After initial user authentication. JWTs can be used for verification at REST API endpoints. In this tutorial, you will learn how to issue access and refresh tokens (JWTs), and also the recommended way to issue these tokens for security concerns. There will also be suggestions for storing these tokens in your frontend apps. If you are just starting out with Node.js and Express, I suggest you start at the beginning of the Node.js for Beginners tutorial series here: kzfaq.info/sun/PL0Zuz27SZ-6PFkIxaJ6Xx_X46avTM1aYw

So this is how a senior dev works and explains things. Simply amazing. Thank you for these videos.

be very careful when testing this specific implementation with nodemon vs a normal server. nodemon restarts after any file changes, including changes to models\users.json. This allows each function to get the updated state of refresh token. If you run this without nodemon, your refresh and logout functions will reference old versions of the users.json data that do not include the refresh token from the auth. This causes some unwanted behavior that took me quite a while to catch. As always, thanks @DaveGrayTeachescode for another great and comprehensive lesson

I've been following your tutorials on Node, Express, and working my way to Mongo for my project this week. I've told my professor about how helpful your videos are and I've been spreading the word to my classmates. I'm surprised you don't have more views on these tutorials. Thank you for your help!

Dude, this is by far the best tutorial series I have seen. Unparalleled quality. Thankyou!

I just wanted to say I appreciate you and what you do. Your videos are well explained, very thorough, but also digestible. Some instructors get a bit too technical, or lack enough technicality to fully understand what is happening. Yours are right in the pocket. Thank you, kind sir. You have provided a lot of clarification for me.

I usually stay away from tutorials but the content you post is insanely good, I have actually learnt a lot from your channel. Since I discovered it my skills with javascript have improved a lot. Thank you so much

This is masterpiece! 😍 I've thanked on all videos of you I've watched in the comments, and I will do it again on this one because you deserve it. Please keep creating content, I'm seriously worried you might lose interest in it at some point and we lose more content created by you, because you're so good.

hey dave this series is really helpful. the way you split things into routers and middleware has been eye-opening. so simple

For anyone who doesn't know, if you add secure: true in cookie options, you could only receive cookies on the login route, and in postman couldn't even receive cookies. So test before you add that option.

Would love to see an updated version with Typescript and maybe with a relational database. These videos are literally the best.

I watched many ttorials about jwt because I worked with fullstack php many years and I dont understand rest api so good and This tutorial is where really I did understan about refreshtoken. Thanks

dave calling out whitelist was the perfect endcap to this great video. dave, my man, youve done it again... another fantastic video

probably the most detailed series on the youtube, although really wish you used ts

Hi Dave, Thanks again for sharing this high quality content. Your explanations are excellent.

Thank you Dave. I read through all the comments and your responses to the questions asked which adds more to what has been learned in the video. Thanks again.

Thanks Dave, you’re an awesome teacher. Keep it coming please!

Thank you for nodejs playlist, Your clear explanations and practical examples made the learning process engaging and effective.

Hi Dave, this is by far far one of the best JWT Authentication videos that I have seen on KZfaq. I was wondering if you have created a frontend for this project. I am interested to know how one would incorporate the refresh route for a seamless experience if for example, I was on a user page that expired how would I refresh the token and regain access to my session without leaving the page? - many thanks

Dave in the timeframe 34:00 you are checking the founduser name with the decoded username. I feel it is unnecessary because the cookie contains digital signature which can be regenerated by using the header, payload and secret key present only in the server. The verify method would fails if the cookie signature and generated signature doesn't match. what do you mean by tampering.

Thanks so much, I just finished your node js course so I was going back to some concepts, I don’t thank you enough

This is a very valuable video for me. I've been trying to understand how the aT and rT works. Thanks very much

thanks for putting up these videos dave. hopefully the playlist will be a library for node videos that i can come back to if i need a refresher

I'm a bit late to this back end party, everything works accept I had to use Postman for the refresh and logout routes. Thanks Dave. 🌮🌮🌮

When I test the refresh route at 38:45 I'm getting a 401 unauthorized response with no cookies available. I've followed along with the first 40 minutes of this tutorial line by line from scratch several times and the refresh route keeps failing. So I also cloned the repo, installed packages, created the .env file, and I still get stuck testing the refresh route with a 401. Dave is the GOAT of youtube coding tutorials, but this one makes me want to run into traffic. I've sunk in far too many hours on this. MOVING ON.

21:19 why you set req.user ? In verifyJWT we are just verifying the access token . If it verified then move forward or else error occur. So for what you set req.user to decoded.UserInfo.username?

Firstly, congratulations on your clear, detailed and brilliantly explained tutorials. You have rare communications skills. I am working with Node.js Express and MySQL. I have come across express-session and express-mysql-session that store user credentials server side rather than in the users browser as with JWT. Could you develop tutorials on these packages please?

