HomeExpress.js in 5 DaysDay 3
Day 3 of 5
⏱ ~60 minutes
Express.js in 5 Days — Day 3

Authentication with JWT

Register and login users, hash passwords with bcrypt, issue JWTs, and protect routes with auth middleware.

Password Hashing and JWT

Terminal
npm install bcryptjs jsonwebtoken
routes/auth.js
const bcrypt = require('bcryptjs');
const jwt = require('jsonwebtoken');
const User = require('../models/User');

router.post('/register', async (req, res) => {
  const { name, email, password } = req.body;
  const hash = await bcrypt.hash(password, 12);
  const user = await User.create({ name, email, password: hash });
  const token = jwt.sign({ id: user._id }, process.env.JWT_SECRET, { expiresIn: '7d' });
  res.status(201).json({ token, user: { id: user._id, name, email } });
});

router.post('/login', async (req, res) => {
  const { email, password } = req.body;
  const user = await User.findOne({ email });
  if (!user || !await bcrypt.compare(password, user.password)) {
    return res.status(401).json({ error: 'Invalid credentials' });
  }
  const token = jwt.sign({ id: user._id }, process.env.JWT_SECRET, { expiresIn: '7d' });
  res.json({ token });
});
middleware/auth.js
const jwt = require('jsonwebtoken');
const User = require('../models/User');

module.exports = async (req, res, next) => {
  const authHeader = req.headers.authorization;
  if (!authHeader?.startsWith('Bearer ')) {
    return res.status(401).json({ error: 'No token' });
  }
  try {
    const token = authHeader.split(' ')[1];
    const decoded = jwt.verify(token, process.env.JWT_SECRET);
    req.user = await User.findById(decoded.id).select('-password');
    next();
  } catch {
    res.status(401).json({ error: 'Invalid token' });
  }
};
Protected route
const auth = require('../middleware/auth');
router.get('/me', auth, (req, res) => res.json(req.user));
📝 Day 3 Exercise
Add Auth to Your API
  1. I
  2. m
  3. p
  4. l
  5. e
  6. m
  7. e
  8. n
  9. t
  11. r
  12. e
  13. g
  14. i
  15. s
  16. t
  17. e
  18. r
  20. a
  21. n
  22. d
  24. l
  25. o
  26. g
  27. i
  28. n
  30. e
  31. n
  32. d
  33. p
  34. o
  35. i
  36. n
  37. t
  38. s
  39. .
  41. H
  42. a
  43. s
  44. h
  46. p
  47. a
  48. s
  49. s
  50. w
  51. o
  52. r
  53. d
  54. s
  56. w
  57. i
  58. t
  59. h
  61. b
  62. c
  63. r
  64. y
  65. p
  66. t
  68. (
  69. c
  70. o
  71. s
  72. t
  74. f
  75. a
  76. c
  77. t
  78. o
  79. r
  81. 1
  82. 2
  83. )
  84. .
  86. I
  87. s
  88. s
  89. u
  90. e
  92. J
  93. W
  94. T
  95. s
  97. w
  98. i
  99. t
  100. h
  102. 7
  103. -
  104. d
  105. a
  106. y
  108. e
  109. x
  110. p
  111. i
  112. r
  113. y
  114. .
  116. W
  117. r
  118. i
  119. t
  120. e
  122. t
  123. h
  124. e
  126. a
  127. u
  128. t
  129. h
  131. m
  132. i
  133. d
  134. d
  135. l
  136. e
  137. w
  138. a
  139. r
  140. e
  141. .
  143. P
  144. r
  145. o
  146. t
  147. e
  148. c
  149. t
  151. a
  153. /
  154. m
  155. e
  157. r
  158. o
  159. u
  160. t
  161. e
  162. .

Day 3 Summary

  • Hash passwords with bcrypt — never store plaintext. Cost factor 10-12 balances security and speed.
  • JWTs: jwt.sign(payload, secret, options) creates. jwt.verify(token, secret) validates.
  • Attach req.user in auth middleware so downstream handlers know who's making the request.
  • Send JWTs in the Authorization: Bearer <token> header. Never in query strings.
← Previous
Day 2: MongoDB and Mongoose
Next →
Day 4: Error Handling and Validation
Finished this lesson?