node.js - Authentication in expressJS app


I want to implement authentication using JWT in an ExpressJS app.
I have learned the JWT concept after googling web sites, but I am not able to implement JWT using ExpressJS.
I am not getting an exact example of JWT in ExpressJS.
I have read the read-me note of the express-jwt node module, but the issue is how to generate a JWT and how to verify the received JWT on each request.
What is the exact process to:

  1. Generate a JWT
  2. Decode a JWT
  3. Verify a JWT

Also, what is meant by secret in the following example:

    var jwt = require('express-jwt');

    app.get('/protected',
        jwt({
            secret: 'shhhhhhared-secret'
        }),
        function(req, res) {
            if (!req.user.admin) return res.send(401);
            res.send(200);
        });

You'll need to use the package jsonwebtoken. The express-jwt package helps protect portions of your API when you're using the ExpressJS framework.

The secret is like a password. It encodes the payload so sensitive information can be passed around in the JWT without being manipulated. It gives certainty that the authentication mechanism hasn't been altered, and therefore the server can trust the user.

Note: In some cases you'll see JWTs encoded with the RS256 algorithm. Those require a public/private key pair to be provided to verify and decode the JWT.

Generate

The sign() function is in jsonwebtoken. If you use the jwt-simple package you'll use encode().

You can sign the JWT with a secret; you'll have to use the same secret when you use verify().

Assume you have the following JSON object that you want to make a JWT:

    var jwt = require('jsonwebtoken');

    var json = {
        user: 'jdoe',
        firstname: 'john',
        lastname: 'doe',
        id: 1
    };

    // Sign the payload with the shared secret
    var token = jwt.sign(json, 'supersecretsquirrel');

Your signed/encoded token will look like:

eyj0exaioijkv1qilcjhbgcioijiuzi1nij9.eyj1c2vyijoiamrvzsisimzpcnn0tmftzsi6ikpvag4ilcjsyxn0tmftzsi6ikrvzsisimlkijoxlcjpyxqioje0mzi3nju3nzj9.4mowmfrkiennaktrddkj-bzzqas8_b0es3nj5qveu9q 

You can verify it at jwt.io (make sure you provide the secret given here).

Verify and decode

The verify() function is used asynchronously. The object it returns in the callback is the decoded JWT. In order to verify the JWT, you need to pass the secret to the function.

Assuming the secret of 'supersecretsquirrel' shown above:

    var jwt = require('jsonwebtoken');

    jwt.verify(token, 'supersecretsquirrel', function (err, decoded) {
        if (err) {
            // Verification failed: do not use the token's contents
            return console.error(err);
        }

        // show decoded jwt
        console.log(decoded);
    });

The decoded token will show as:

{ user: 'jdoe', firstname: 'john', lastname: 'doe', id: 1, iat: 1432765772 } 

where iat in the token is a registered claim that means 'issued at'.

Now let's refer to your example (I left out the function and replaced the secret):

    var expressjwt = require('express-jwt');
    // assume app = express();

    app.get('/protected',
        expressjwt({
            secret: 'supersecretsquirrel'
        }),
        ...
    );

What this will do is allow access to the path /protected if you have a JSON Web Token signed with the secret 'supersecretsquirrel'. If you have a token whose secret doesn't match, you'll get an UnauthorizedError, and you'll want to throw an HTTP 401.
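
Added example, not part of the original answer and not jsonwebtoken's own code: the three steps from the question (generate, decode, verify) for HS256, written with Node's built-in crypto so it runs without extra packages. The function names, the `admin` field and the sample tokens are constructed for illustration; it shows that decoding needs no secret while verification rejects both a wrong secret and an edited payload.

```javascript
// Added example: HS256 sign/decode/verify with Node's built-in crypto.
const crypto = require('crypto');

const b64url = (buf) => Buffer.from(buf).toString('base64url');
const hmac = (data, secret) => crypto.createHmac('sha256', secret).update(data).digest();

// 1. Generate: base64url(header).base64url(payload).base64url(HMAC-SHA256)
function sign(payload, secret) {
  const header = { alg: 'HS256', typ: 'JWT' };
  const input = b64url(JSON.stringify(header)) + '.' + b64url(JSON.stringify(payload));
  return input + '.' + b64url(hmac(input, secret));
}

// 2. Decode: needs no secret, so the payload is readable by anyone holding the token.
function decode(token) {
  return JSON.parse(Buffer.from(token.split('.')[1], 'base64url').toString('utf8'));
}

// 3. Verify: recompute the signature, compare in constant time, then trust the payload.
function verify(token, secret) {
  const parts = token.split('.');
  if (parts.length !== 3) throw new Error('malformed token');
  const header = JSON.parse(Buffer.from(parts[0], 'base64url').toString('utf8'));
  // Pin the expected algorithm instead of trusting the token's own header.
  if (header.alg !== 'HS256') throw new Error('unexpected algorithm');
  const expected = hmac(parts[0] + '.' + parts[1], secret);
  const given = Buffer.from(parts[2], 'base64url');
  if (given.length !== expected.length || !crypto.timingSafeEqual(given, expected)) {
    throw new Error('invalid signature');
  }
  return decode(token);
}

// Constructed sample input, reusing the secret from the answer above.
function demo() {
  const secret = 'supersecretsquirrel';
  const token = sign({ user: 'jdoe', id: 1, admin: false }, secret);
  // Integrity check: edit the payload but keep the old signature.
  const [h, , s] = token.split('.');
  const forged = h + '.' + b64url(JSON.stringify({ user: 'jdoe', id: 1, admin: true })) + '.' + s;
  const outcome = (fn) => { try { return fn(); } catch (e) { return e.message; } };
  return {
    readableWithoutSecret: decode(token).user,
    valid: outcome(() => verify(token, secret).user),
    wrongSecret: outcome(() => verify(token, 'some-other-secret')),
    tampered: outcome(() => verify(forged, secret)),
  };
}
console.log(demo());
```

Because the payload can be read without the secret, keep anything confidential out of the claims and rely on the signature only for integrity.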