What confuses me most is how to store and work with the refresh tokens in my database (Postgres). My plan is to allow multi-login from different devices for the same user, so my idea is to create a refresh token for each device the user tries to log in with. Each refresh token belongs to a unique device, so I don't care which user belongs to it. That's why my plan is to create a refresh token table with no user references. When a user logs out, I simply remove the respective refresh token from the database and don't care if they are still logged in on other devices. Interesting notes/tips: 1) If a user deleted their cookie, you would end up with "dead tokens" that never get removed from the database. That only applies to multi-login and shouldn't really be a problem though. 2) Deleting all refresh tokens from the database forces all users to relog-in. Same when you change the refresh token secret. Don't do that, unless you have a good reason. 3) Hashing the refresh tokens before storing them in your database improves security. Similarly how you'd store passwords hashed and not in plaintext. 4) bcrypt stores the salt in the generated hash, so you don't need to store salts in your database. 5) You can check if a refresh token expired by catching "TokenExpiredError". Since it's a valid token (just expired), you can safely call jwt.decode(...) to get the username and other information. Not sure where I would need that, but maybe that helps some of you. Edit: Okay, I just realised that when you compare your refresh token with the database (refresh token hash), you run into the problem of not knowing which salt to use for hashing. You either use the same salt all the time, which makes hashing irrelevant, or you store a user reference for each refresh token hash so you know which entries to look at. Then check each hashed refresh token against the provided refresh token and see if one of them matches... Something feels wrong with that approach though, so for the time being, I'll just save the refresh tokens in plaintext. Edit2: Another reason to store the user id with the refrehs token is that when they change their password, we need to invalidate all existing refresh tokens for that user. Otherwise they stay logged in from their other devices as if they never changed their password. It can also be useful to know all user's refresh tokens if you implement some kind of "logout from all devices" functionality. Generally, you need to store the user id if you want to be able to improve security. Without user id, you'd need to decode all refresh tokens and check the user, which is extremely inefficient.

watched from start of the playlist till this video awesome detailed tutorial, thank you very much

Thanks for your videos... I learned a lot from your videos. My thunder client didnt work as per your video. After logging in and getting the access token and the refresh token cookie. when i tried to do the /refresh, the cookie wasn't send together. I got empty cookie. When i use postman, its the same case but i can manually add the refresh token cookie into the request and it works. REALLY appreciate your video, one of the best video out there.

Thanks teacher Dave for making this api totorial availabe,

Hi Dave. Thank you very much. This series have helped me so much.

Wow. Excellent video. Great job. Thanks a lot for doing these tutorials.

Again great video. Thank you very much Dave.

You are awesome. Great videos with a rich content.

i have never thought about "whitelist" as something racist

It was a great video, thanks Dave !

HI Dave, I'm getting status 401 when I try to generate refresh token after generating access token. I tried to console.log('request', req.cookies) and it shows [Object: null prototype] {} in terminal.

Great Explanation 😊

Thanks a lot. You are gifted for teaching.

Wow, very well explained, thank you!

What a great tutorial. Thank you. I learned a lot

quick question at 45:38 what would happen if the person being iterated through in the database doesnt have a refresh token yet? would the person be filtered through anyway?

Hy Dave, I'm stuck in verifyJWT controller, I'm not getting authHeader from the req.headers['authorization']. Any help would be much appreciated please

Hey Dave! Thank you very much .

Thanks a lot for your videos! It is really helpful!

Thank you so much!

You are the best

thanks for the tut, quite a good teaching style

Sir your courses are the best

Just to be clear if the backend and frontend are on the same domain we don't need to set the "Same Site: none".

hello, when my token is generated and put in cookie, this one is not recovered when I do a refresh which means that I am blocked at this stage... can you help me?

Thank you very much. 39:16 - I wonder why the refresh doesn't work for me, no matter what. When I call the refresh router with GET - The console logs the same cookie again and again (it doesn't change like in your code) And instead of Status: 200 OK, I get - Status: 403 Forbidden. Furthermore, I did look very very careful for a long long time that our codes are similar. (When I copied your folder and ran your completed code from scratch than it is immediately failed with MODULE_NOT_FOUND message)

This is great! Thank you so much!

you are on god mode, sir !!

Thank you very much, Dave

Excellent content, u are very much unique in teaching different scenarios and I’m so impressed , your channel teaches real-time scenarios, create a Udemy courses will be great 👍 , one question can you do a oauth authentication on node, and when do frontend should call refresh token api

Thank you so much for your videos

Great video as always, one question: why we are not saving Access Token in HTTP only Cookie too? then we don't need to attach it to header in front-end. I'm just curious. is there any security reason? becuase it will make it a lot easier for front-end

Big Thanks!!

whats the voice change at 36:50 got me shooked

This is an awesome video Dave. Many thanks to you! I do have a question as well, what if we want to make the API accessible to the public and also enable validation through cookies? The CORS gets in the way

Sir, you are one of the best on the planet. Could you please make a project video on complete MERN stack and posssibly GraphQL ? Thank you

hi dave i am getting this warning "this attemp to set a cookie via set cookie was blocked by user preferance" in incognito mode how can i handle this?? if not handle it will be be fail in incognito mode

Thank you for the excellent video. I have two questions please: 1- Can we depend only on refresh token without the need of generating the access token? 2- Can we depend only on a session token (without the need of jwt) ?

Awesome content!

