Authentication in node js REST API using JWT & Passport js

In current article I will discuss node js REST API basic authntication / authorization. Some good npm modules helps us to do it.

jsonwebtoken: Node js wrapper to handle json web tokens 
passport : standard module for authentication / authorization 
passport-jwt for JWT based passport based authorization
passport-local for Password based passport based authentication

So first install it in your express based App

$ npm install jsonwebtoken passport passport-jwt passport-local

Also install bcrypt for password hashing / comparing.

First we should have our model ready ( I am using mongoose base models ). let called models/user.js

var mongoose = require('mongoose');
const bcrypt = require('bcrypt');
var UserSchema = new mongoose.Schema({
  firstName: { type: String },
  lastName: { type: String },
  email: { type: String },
  password: { type: String }
UserSchema.pre('save', function (next) {
  var user = this;
  bcrypt.hash(user.password, 10, function (err, hashedPassword){
    if (err) {
      return next(err);
    user.password = hashedPassword;

UserSchema.methods.comparePassword = function (password, callback) {, this.password, function (err, isMatch) {
    if (err) {
      return callback(err);
    callback(null, isMatch);

mongoose.model('User', UserSchema);
module.exports = mongoose.model('User');

We have a pre save hook in user model, So when saving password into mongo db, Password bcrypt hashed automatically. Also their are comparePassword method, which we will use for password comparing during authentication.

Now we create a library file for handling passport js specific handling. Let us create services/passport.js

const passport = require('passport');
const localStrategy = require('passport-local').Strategy;
const userModel = require('../models/user');

passport.use('local', new localStrategy({
  usernameField: 'email',
  passwordField: 'password'
}, function(email, password, callback) {
  return userModel.findOne({email: email}).then(user => {
    if(!user) {
      return callback(true, false, {msg: 'Incorrect email'})

    return user.comparePassword(password, function (err, isMatch) {
      if (isMatch && !err) {
        return callback(false, user, {msg: 'Success'})
      } else {
        return callback(true, false, {msg: 'Authentication failed. Wrong password.'});

In above file we defined two passport strategy, One local strategy for password authentication other jwt strategy for token authorization. In first function we first check email & then check password using model’s comparePasword call.

Let see how our express controller handle authentication request. lets called controllers/auth.js

var jwt = require('jsonwebtoken');
var passport = require('passport');
var User = require('../models/user');'/signIn', function (req, res, next) {
  passport.authenticate('local', {session: false}, (err, user, info) => {
    if (err && !user) {
      res.status(401).send({success: false, msg: 'Login Failed'}); 
    } else {
      req.login(user, {session: false}, function(err) {
        if(err) {
          res.status(401).send({success: false, msg: err}); 
        } else {
          var token = jwt.sign({ id:, email:, fullName: user.firstName + ' ' + user.lastName }, config.jwt.secret, {
            expiresIn: 86400 // expires in 24 hours
          return res.json({success: true, token: token}); 

Here we are using passport authentication with local strategy to login user. After successfully login, Code generate a JWT Token as our api session token using sign method and send along with response.

Now next part is authorization. Add following code into passport.js for authorization method.

const jwt = require('jsonwebtoken');
const passportJWT = require('passport-jwt');
const extractJwt = passportJWT.ExtractJwt;
const jwtStrategy = require('passport-jwt').Strategy;
const jwtSecret = 'SOMETOKEN';

passport.use('jwt', new jwtStrategy({
 jwtFromRequest: extractJwt.fromAuthHeaderAsBearerToken(),
 secretOrKey: jwtSecret
}, function(jwtPayload, callback) {
 return userModel.findById(
 .then(user => {
   return callback(null, user)
 .catch(err => {
   return callback(err);


This function uses JWT’s fromAuthHeaderAsBearerToken to get token from authorization header from rest request.
Request header must be like that for proper authorization

authorization: Bearer TOKEN

It will be used as middleware in our app.js. So let change our controller invokeĀ  from

app.use('/users', require('./controllers/UserController'));


const passport = require('passport');
app.use('/users', passport.authenticate('jwt', {session: false}), require('./controllers/UserController'));

This middleware invoke our jwtStrategy and verify token from http authentcation header. So all requests who do not have header / wrong format of header / wrong data in token will be discarded as unauthenticated requests.