Authenticate Users With JWT for Access to Protected Resources

In this lesson, we build a simple API with two endpoints, one public and one secure. Using a JWT and validating its signature, we ensure that the user is authorized to access a protected resource before serving it.

ajando
~ 6 years ago

Oh boy, I hate 'courses' like this. So, we are jumping from lesson 6 to do some CORS changes, to lesson 5, then back to the lesson 2 code example to do this video. What a mess of a course.

ajando
~ 6 years ago

...

Andrew Thompson
~ 6 years ago

This is super helpful. I've been looking for a good resource on JWT since I got hung up on a Prisma project. Thanks!

Todd
~ 6 years ago

I believe there is a step that is missing. When getting a valid JWT from https://jwt.io, you need to update the secret key to match the secret key in your code, in this example, "mysupersecretkey".

You can update the secret key on https://jwt.io in the last section of "Decoded" where it says "Verify Signature". There is a text input to enter your secret key. After updating your key, the encoded JWT will update automatically. Copy and paste this key into Postman to fix the "invalid signature" error.

DL
~ 6 years ago

Not sure what Postman version the course instructor is using, but mine does not have 'Bearer' as an option in the Authorization tab. I had to add it manually by going to the 'Headers' tab and adding a header with the key as 'Authorization' and value as 'Bearer JWT_TOKEN_STRING'.

Philip Cox
~ 6 years ago

This course is pretty disorganized; it's definitely not the same quality that I normally experience with Egghead. For it to be better, the videos need to be ordered better, and as mentioned it feels like bits are missing. It is hard to follow along when the code from lesson to lesson does not match up. Also, this is a very technical subject and there is not enough information to really feel confident I can integrate this into my own project and be confident I have a secure auth system. It's a shame because this is an interesting subject.

If the intention of the video was to offer a brief overview of auth and then advocate Auth0, this should be mentioned.

jpbamberg1993
~ 6 years ago

THANK YOU @Todd!!

I believe there is a step that is missing. When getting a valid JWT from https://jwt.io, you need to update the secret key to match the secret key in your code, in this example, "mysupersecretkey".

You can update the secret key on https://jwt.io in the last section of "Decoded" where it says "Verify Signature". There is a text input to enter your secret key. After updating your key, the encoded JWT will update automatically. Copy and paste this key into Postman to fix the "invalid signature" error.

Ankur Zilpelwar
~ 6 years ago

Thanks, @Todd

I believe there is a step that is missing. When getting a valid JWT from https://jwt.io, you need to update the secret key to match the secret key in your code, in this example, "mysupersecretkey".

You can update the secret key on https://jwt.io in the last section of "Decoded" where it says "Verify Signature". There is a text input to enter your secret key. After updating your key, the encoded JWT will update automatically. Copy and paste this key into Postman to fix the "invalid signature" error.

Tyler
~ 5 years ago

I hit a wall in this course at this video. Spending a lot of time trying to make up for knowledge gaps and inconsistencies in the lessons' code. Philip's comment sums it up well.

Sascha Metz
~ 4 years ago

If someone is running into an "algorithms should be set" error, just add the algorithms array to the jwtCheck definition like so:

const jwtCheck = expressjwt({ secret: "mysupersecretkey", algorithms: ["HS256"], })

Tom Odell
~ 3 years ago

Just to expand on the comment above, if you do run into an "algorithms should be set" error, there's a change between the version of jwt-express used in this video and the current one (version 6 at time of writing). You can either run "npm install express-jwt@5.3.3" to install the latest version of version 5.x.x, or you can add the algorithm as an option in the expressjwt constructor (more info here https://stackoverflow.com/questions/62665636/if-options-algorithms-throw-new-erroralgorithms-should-be-set-error-alg)

Anatta
~ 3 years ago

I'm getting an error while running this file: "expressjwt is not a function". Can someone please help me out?

~ 3 years ago

@anatta with the new version of expressjwt there is no default export, so use it like this:

const { expressjwt } = require('express-jwt');
...
const jwtCheck = expressjwt({
  secret: 'secret',
  algorithms: ["HS256"],
});

The algorithms argument is required.
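
Added example (not from the lesson and not express-jwt's own code): a sketch of the check the comments above configure, using only Node's built-in crypto module. It shows why a Bearer token signed with any secret other than the server's ("mysupersecretkey" in the lesson) fails with "invalid signature", and why the accepted algorithm is pinned to HS256; the names signToken and verifyBearer are assumptions made for this illustration.

```javascript
const { createHmac, timingSafeEqual } = require('crypto');

const SECRET = 'mysupersecretkey'; // demo secret from the lesson; never use it for real tokens
const ALGORITHMS = ['HS256'];      // server-side allow-list, like the `algorithms` option

const b64url = (obj) => Buffer.from(JSON.stringify(obj)).toString('base64url');

// Hypothetical helper that builds constructed sample tokens for this example.
function signToken(payload, secret, header = { alg: 'HS256', typ: 'JWT' }) {
  const signingInput = `${b64url(header)}.${b64url(payload)}`;
  const sig = header.alg === 'HS256'
    ? createHmac('sha256', secret).update(signingInput).digest('base64url')
    : ''; // unsigned token, used below to show that it is rejected
  return `${signingInput}.${sig}`;
}

// Returns { ok: true, payload } or { ok: false, error }.
function verifyBearer(authorization, secret = SECRET, algorithms = ALGORITHMS) {
  const m = /^Bearer ([\w-]+)\.([\w-]+)\.([\w-]*)$/.exec(authorization || '');
  if (!m) return { ok: false, error: 'missing or malformed Bearer token' };
  const [, h, p, s] = m;
  let header, payload;
  try {
    header = JSON.parse(Buffer.from(h, 'base64url').toString('utf8'));
    payload = JSON.parse(Buffer.from(p, 'base64url').toString('utf8'));
    if (!header || !payload || typeof header !== 'object' || typeof payload !== 'object') {
      throw new Error('not a JSON object');
    }
  } catch {
    return { ok: false, error: 'token is not valid JSON' };
  }
  // The server's configuration decides the algorithm, not the token's own header.
  // This sketch implements HS256 only, so anything else is refused as well.
  if (!algorithms.includes(header.alg) || header.alg !== 'HS256') {
    return { ok: false, error: 'algorithm not allowed' };
  }
  const expected = createHmac('sha256', secret).update(`${h}.${p}`).digest();
  const given = Buffer.from(s, 'base64url');
  // Constant-time comparison; the length check avoids timingSafeEqual throwing.
  if (given.length !== expected.length || !timingSafeEqual(given, expected)) {
    return { ok: false, error: 'invalid signature' };
  }
  if (typeof payload.exp === 'number' && payload.exp <= Math.floor(Date.now() / 1000)) {
    return { ok: false, error: 'token expired' };
  }
  return { ok: true, payload };
}
```
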