><span class="p">;</span> <span class="k">await</span> <span class="nx">user</span><span class="p">.</span><span class="nf">save</span><span class="p">({</span> <span class="na">validateBeforeSave</span><span class="p">:</span> <span class="kc">false</span> <span class="p">});</span> <span class="c1">// Return the generated tokens</span> <span class="k">return</span> <span class="p">{</span> <span class="nx">accessToken</span><span class="p">,</span> <span class="nx">refreshToken</span> <span class="p">};</span> <span class="p">}</span> <span class="k">catch </span><span class="p">(</span><span class="nx">error</span><span class="p">)</span> <span class="p">{</span> <span class="c1">// Handle any errors that occur during the process</span> <span class="k">throw</span> <span class="k">new</span> <span class="nc">Error</span><span class="p">(</span><span class="nx">error</span><span class="p">.</span><span class="nx">message</span><span class="p">);</span> <span class="p">}</span> <span class="p">};</span> </code></pre> </div> <p>This function is a crucial part of the login process, where successful authentication results in the generation of new tokens for the user. It ensures a smooth and secure flow for handling user sessions in our Node.js application.</p> <p><strong>User Login Functionality:</strong></p> <p>Let's delve into the implementation of the <code>loginUser</code> function. This function handles user login by verifying provided credentials, generating access and refresh tokens upon successful authentication, and setting cookies for secure and seamless session management.</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fpumr02iucz40ptwmimgs.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fpumr02iucz40ptwmimgs.png" width="800" height="450"></a></p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fvf0nk6coivnqmzqr1ljr.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fvf0nk6coivnqmzqr1ljr.png" width="800" height="450"></a></p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fw9z0sxx50rjgnhmzvr61.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fw9z0sxx50rjgnhmzvr61.png" width="800" height="450"></a><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="kd">const</span> <span class="nx">loginUser</span> <span class="o">=</span> <span class="k">async </span><span class="p">(</span><span class="nx">req</span><span class="p">,</span> <span class="nx">res</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="kd">const</span> <span class="p">{</span> <span class="nx">email</span><span class="p">,</span> <span class="nx">password</span> <span class="p">}</span> <span class="o">=</span> <span class="nx">req</span><span class="p">.</span><span class="nx">body</span><span class="p">;</span> <span class="c1">// Validate email and password presence</span> <span class="k">if </span><span class="p">(</span><span class="o">!</span><span class="nx">email</span> <span class="o">||</span> <span class="o">!</span><span class="nx">password</span><span class="p">)</span> <span class="p">{</span> <span class="k">return</span> <span class="nx">res</span><span class="p">.</span><span class="nf">status</span><span class="p">(</span><span class="mi">400</span><span class="p">).</span><span class="nf">json</span><span class="p">({</span> <span class="na">message</span><span class="p">:</span> <span class="dl">"</span><span class="s2">Email and password are required</span><span class="dl">"</span> <span class="p">});</span> <span class="p">}</span> <span class="k">try</span> <span class="p">{</span> <span class="c1">// Find the user by email in the database</span> <span class="kd">const</span> <span class="nx">user</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">User</span><span class="p">.</span><span class="nf">findOne</span><span class="p">({</span> <span class="nx">email</span> <span class="p">});</span> <span class="c1">// Check if the user exists</span> <span class="k">if </span><span class="p">(</span><span class="o">!</span><span class="nx">user</span><span class="p">)</span> <span class="p">{</span> <span class="k">return</span> <span class="nx">res</span><span class="p">.</span><span class="nf">status</span><span class="p">(</span><span class="mi">404</span><span class="p">).