What is JSON Web Token and How Does It Help to Keep Secure NodeJS?

In the realm of modern web development, the need for secure and efficient data exchange between clients and servers is paramount. One powerful tool that has gained significant popularity in this context is the JSON Web Token, or JWT. In this article, we will delve into the intricacies of JWTs, their structure, and the myriad ways in which they have revolutionized authentication and data sharing in web applications.

Understanding JSON Web Tokens

JSON Web Token (JWT) is a compact, self-contained JSON-based open standard for creating access tokens that assert some number of claims. JWT claims can be typically used to pass identity of authenticated users between an identity provider and a service provider, or any other type of claims as required by business processes.

It's a string comprised of three distinct parts: the header, the payload, and the signature. These parts are base64-encoded and concatenated with periods, forming a single string. The resulting JWT is often used for authentication and data exchange between a client and a server.

JWT relies on other JSON-based standards: JWS (JSON Web Signature) and JWE (JSON Web Encryption).

It's a way of encrypting a value, in turn creating a unique token that users use as an identifier. This token verifies your identity. It can authenticate who you are, and authorize various resources you have access to.

JWT Structure

1. Header: The header typically consists of two parts: the type of the token, which is JWT, and the signing algorithm being used, such as HMAC SHA256 or RSA.
2. Payload: The payload, often referred to as the claims, contains the data that's encoded within the token. There are three types of claims:
   
   • Registered Claims: These are predefined claims like "iss" (issuer), "exp" (expiration time), and "sub" (subject).
   • Public Claims: These are user-defined claims that aren't registered, but should be defined in the JWT standard to avoid collisions.
   • Private Claims: These are custom claims created for sharing information between parties.
3. Signature: The signature is generated by taking the encoded header and payload, along with a secret key, and then applying a signing algorithm. The signature is used to verify that the sender of the JWT is who it says it is and to ensure the message wasn't changed along the way.

Key Aspects of JWTs in Node.js Security

1. Authentication

JWTs are commonly used for user authentication. Once a user logs in, a JWT is generated and sent to the client. The client includes the JWT in subsequent requests, allowing the server to verify the user's identity without the need to store session data on the server.

2. Statelessness

Node.js applications, especially those built with frameworks like Express, benefit from the statelessness of JWTs. They don't rely on server-side sessions, reducing the server's resource load and improving scalability.

3. Authorization

JWTs can include user roles and permissions in the payload. This allows Node.js applications to control access to specific routes or resources based on the user's role.

4. Data Integrity

The signature in a JWT ensures that the token hasn't been tampered with. If the token is altered in any way, the signature will no longer match, and the server will reject it.

5. Expiration

JWTs can have an expiration time, known as the "exp" claim. This provides an additional layer of security, preventing token misuse.

Implementing JWTs in Node.js

To implement JWTs in your Node.js application, follow these steps:

1. Token Generation

When a user logs in or performs some action that requires a token, create a JWT. Include user information and any necessary claims in the payload.

2. Token Storage

Store the token on the client side, typically in a secure HTTP-only cookie or local storage.

3. Token Verification

For protected routes or actions, the server should verify the token's signature and expiration. The secret key used for signing must be kept secure.

4. Middleware

Implement middleware in your Node.js application to check the token and authorize or reject requests based on the token's validity.

How Does It Work?

A JWT is an encoded string of characters which is safe to send between two computers if they both have HTTPS. The token represents a value that is accessible only by the computer that has access to the secret key with which it was encrypted.

In authentication, when the user successfully logs in using their credentials, a JSON Web Token will be returned and must be saved locally, instead of the traditional approach of creating a session in the server and returning a cookie.

Whenever the user wants to access a protected route or resource, the user agent should send the JWT, typically in the Authorization header using the Bearer schema.

A stateless authentication mechanism as the user state is never saved in server memory.

The server's protected routes will check for a valid JWT in the Authorization header, and if it is present, the user will be allowed to access protected resources.

For instance, a user wants to sign in to their account. They send a request with the required credentials such as email and password to the server. The server checks to see if the credentials are valid. If they are, the server creates a token using the desired payload and a secret key. This string of characters that results from the encryption is called a token. Then the server sends it back to the client. The client, in turn, saves the token to use it in every other request the user will send. The practice of adding a token to the request headers is a way of authorizing the user to access resources.

Check our NodeJS Authentication Application for the implementation of JWT.

Advantages of JWT

1. Compact

JWT is compact, which means it can be sent along with HTTP request either as a body or as a header attribute.

2. Security

There is no need to worry about cross-site request forgery (CSRF) attacks.

3. Stateless/self-contained

The token contains all the information to identify the user, which eliminates the need for the session state. If using a load balancer, we can pass the user to any server, instead of being bound to the same server we logged in on. This also enhances performance, since there is no server-side lookup for deserialization on each request

4. Reusability

You can have many separate servers that run on multiple platforms and domains and reuse the same token for authenticating the user. It is easy to build an application that shares permissions with another application.

When use JSON Web Tokens?

Some scenarios where JSON Web Tokens are used for:

To authorization

This is the most common scenario for using JWT. Once the user is logged in, each subsequent request will include the JWT, allowing the user to access routes, services, and resources that are permitted with that token. Single Sign-On is a feature that widely uses JWT nowadays, because of its small overhead and its ability to be easily used across different domains.

To information exchange

JWTs are a good way of securely transmitting information between parties. Because JWTs can be signed - for example, using public/private key pairs - you can be sure the senders are who they say they are. Additionally, as the signature is calculated using the header and the payload, you can also verify that the content hasn't been tampered with.

Benefits and Challenges

Benefits:

• Security: JWTs can be signed, and optionally encrypted, to ensure data integrity and confidentiality.
• Stateless: As JWTs contain all the necessary information, there's no need to store user sessions on the server.
• Compact and Efficient: Their small size makes them ideal for mobile and single-page applications.
• Standardized: JWTs are based on a widely accepted standard, making them interoperable across different systems.

Challenges:

• Security: While they are secure when used correctly, misconfigured JWTs can lead to security vulnerabilities.
• Size Limitation: The compactness of JWTs can be a limitation if you need to store a large amount of data in the token.