Chapter 6: API Authentication
Chapter 6 of 14
Chapter 6: API Authentication
6.1 Authentication Methods
Different authentication methods suit different use cases.
API Keys:
// Simple API key authentication
function apiKeyAuth(req, res, next) {
const apiKey = req.headers['x-api-key'];
if (!apiKey || apiKey !== process.env.API_KEY) {
return res.status(401).json({ error: 'Invalid API key' });
}
next();
}
app.use('/api', apiKeyAuth);JWT Tokens:
// JWT authentication
const jwt = require('jsonwebtoken');
function authenticateToken(req, res, next) {
const authHeader = req.headers['authorization'];
const token = authHeader && authHeader.split(' ')[1];
if (!token) {
return res.status(401).json({ error: 'Token required' });
}
jwt.verify(token, process.env.JWT_SECRET, (err, user) => {
if (err) return res.status(403).json({ error: 'Invalid token' });
req.user = user;
next();
});
}OAuth 2.0:
// OAuth 2.0 flow
// 1. Client requests authorization
// 2. User authorizes
// 3. Server returns authorization code
// 4. Client exchanges code for access token
// 5. Client uses access token for API calls
const oauth2 = require('simple-oauth2');
const client = oauth2.create({
client: {
id: process.env.CLIENT_ID,
secret: process.env.CLIENT_SECRET
},
auth: {
tokenHost: 'https://authorization-server.com'
}
});
// Get authorization URL
const authorizationUri = client.authorizationCode.authorizeURL({
redirect_uri: 'http://localhost:3000/callback',
scope: 'read write'
});6.2 Token Refresh
// Refresh token endpoint
app.post('/api/refresh', async (req, res) => {
const { refreshToken } = req.body;
try {
const decoded = jwt.verify(refreshToken, process.env.REFRESH_SECRET);
const newAccessToken = jwt.sign(
{ userId: decoded.userId },
process.env.JWT_SECRET,
{ expiresIn: '15m' }
);
res.json({ token: newAccessToken });
} catch (error) {
res.status(403).json({ error: 'Invalid refresh token' });
}
});