</span><span class="nf">json</span><span class="p">({</span> <span class="na">message</span><span class="p">:</span> <span class="dl">"</span><span class="s2">User not found</span><span class="dl">"</span> <span class="p">});</span> <span class="p">}</span> <span class="c1">// Verify the correctness of the provided password</span> <span class="kd">const</span> <span class="nx">isPasswordValid</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">user</span><span class="p">.</span><span class="nf">isPasswordCorrect</span><span class="p">(</span><span class="nx">password</span><span class="p">);</span> <span class="c1">// Handle incorrect password</span> <span class="k">if </span><span class="p">(</span><span class="o">!</span><span class="nx">isPasswordValid</span><span class="p">)</span> <span class="p">{</span> <span class="k">return</span> <span class="nx">res</span><span class="p">.</span><span class="nf">status</span><span class="p">(</span><span class="mi">401</span><span class="p">).</span><span class="nf">json</span><span class="p">({</span> <span class="na">message</span><span class="p">:</span> <span class="dl">"</span><span class="s2">Incorrect password</span><span class="dl">"</span> <span class="p">});</span> <span class="p">}</span> <span class="c1">// Generate access and refresh tokens</span> <span class="kd">const</span> <span class="p">{</span> <span class="nx">accessToken</span><span class="p">,</span> <span class="nx">refreshToken</span> <span class="p">}</span> <span class="o">=</span> <span class="k">await</span> <span class="nf">generateAccessAndRefreshTokens</span><span class="p">(</span><span class="nx">user</span><span class="p">.</span><span class="nx">_id</span><span class="p">);</span> <span class="c1">// Retrieve the logged-in user excluding sensitive information</span> <span class="kd">const</span> <span class="nx">loggedInUser</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">User</span><span class="p">.</span><span class="nf">findById</span><span class="p">(</span><span class="nx">user</span><span class="p">.</span><span class="nx">_id</span><span class="p">).</span><span class="nf">select</span><span class="p">(</span><span class="dl">"</span><span class="s2">-password -refreshToken</span><span class="dl">"</span><span class="p">);</span> <span class="c1">// Set options for cookies</span> <span class="kd">const</span> <span class="nx">options</span> <span class="o">=</span> <span class="p">{</span> <span class="na">httpOnly</span><span class="p">:</span> <span class="kc">true</span><span class="p">,</span> <span class="na">secure</span><span class="p">:</span> <span class="kc">true</span><span class="p">,</span> <span class="c1">// Enable in a production environment with HTTPS</span> <span class="p">};</span> <span class="c1">// Set cookies with the generated tokens</span> <span class="k">return</span> <span class="nx">res</span> <span class="p">.</span><span class="nf">status</span><span class="p">(</span><span class="mi">200</span><span class="p">)</span> <span class="p">.</span><span class="nf">cookie</span><span class="p">(</span><span class="dl">"</span><span class="s2">accessToken</span><span class="dl">"</span><span class="p">,</span> <span class="nx">accessToken</span><span class="p">,</span> <span class="nx">options</span><span class="p">)</span> <span class="p">.</span><span class="nf">cookie</span><span class="p">(</span><span class="dl">"</span><span class="s2">refreshToken</span><span class="dl">"</span><span class="p">,</span> <span class="nx">refreshToken</span><span class="p">,</span> <span class="nx">options</span><span class="p">)</span> <span class="p">.</span><span class="nf">json</span><span class="p">({</span> <span class="na">user</span><span class="p">:</span> <span class="nx">loggedInUser</span><span class="p">,</span> <span class="nx">accessToken</span><span class="p">,</span> <span class="nx">refreshToken</span><span class="p">,</span> <span class="na">message</span><span class="p">:</span> <span class="dl">"</span><span class="s2">Logged in successfully</span><span class="dl">"</span><span class="p">,</span> <span class="p">});</span> <span class="p">}</span> <span class="k">catch </span><span class="p">(</span><span class="nx">error</span><span class="p">)</span> <span class="p">{</span> <span class="c1">// Handle any errors that occur during the process</span> <span class="k">return</span> <span class="nx">res</span><span class="p">.</span><span class="nf">status</span><span class="p">(</span><span class="mi">500</span><span class="p">).