I'm building my first API using expressjs and mongodb. I am stuck on the tokens portion of the api. I see stuff online telling me to use JWT's and keep them in http only cookies to prevent malicious activity. this is my login controller. The code is sound and will return the user information when they log in.
/**
* @desc login a user
* @route POST api/user/login
* @access public
*/
const loginUser = async (req, res) => {
const { email, password } = req.body;
//error handling to avoid null values where values are mandatory
if (!email || !password) {
res.status(400).send({ error: "All fields are required" });
}
const user = await User.findOne({ email });
//compare password
if (user && (await bcrypt.compare(password, user.password))) {
const AccessToken = jwt.sign(
{
user: {
username: user.username,
email: user.email,
id: user.id,
},
},
process.env.ACCESS_TOKEN_SECRET,
{ expiresIn: "1h" }
);
res.cookie("AccessToken", AccessToken, {
httpOnly: true,
maxAge: 3600000, // 1 hour in milliseconds
// maxAge: 36, // 1 hour in milliseconds
});
const RefreshToken = jwt.sign(
{
user: {
username: user.username,
email: user.email,
id: user.id,
},
},
process.env.REFRESH_TOKEN_SECRET,
{ expiresIn: "1h" }
);
res.cookie("RefreshToken", RefreshToken, {
httpOnly: true,
maxAge: 86400000, // 1 day in milliseconds
});
res.status(200).send({
user: { id: user.id, email: user.email, username: user.username },
});
} else {
res.status(401).send({ error: "Email or password is incorrect" });
}
};
this is my middleware for validating the access token before accessing authorized routes. It works just find.
const jwt = require("jsonwebtoken");
const validateToken = async (req, res, next) => {
console.log("validating...");
token = req.cookies.AccessToken;
jwt.verify(
token,
process.env.ACCESS_TOKEN_SECRET,
(err, decodedInfomation) => {
if (err) {
res.status(401).send({ error: "Authentication is not valid" });
} else {
console.log("valid");
req.user = decodedInfomation;
next();
}
}
);
if (!token) {
res
.status(401)
.send({ error: "User not authenticated or token is missing" });
}
};
module.exports = validateToken;
This is my code for validating the refresh token
const jwt = require("jsonwebtoken");
const validateRefreshToken = async (req, res, next) => {
const refreshToken = req.cookies.RefreshToken;
jwt.verify(
refreshToken,
process.env.REFRESH_TOKEN_SECRET,
(err, decodedInfomation) => {
if (err) {
return res.status(403).send({ error: "Invalid refresh token" });
}
req.user = decodedInfomation;
next();
}
);
if (!refreshToken) {
res
.status(401)
.send({ error: "User not authenticated or token is missing" });
}
};
module.exports = validateRefreshToken;
This is my code for the controller that generates a new access token
/**
* @desc generate a new access token
* @route POST api/token/refresh
* @access private
*/
const generateToken = (req, res) => {
console.log(req.user);
if (!req.user) {
res.status(403).send({ error: "User information was not provided" });
}
try {
// Generate a new access token
const AccessToken = jwt.sign(
{
user: {
id: req.user.id,
username: req.user.username,
email: req.user.email,
},
},
process.env.ACCESS_TOKEN_SECRET,
{ expiresIn: "1h" } // Access token expires in 1 hour
);
res.cookie("AccessToken", AccessToken, {
httpOnly: true,
maxAge: 3600000, // 1 hour in milliseconds
});
res.status(200).send({
user: {
id: req.user.user.id,
email: req.user.user.email,
username: req.user.user.username,
},
});
} catch (err) {
console.log(err);
res.status(500).send({ error: err.message });
}
};
module.exports = { generateToken };
This is when I get lost. It will generate a new token but when I check the logged in user information it is {}. Can someone please explain,
- Am I following the correct procedure
- If I am how can I fix this
- If not, please explain how I should modify my code