Authentication and Authorization in Node.js and Express: Securing Your RESTful API


In the world of web development, security is paramount. In this article, we’ll explore the crucial topics of authentication and authorization in the context of Node.js and Express. By the end of this guide, you’ll have a solid understanding of implementing user authentication and protecting your RESTful API with access control.

Installing Dependencies:

To implement authentication and authorization, we’ll use the popular bcrypt library for password hashing and jsonwebtoken for token-based authentication. Install these packages:

npm install bcrypt jsonwebtoken

Setting Up User Authentication:

User Model and Registration Endpoint:

Modify your app.js to include user registration functionality:

// app.js
const express = require('express');
const mongoose = require('mongoose');
const bcrypt = require('bcrypt');
const jwt = require('jsonwebtoken');
const app = express();
const PORT = 3000;

mongoose.connect('mongodb://localhost/mydatabase', { useNewUrlParser: true, useUnifiedTopology: true });

const userSchema = new mongoose.Schema({
  username: String,
  password: String,

const User = mongoose.model('User', userSchema);

app.use(express.json());'/register', async (req, res) => {
  const { username, password } = req.body;

  // Hash the password
  const hashedPassword = await bcrypt.hash(password, 10);

  // Create a new user
  const newUser = new User({
    password: hashedPassword,

  // Save the user to the database
  try {
    res.status(201).json({ message: 'User registered successfully' });
  } catch (error) {
    res.status(500).json({ error: 'Internal Server Error' });

app.listen(PORT, () => {
  console.log(`Server is running on http://localhost:${PORT}`);

This code adds a registration endpoint that accepts a username and password, hashes the password, and stores the user in the database.

User Login and Token Generation:

Implement a login endpoint to authenticate users and generate a JSON Web Token (JWT) for authorization:

// app.js
// ... (previous code)'/login', async (req, res) => {
  const { username, password } = req.body;

  // Find the user in the database
  const user = await User.findOne({ username });

  if (user) {
    // Compare the provided password with the hashed password
    const passwordMatch = await, user.password);

    if (passwordMatch) {
      // Generate a JWT
      const token = jwt.sign({ userId: user._id }, 'secret_key', { expiresIn: '1h' });

      res.json({ token });
    } else {
      res.status(401).json({ error: 'Invalid credentials' });
  } else {
    res.status(401).json({ error: 'Invalid credentials' });

// ... (rest of the code)

Here, upon successful login, a JWT is generated and returned to the client.

Implementing Authorization Middleware:

Now, create a middleware function to authenticate and authorize incoming requests:

// app.js
// ... (previous code)

const authenticateToken = (req, res, next) => {
  const token = req.headers.authorization && req.headers.authorization.split(' ')[1];

  if (!token) {
    return res.status(401).json({ error: 'Unauthorized' });

  jwt.verify(token, 'secret_key', (err, user) => {
    if (err) {
      return res.status(403).json({ error: 'Forbidden' });

    req.user = user;

app.get('/secure-data', authenticateToken, (req, res) => {
  res.json({ message: 'This is secure data!' });

// ... (rest of the code)

In this example, the authenticateToken middleware verifies the JWT in the request header. If the token is valid, the request continues to the secure endpoint; otherwise, it returns an unauthorized or forbidden response.


You’ve now learned how to implement user authentication and authorization in a Node.js and Express application. These security measures are essential for protecting sensitive data and controlling access to your API. As you continue to develop your applications, consider refining your authentication flow, exploring OAuth and other authentication providers, and implementing role-based access control for more sophisticated applications. Stay tuned for more articles as we dive deeper into Node.js development. Happy coding!