</span><span class="nf">json</span><span class="p">({</span> <span class="na">message</span><span class="p">:</span> <span class="nx">error</span><span class="p">.</span><span class="nx">message</span> <span class="p">});</span> <span class="p">}</span> <span class="p">};</span> </code></pre> </div> <p>Let's integrate the <code>loginUser</code> function into the user routes by adding a route for user login in the <code>user.routes.js</code> file. Here's the updated:</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fky9f20scf54rzsi4xu0m.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fky9f20scf54rzsi4xu0m.png" width="800" height="450"></a><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="nx">router</span><span class="p">.</span><span class="nf">route</span><span class="p">(</span><span class="dl">"</span><span class="s2">/login</span><span class="dl">"</span><span class="p">).</span><span class="nf">post</span><span class="p">(</span><span class="nx">loginUser</span><span class="p">);</span> </code></pre> </div> <p><strong>Testing with Postman:</strong></p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fouc9rvswejl3ot1yeg56.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fouc9rvswejl3ot1yeg56.png" width="800" height="450"></a></p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fkkf2josimv9d2rmmqerd.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fkkf2josimv9d2rmmqerd.png" width="800" height="450"></a></p> <p>We can also check in the DB, refreshToken is added:</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fjg572rc6u0h0an41yja9.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fjg572rc6u0h0an41yja9.png" width="800" height="450"></a></p> <h3> <strong>Authentication Middleware</strong> </h3> <p>In our Node.js backend, we've set up an important layer of protection known as authentication middleware, specifically <code>verifyJWT</code>. This ensures that only users with proper credentials can access certain parts of our application. Let's break down why we use it and how it keeps our system secure:</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fao9kep8j2e8bf2mu391t.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fao9kep8j2e8bf2mu391t.png" width="800" height="450"></a><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="k">import</span> <span class="nx">jwt</span> <span class="k">from</span> <span class="dl">"</span><span class="s2">jsonwebtoken</span><span class="dl">"</span><span class="p">;</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">User</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">"</span><span class="s2">../models/user.model.js</span><span class="dl">"</span><span class="p">;</span> <span class="k">export</span> <span class="kd">const</span> <span class="nx">verifyJWT</span> <span class="o">=</span> <span class="k">async </span><span class="p">(</span><span class="nx">req</span><span class="p">,</span> <span class="nx">res</span><span class="p">,</span> <span class="nx">next</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="k">try</span> <span class="p">{</span> <span class="c1">// Look for the token in cookies or headers</span> <span class="kd">const</span> <span class="nx">token</span> <span class="o">=</span> <span class="nx">req</span><span class="p">.</span><span class="nx">cookies</span><span class="p">?.</span><span class="nx">accessToken</span> <span class="o">||</span> <span class="nx">req</span><span class="p">.</span><span class="nf">header</span><span class="p">(</span><span class="dl">"</span><span class="s2">Authorization</span><span class="dl">"</span><span class="p">)?.</span><span class="nf">replace</span><span class="p">(</span><span class="dl">"</span><span class="s2">Bearer </span><span class="dl">"</span><span class="p">,</span> <span class="dl">""</span><span class="p">);</span> <span class="c1">// If there's no token, deny access with a 401 Unauthorized status</span> <span class="k">if </span><span class="p">(</span><span class="o">!</span><span class="nx">token</span><span class="p">)</span> <span class="p">{</span> <span class="k">return</span> <span class="nx">res</span><span class="p">.</span><span class="nf">status</span><span class="p">(</span><span class="mi">401</span><span class="p">).</span><span class="nf">json</span><span class="p">({</span> <span class="na">message</span><span class="p">:</span> <span class="dl">"</span><span class="s2">Token not found</span><span class="dl">"</span> <span class="p">});</span> <span class="p">}</span> <span class="c1">// Check if the token is valid using a secret key</span> <span class="kd">const</span> <span class="nx">decodedToken</span> <span class="o">=</span> <span class="nx">jwt</span><span class="p">.