That refreshToken thing still confuses me. Lets say realtime, and the access token expires in 15 mins, im an admin and can access all the user information, but when the token expires after 15 mins, it obvi that its gonna be 403 even for the admin. in dev, we could manually send the login creditials again, acquire a new access token, paste it in the bearer section and call for the users info again, it gonna show up eventually. But how will we handle this in real time, how will the access token gonna sit automatically and persist when calling these apis from the front end ?

That DB json file took time and complexity more than using an actual mongodb database.

Hey Dave, Thank you for putting this video with great explanation 👌 I have a question, why did you put `req.user = decoded.username` (21:30)? Since we are not using the username from the request in employeesController functions, should we put decoded username in the request? Please let me know if I am missing something

Why do we need access token? Can't we use the refresh token itself? I did not understand that at all. Isn't it enough if we extend the validity period of the refresh token and send it in the header of every request and check it in the backend?

when we send a get/post request to the protected API we need to set the bearer access token in the cookie so it will be stored in the cookies and vulnerable to XSS or crsf attacks or not like that? what we gained by sending it from the login/refresh API using JSON and storing it in the memory then if we send it back using an authorization bearer token to the API? I'm confused!

HI, thanks for video. Great job. Can you tell us about typescript and prisma? thanks.

Great explanation Dave ..complete this series? ??

Hi Dave, I have a question, why do I have to save the token to database? How is that helpful? because you are clearing it from the database, when you created the logout middleware. We can just clear the cookies using the clearCookies as you have done and again we are resetting it to empty string. And is this how authentication done in micro service applications? Or do we pass the token in authorization header in order to access the protected routes? PS - Thanks for making these authentication and authorization series. Loving it. 😍😍.

Really great work keep going forward… but if did this with sequelize it’s going to be marvelous… please make lessons on api with sequelize

Amazing tutorial

Good, gooood.

43:31 If there's no JWT cookie during logout, shouldn't we send one of 400 codes? Like 401- Unauthorized?

What's the purpose of frequently issuing accessToken when we can send accessToken in cookie (http:only) with a defined age and whenever we user want to log out we can clear the cookie from server I mean why to issue refresh token? We can achieve the purpose without it Please explain

Why do you add random access and refresh token in .env file? Or what happens if we set the ACCESS & REFRESH token to "" ?

excellent job sir.

Help me understand something. Say I authorize by hitting the auth endpoint, get a jwt and a refresh token, and the jwt from auth gets stored in memory in my app. Later, I request a protected endpoint, say a list of employees. I send the api request to get the employees, and that endpoint determines I am expired and therefore grabs a new auth token, I obviously need to get that new auth token from the response to store in my application. Does that mean that every request to every protected endpoint has to return an auth token, which is either the existing one that hasn't expired, or the one that was created from the refresh token?

I'm getting stocked at the refresh route part....I'm using thunderbolt to send the get request....it doesn't seem to ever resolve and the process keeps loading....and there are no errors thrown

Thank you so much. Do you have a starting point for how I can intercept request/response using fetch rather than axios?

When I try get request for refresh ,I'm getting unauthorized.

Thank you very much for this awesome tutorial, Dave. I have a question though. We only delete refresh token when user logs out. Does that mean "if some bad guy has access to the user's access token, they still can access protected route for a while before it expires"?

You have to delete accessToken also on logout because suppose you have given 5 min expiry to the accessToken and then you logout before expired accessToken but in your tutorial you have delete only refreshToken but accessToken still exists so user can still access APIs before expired accessToken. If I'm wrong please correct me

At 23:00 while trying to test auth route after protecting with token, I'm getting an error. Error: secretOrPrivateKey must have a value at module.exports [as sign] (C:\GemReactDemo\server ode_modules\jsonwebtoken\sign.js:105:20) at handleLogin (C:\GemReactDemo\server\controllers\authController.js:21:33)

thnks for the video Dave, i had a question what if i want to revoke a user from accessing secure resources from API what would i need to do ? just remove that refresh token of user from DB immediately ?

30:00 I don't understand which part in the refresh token allows it to create another access token when it is expired, can anyone explain for me?

Hello, doesn't setting a refresh token cookie violate the REST Stateless principle in this case?

how does the access token in the auth header change when we use the refreshtoken handler?

If I were using MongoDB as my database, would I need to add a refreshToken field in the mongoose schema?

Great tutorial, thanks a lot. I hava just one question, why don't you use Passport JS for authentication? I say that because I saw Passport JS is frecuently used for this

Is there any other video that comes after that? I don't know how to use with front end. 😢

can I ask you how can the frontend gonna know when to call the refresh API .. waiting your answer please

Hello Dave, by the end of the video you showed a frontend app, will you show how to code that in the next videos of this series? Also, are you going to show in the next videos of this series how to use the /refresh route automatically? Because if my understanding is correct, the /refresh route in this video's code will not run automatically, right?

Hello Dave. Is it neccesary to store refresh token in DB? In other tutorial you skipped this step. Thanks in advance for response

Thank you very much again. 59:20 - Is it possible that after the last changes which have been made to the code - The "GET refersh" call is no loger refresh the cookies, and respond only with "401 Unauthorized"..?

Great content