Authentication using JWT; Node.js API built with Express.js and Mongoose

In this post, I will discuss the authentication and authorization of my Tour App, as described in the previous video. The app uses JSON Web Tokens (JWT) for stateless authentication. Upon signup or login, user credentials are verified, and a JWT is generated and sent as an HTTP-only cookie. This token is used to authenticate requests and grant access to protected routes.
Passwords are securely hashed using bcrypt before being stored in the database. For password resets, a crypto-generated token is sent to the user’s email, allowing them to reset their password within a limited time frame. Once the password is reset, a new JWT is issued to maintain the user's session.
The protect middleware ensures that routes are only accessible to authenticated users by validating the JWT in the request headers. Additionally, I’ve implemented role-based access control using the restrictTo middleware to limit access to certain routes based on user roles (e.g., admin, lead-guide, guide, user).
To enhance security, I’ve added middleware to protect against NoSQL injection attacks by sanitizing inputs and using parameterized queries. Furthermore, I’ve implemented rate limiting to prevent abuse by limiting the number of requests a user can make in a given time period. This mitigates the risk of brute-force attacks and ensures fair usage of the API.
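The two request-hardening middlewares from the paragraph above, as an added example and not the app's code. Express apps commonly use packages such as express-mongo-sanitize and express-rate-limit for this; the block below re-implements both as plain `(req, res, next)` functions with no dependencies so it runs offline, and the window size, request limit and `runMiddleware` harness are assumptions.

```javascript
// Added example: input sanitizing against NoSQL operator injection, and a
// fixed-window rate limiter. Limit and window values are assumptions.

// Recursively drop keys that start with '$' or contain '.', so a JSON body
// such as {"email": "x", "password": {"$gt": ""}} cannot turn into a Mongo
// operator when the handler does User.findOne({ email, password }).
function sanitizeValue(value) {
  if (Array.isArray(value)) return value.map(sanitizeValue);
  if (value && typeof value === 'object') {
    const clean = {};
    for (const [k, v] of Object.entries(value)) {
      if (k.startsWith('$') || k.includes('.')) continue; // operator-like key
      clean[k] = sanitizeValue(v);
    }
    return clean;
  }
  return value;
}

function mongoSanitize(req, res, next) {
  for (const part of ['body', 'query', 'params']) {
    if (req[part]) req[part] = sanitizeValue(req[part]);
  }
  next();
}

// Fixed-window limiter keyed by client IP: at most `max` requests per `windowMs`.
// `now` is injectable so the window can be tested without waiting.
function rateLimit({ max = 100, windowMs = 60 * 60 * 1000, now = Date.now } = {}) {
  const buckets = new Map(); // ip -> { count, resetAt }
  return (req, res, next) => {
    const key = req.ip || 'unknown';
    const t = now();
    let bucket = buckets.get(key);
    if (!bucket || bucket.resetAt <= t) {
      bucket = { count: 0, resetAt: t + windowMs };
      buckets.set(key, bucket);
    }
    bucket.count += 1;
    res.setHeader('X-RateLimit-Limit', String(max));
    res.setHeader('X-RateLimit-Remaining', String(Math.max(0, max - bucket.count)));
    if (bucket.count > max) {
      res.status(429).json({ status: 'fail', message: 'Too many requests, please try again later' });
      return;
    }
    next();
  };
}

// Assumed harness: run one middleware against a fake req/res and report the outcome.
function runMiddleware(mw, req) {
  const result = { status: 200, body: null, headers: {}, nextCalled: false };
  const res = {
    status(code) { result.status = code; return this; },
    json(body) { result.body = body; return this; },
    setHeader(k, v) { result.headers[k] = v; },
  };
  mw(req, res, () => { result.nextCalled = true; });
  return { ...result, req };
}

module.exports = { sanitizeValue, mongoSanitize, rateLimit, runMiddleware };
```

Mount the sanitizer after the body parser (`app.use(express.json()); app.use(mongoSanitize);`) so it sees parsed objects, and apply a tighter limiter to `/login` and the reset routes than to the rest of the API, since those are where credential guessing concentrates. A fixed window resets all at once; a sliding window or token bucket smooths that edge but the shape of the middleware is the same.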
With these security measures in place, the Tour App ensures secure, scalable, and reliable user authentication and authorization.