</span><span class="nf">verify</span><span class="p">(</span><span class="nx">token</span><span class="p">,</span> <span class="nx">process</span><span class="p">.</span><span class="nx">env</span><span class="p">.</span><span class="nx">ACCESS_TOKEN_SECRET</span><span class="p">);</span> <span class="c1">// Get the user linked to the token</span> <span class="kd">const</span> <span class="nx">user</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">User</span><span class="p">.</span><span class="nf">findById</span><span class="p">(</span><span class="nx">decodedToken</span><span class="p">?.</span><span class="nx">_id</span><span class="p">).</span><span class="nf">select</span><span class="p">(</span><span class="dl">"</span><span class="s2">-password -refreshToken</span><span class="dl">"</span><span class="p">);</span> <span class="c1">// If the user isn't found, deny access with a 404 Not Found status</span> <span class="k">if </span><span class="p">(</span><span class="o">!</span><span class="nx">user</span><span class="p">)</span> <span class="p">{</span> <span class="k">return</span> <span class="nx">res</span><span class="p">.</span><span class="nf">status</span><span class="p">(</span><span class="mi">404</span><span class="p">).</span><span class="nf">json</span><span class="p">({</span> <span class="na">message</span><span class="p">:</span> <span class="dl">"</span><span class="s2">User not found</span><span class="dl">"</span> <span class="p">});</span> <span class="p">}</span> <span class="c1">// Attach user info to the request for further use</span> <span class="nx">req</span><span class="p">.</span><span class="nx">user</span> <span class="o">=</span> <span class="nx">user</span><span class="p">;</span> <span class="nf">next</span><span class="p">();</span> <span class="p">}</span> <span class="k">catch </span><span class="p">(</span><span class="nx">error</span><span class="p">)</span> <span class="p">{</span> <span class="c1">// Handle any errors during token verification with a 500 Internal Server Error status</span> <span class="k">return</span> <span class="nx">res</span><span class="p">.</span><span class="nf">status</span><span class="p">(</span><span class="mi">500</span><span class="p">).</span><span class="nf">json</span><span class="p">({</span> <span class="na">message</span><span class="p">:</span> <span class="nx">error</span><span class="p">.</span><span class="nx">message</span> <span class="p">});</span> <span class="p">}</span> <span class="p">};</span> </code></pre> </div> <p><strong>Why Use Authentication Middleware:</strong></p> <ul> <li><p><strong>Securing Access:</strong> This middleware acts like a guard, ensuring that only users with valid credentials can enter certain parts of our application.</p></li> <li><p><strong>Log Out Security:</strong> When a user logs out, the absence of a valid access token ensures that unauthorized users can't access protected areas.</p></li> <li><p><strong>Token Refresh:</strong> To provide a smooth user experience, the middleware helps refresh access tokens, letting users stay logged in without needing to log in repeatedly.</p></li> </ul> <p><strong>Logging Out Users Securely:</strong></p> <p>When users decide to log out, we want to make sure it's a secure process. The <code>logoutUser</code> function takes care of this, updating the user's information to remove the refresh token. Let's explore how it ensures a safe logout:</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fu3dp8041vks2vdt7euzk.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fu3dp8041vks2vdt7euzk.png" width="800" height="450"></a><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="kd">const</span> <span class="nx">logoutUser</span> <span class="o">=</span> <span class="k">async </span><span class="p">(</span><span class="nx">req</span><span class="p">,</span> <span class="nx">res</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="c1">// Remove the refresh token from the user's information</span> <span class="k">await</span> <span class="nx">User</span><span class="p">.</span><span class="nf">findByIdAndUpdate</span><span class="p">(</span> <span class="nx">req</span><span class="p">.</span><span class="nx">user</span><span class="p">.</span><span class="nx">_id</span><span class="p">,</span> <span class="p">{</span> <span class="na">$set</span><span class="p">:</span> <span class="p">{</span> <span class="na">refreshToken</span><span class="p">:</span> <span class="kc">undefined</span> <span class="p">}</span> <span class="p">},</span> <span class="p">{</span> <span class="na">new</span><span class="p">:</span> <span class="kc">true</span> <span class="p">}</span> <span class="p">);</span> <span class="c1">// Set options for cookies</span> <span class="kd">const</span> <span class="nx">options</span> <span class="o">=</span> <span class="p">{</span> <span class="na">httpOnly</span><span class="p">:</span> <span class="kc">true</span><span class="p">,</span> <span class="na">secure</span><span class="p">:</span> <span class="kc">true</span><span class="p">,</span> <span class="c1">// Enable in a production environment with HTTPS</span> <span class="p">};</span> <span class="c1">// Clear the access and refresh tokens in cookies</span> <span class="k">return</span> <span class="nx">res</span> <span class="p">.</span><span class="nf">status</span><span class="p">(</span><span class="mi">200</span><span class="p">)</span> <span class="p">.</span><span class="nf">cookie</span><span class="p">(</span><span class="dl">"</span><span class="s2">accessToken</span><span class="dl">"</span><span class="p">,</span> <span class="dl">""</span><span class="p">,</span> <span class="p">{</span> <span class="p">...</span><span class="nx">options</span><span class="p">,</span> <span class="na">expires</span><span class="p">:</span> <span class="k">new</span> <span class="nc">Date</span><span class="p">(</span><span class="mi">0</span><span class="p">)</span> <span class="p">})</span> <span class="p">.</span><span class="nf">cookie</span><span class="p">(</span><span class="dl">"</span><span class="s2">refreshToken</span><span class="dl">"</span><span class="p">,</span> <span class="dl">""</span><span class="p">,</span> <span class="p">{</span> <span class="p">...</span><span class="nx">options</span><span class="p">,</span> <span class="na">expires</span><span class="p">:</span> <span class="k">new</span> <span class="nc">Date</span><span class="p">(</span><span class="mi">0</span><span class="p">)</span> <span class="p">})</span> <span class="p">.</span><span class="nf">json</span><span class="p">({</span> <span class="na">user</span><span class="p">:</span> <span class="p">{},</span> <span class="na">message</span><span class="p">:</span> <span class="dl">"</span><span class="s2">Logged out successfully</span><span class="dl">"</span> <span class="p">});</span> <span class="p">};</span> </code></pre> </div> <h3> <strong>Refreshing Access Tokens</strong> </h3> <p>To keep the user experience seamless and uninterrupted, we have the <code>refreshAccessToken</code> function. This function is responsible for refreshing the access token using a valid refresh token. Here's how it ensures a smooth token refresh:</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fb0e05mmhc5voyti48oo0.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fb0e05mmhc5voyti48oo0.png" width="800" height="450"></a></p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F1zl44adjjlphezthmirk.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F1zl44adjjlphezthmirk.png" width="800" height="450"></a><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="kd">const</span> <span class="nx">refreshAccessToken</span> <span class="o">=</span> <span class="k">async </span><span class="p">(</span><span class="nx">req</span><span class="p">,</span> <span class="nx">res</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="c1">// Retrieve the refresh token from cookies or request body</span> <span class="kd">const</span> <span class="nx">incomingRefreshToken</span> <span class="o">=</span> <span class="nx">req</span><span class="p">.</span><span class="nx">cookies</span><span class="p">.</span><span class="nx">refreshToken</span> <span class="o">||</span> <span class="nx">req</span><span class="p">.</span><span class="nx">body</span><span class="p">.</span><span class="nx">refreshToken</span><span class="p">;</span> <span class="c1">// If no refresh token is present, deny access with a 401 Unauthorized status</span> <span class="k">if </span><span class="p">(</span><span class="o">!</span><span class="nx">incomingRefreshToken</span><span class="p">)</span> <span class="p">{</span> <span class="k">return</span> <span class="nx">res</span><span class="p">.</span><span class="nf">status</span><span class="p">(</span><span class="mi">401</span><span class="p">).</span><span class="nf">json</span><span class="p">({</span> <span class="na">message</span><span class="p">:</span> <span class="dl">"</span><span class="s2">Refresh token not found</span><span class="dl">"</span> <span class="p">});</span> <span class="p">}</span> <span class="k">try</span> <span class="p">{</span> <span class="c1">// Verify the incoming refresh token using the secret key</span> <span class="kd">const</span> <span class="nx">decodedToken</span> <span class="o">=</span> <span class="nx">jwt</span><span class="p">.</span><span class="nf">verify</span><span class="p">(</span> <span class="nx">incomingRefreshToken</span><span class="p">,</span> <span class="nx">process</span><span class="p">.</span><span class="nx">env</span><span class="p">.</span><span class="nx">REFRESH_TOKEN_SECRET</span> <span class="p">);</span> <span class="c1">// Find the user associated with the refresh token</span> <span class="kd">const</span> <span class="nx">user</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">User</span><span class="p">.</span><span class="nf">findById</span><span class="p">(</span><span class="nx">decodedToken</span><span class="p">?.</span><span class="nx">_id</span><span class="p">);</span> <span class="c1">// If the user isn't found, deny access with a 404 Not Found status</span> <span class="k">if </span><span class="p">(</span><span class="o">!</span><span class="nx">user</span><span class="p">)</span> <span class="p">{</span> <span class="k">return</span> <span class="nx">res</span><span class="p">.</span><span class="nf">status</span><span class="p">(</span><span class="mi">404</span><span class="p">).</span><span class="nf">json</span><span class="p">({</span> <span class="na">message</span><span class="p">:</span> <span class="dl">"</span><span class="s2">User not found</span><span class="dl">"</span> <span class="p">});</span> <span class="p">}</span> <span class="c1">// If the stored refresh token doesn't match the incoming one, deny access</span> <span class="k">if </span><span class="p">(</span><span class="nx">user</span><span class="p">?.</span><span class="nx">refreshToken</span> <span class="o">!==</span> <span class="nx">incomingRefreshToken</span><span class="p">)</span> <span class="p">{</span> <span class="k">return</span> <span class="nx">res</span><span class="p">.</span><span class="nf">status</span><span class="p">(</span><span class="mi">401</span><span class="p">).</span><span class="nf">json</span><span class="p">({</span> <span class="na">message</span><span class="p">:</span> <span class="dl">"</span><span class="s2">Refresh token is incorrect</span><span class="dl">"</span> <span class="p">});</span> <span class="p">}</span> <span class="c1">// Set options for cookies</span> <span class="kd">const</span> <span class="nx">options</span> <span class="o">=</span> <span class="p">{</span> <span class="na">httpOnly</span><span class="p">:</span> <span class="kc">true</span><span class="p">,</span> <span class="na">secure</span><span class="p">:</span> <span class="kc">true</span><span class="p">,</span> <span class="c1">// Enable in a production environment with HTTPS</span> <span class="p">};</span> <span class="c1">// Generate new access and refresh tokens for the user</span> <span class="kd">const</span> <span class="p">{</span> <span class="nx">accessToken</span><span class="p">,</span> <span class="nx">refreshToken</span> <span class="p">}</span> <span class="o">=</span> <span class="k">await</span> <span class="nf">generateAccessAndRefreshTokens</span><span class="p">(</span> <span class="nx">user</span><span class="p">.</span><span class="nx">_id</span> <span class="p">);</span> <span class="c1">// Set the new tokens in cookies</span> <span class="k">return</span> <span class="nx">res</span> <span class="p">.</span><span class="nf">status</span><span class="p">(</span><span class="mi">200</span><span class="p">)</span> <span class="p">.</span><span class="nf">cookie</span><span class="p">(</span><span class="dl">"</span><span class="s2">accessToken</span><span class="dl">"</span><span class="p">,</span> <span class="nx">accessToken</span><span class="p">,</span> <span class="nx">options</span><span class="p">)</span> <span class="p">.</span><span class="nf">cookie</span><span class="p">(</span><span class="dl">"</span><span class="s2">refreshToken</span><span class="dl">"</span><span class="p">,</span> <span class="nx">refreshToken</span><span class="p">,</span> <span class="nx">options</span><span class="p">)</span> <span class="p">.</span><span class="nf">json</span><span class="p">({</span> <span class="nx">accessToken</span><span class="p">,</span> <span class="nx">refreshToken</span><span class="p">,</span> <span class="na">message</span><span class="p">:</span> <span class="dl">"</span><span class="s2">Access token refreshed</span><span class="dl">"</span> <span class="p">});</span> <span class="p">}</span> <span class="k">catch </span><span class="p">(</span><span class="nx">error</span><span class="p">)</span> <span class="p">{</span> <span class="c1">// Handle any errors during token refresh with a 500 Internal Server Error status</span> <span class="k">return</span> <span class="nx">res</span><span class="p">.</span><span class="nf">status</span><span class="p">(</span><span class="mi">500</span><span class="p">).</span><span class="nf">json</span><span class="p">({</span> <span class="na">message</span><span class="p">:</span> <span class="nx">error</span><span class="p">.</span><span class="nx">message</span> <span class="p">});</span> <span class="p">}</span> <span class="p">};</span> </code></pre> </div> <p>When users want to log out, we make sure it's done securely by removing sensitive information. The <code>logoutUser</code> function handles this process, ensuring a clean logout experience.</p> <p>For maintaining uninterrupted user sessions, the <code>refreshAccessToken</code> function comes into play. It checks and verifies a refresh token, then provides the user with fresh access and refresh tokens, ensuring a smooth continuation of their session.</p> <p>Both these functions contribute to a secure and seamless user authentication system, showcasing our commitment to user privacy and a positive user experience.</p> <p><strong>Secured Routes for Logging Out and Token Refresh:</strong></p> <p>In our application, certain routes are secured, requiring users to be authenticated. Here, we define two important secured routes, <code>/logout</code> for securely logging out and <code>/refresh-token</code> for refreshing access tokens. Let's integrate these routes into our application:</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fvzrabxe0lz4vfk0mekwi.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fvzrabxe0lz4vfk0mekwi.png" width="800" height="450"></a><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>// secured routesrouter.route("/logout").post(verifyJWT, logoutUser);router.route("/refresh-token").post(refreshAccessToken); </code></pre> </div> <p><strong>Testing with Postman:</strong></p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fnczyhrc0m8ip3k39lqxo.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fnczyhrc0m8ip3k39lqxo.png" width="800" height="450"></a></p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F5718aomo2835i90omk38.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F5718aomo2835i90omk38.png" width="800" height="450"></a></p> <h3> <strong>Conclusion</strong> </h3> <p>As we conclude this journey, we've equipped our Node.js backend with a strong foundation for user authentication.</p> <p>All the code is available in the GitHub repository: <a href="https://github.com/shaikahmadnawaz/access-refresh-tokens-nodejs" rel="noopener noreferrer">https://github.com/shaikahmadnawaz/access-refresh-tokens-nodejs</a></p> <p>I highly recommend watching <a href="https://hashnode.com/@hiteshchoudharylco" rel="noopener noreferrer"><strong>Hitesh Choudhary</strong></a> <strong>'s</strong> insightful video on this topic: <a href="https://youtu.be/L2_gIrDxCes?si=PtUNdWzdEL_S9-RV" rel="noopener noreferrer">https://youtu.be/L2_gIrDxCes?si=PtUNdWzdEL_S9-RV</a>, This article is inspired by this video.</p> <p><strong>🧑💻 My portfolio:</strong> <a href="https://shaikahmadnawaz.vercel.app" rel="noopener noreferrer">https://shaikahmadnawaz.vercel.app</a></p> <p>📱 <strong>Connect on Social Media:</strong></p> <ul> <li><p>LinkedIn: <a href="https://www.linkedin.com/in/shaikahmadnawaz" rel="noopener noreferrer">shaikahmadnawaz</a></p></li> <li><p>Twitter: <a href="https://twitter.com/shaikahmadnawaz" rel="noopener noreferrer">@shaikahmadnawaz</a></p></li> </ul> node webdev accesstoken refreshtoken