After initial user authentication. JWTs can be used for verification at REST API endpoints. In this tutorial, you will learn how to issue access and refresh tokens (JWTs), and also the recommended way to issue these tokens for security concerns. There will also be suggestions for storing these tokens in your frontend apps. If you are just starting out with Node.js and Express, I suggest you start at the beginning of the Node.js for Beginners tutorial series here: kzbin.info/aero/PL0Zuz27SZ-6PFkIxaJ6Xx_X46avTM1aYw

i have never thought about "whitelist" as something racist

So this is how a senior dev works and explains things. Simply amazing. Thank you for these videos.

I've been following your tutorials on Node, Express, and working my way to Mongo for my project this week. I've told my professor about how helpful your videos are and I've been spreading the word to my classmates. I'm surprised you don't have more views on these tutorials. Thank you for your help!

For anyone who doesn't know, if you add secure: true in cookie options, you could only receive cookies on the login route, and in postman couldn't even receive cookies. So test before you add that option.

This is masterpiece! 😍 I've thanked on all videos of you I've watched in the comments, and I will do it again on this one because you deserve it. Please keep creating content, I'm seriously worried you might lose interest in it at some point and we lose more content created by you, because you're so good.

Dave in the timeframe 34:00 you are checking the founduser name with the decoded username. I feel it is unnecessary because the cookie contains digital signature which can be regenerated by using the header, payload and secret key present only in the server. The verify method would fails if the cookie signature and generated signature doesn't match. what do you mean by tampering.

be very careful when testing this specific implementation with nodemon vs a normal server. nodemon restarts after any file changes, including changes to models\users.json. This allows each function to get the updated state of refresh token. If you run this without nodemon, your refresh and logout functions will reference old versions of the users.json data that do not include the refresh token from the auth. This causes some unwanted behavior that took me quite a while to catch. As always, thanks @DaveGrayTeachescode for another great and comprehensive lesson

Dude, this is by far the best tutorial series I have seen. Unparalleled quality. Thankyou!

Hi Dave, this is by far far one of the best JWT Authentication videos that I have seen on KZbin. I was wondering if you have created a frontend for this project. I am interested to know how one would incorporate the refresh route for a seamless experience if for example, I was on a user page that expired how would I refresh the token and regain access to my session without leaving the page? - many thanks

Would love to see an updated version with Typescript and maybe with a relational database. These videos are literally the best.

21:19 why you set req.user ? In verifyJWT we are just verifying the access token . If it verified then move forward or else error occur. So for what you set req.user to decoded.UserInfo.username?

Hi Dave, Thanks again for sharing this high quality content. Your explanations are excellent.

I just wanted to say I appreciate you and what you do. Your videos are well explained, very thorough, but also digestible. Some instructors get a bit too technical, or lack enough technicality to fully understand what is happening. Yours are right in the pocket. Thank you, kind sir. You have provided a lot of clarification for me.

I usually stay away from tutorials but the content you post is insanely good, I have actually learnt a lot from your channel. Since I discovered it my skills with javascript have improved a lot. Thank you so much

hey dave this series is really helpful. the way you split things into routers and middleware has been eye-opening. so simple

Hy Dave, I'm stuck in verifyJWT controller, I'm not getting authHeader from the req.headers['authorization']. Any help would be much appreciated please

HI Dave, I'm getting status 401 when I try to generate refresh token after generating access token. I tried to console.log('request', req.cookies) and it shows [Object: null prototype] {} in terminal.

I will never understand how people can program code and have it messy like this

Firstly, congratulations on your clear, detailed and brilliantly explained tutorials. You have rare communications skills. I am working with Node.js Express and MySQL. I have come across express-session and express-mysql-session that store user credentials server side rather than in the users browser as with JWT. Could you develop tutorials on these packages please?

Thanks Dave, you’re an awesome teacher. Keep it coming please!

hello, when my token is generated and put in cookie, this one is not recovered when I do a refresh which means that I am blocked at this stage... can you help me?

kzbin.info/www/bejne/nJLZm3ZserB5ndk I can't get why we even need to check whether jwt exist in cookies and if not it will spit 401 error in handleRefreshToken function. The main role of refresh token is that once access token is expired, users will be issued new access token with using refresh token. Therefore, it sounds much reasonable to me that we are going to check if there is access token in cookies, and if not, it will go ahead and check if there is refresh token affiliated with the given authentication information of user, NOT spitting 401 error. Of course, if there is no refresh token too then we will need to cast 401 error.

That DB json file took time and complexity more than using an actual mongodb database.

quick question at 45:38 what would happen if the person being iterated through in the database doesnt have a refresh token yet? would the person be filtered through anyway?

Clark Michael Thompson Matthew Hall Daniel

Great video as always, one question: why we are not saving Access Token in HTTP only Cookie too? then we don't need to attach it to header in front-end. I'm just curious. is there any security reason? becuase it will make it a lot easier for front-end

Anderson William Clark George Johnson Linda

What confuses me most is how to store and work with the refresh tokens in my database (Postgres). My plan is to allow multi-login from different devices for the same user, so my idea is to create a refresh token for each device the user tries to log in with. Each refresh token belongs to a unique device, so I don't care which user belongs to it. That's why my plan is to create a refresh token table with no user references. When a user logs out, I simply remove the respective refresh token from the database and don't care if they are still logged in on other devices. Interesting notes/tips: 1) If a user deleted their cookie, you would end up with "dead tokens" that never get removed from the database. That only applies to multi-login and shouldn't really be a problem though. 2) Deleting all refresh tokens from the database forces all users to relog-in. Same when you change the refresh token secret. Don't do that, unless you have a good reason. 3) Hashing the refresh tokens before storing them in your database improves security. Similarly how you'd store passwords hashed and not in plaintext. 4) bcrypt stores the salt in the generated hash, so you don't need to store salts in your database. 5) You can check if a refresh token expired by catching "TokenExpiredError". Since it's a valid token (just expired), you can safely call jwt.decode(...) to get the username and other information. Not sure where I would need that, but maybe that helps some of you. Edit: Okay, I just realised that when you compare your refresh token with the database (refresh token hash), you run into the problem of not knowing which salt to use for hashing. You either use the same salt all the time, which makes hashing irrelevant, or you store a user reference for each refresh token hash so you know which entries to look at. Then check each hashed refresh token against the provided refresh token and see if one of them matches... Something feels wrong with that approach though, so for the time being, I'll just save the refresh tokens in plaintext. Edit2: Another reason to store the user id with the refrehs token is that when they change their password, we need to invalidate all existing refresh tokens for that user. Otherwise they stay logged in from their other devices as if they never changed their password. It can also be useful to know all user's refresh tokens if you implement some kind of "logout from all devices" functionality. Generally, you need to store the user id if you want to be able to improve security. Without user id, you'd need to decode all refresh tokens and check the user, which is extremely inefficient.

hi dave i am getting this warning "this attemp to set a cookie via set cookie was blocked by user preferance" in incognito mode how can i handle this?? if not handle it will be be fail in incognito mode

Thank you very much. 39:16 - I wonder why the refresh doesn't work for me, no matter what. When I call the refresh router with GET - The console logs the same cookie again and again (it doesn't change like in your code) And instead of Status: 200 OK, I get - Status: 403 Forbidden. Furthermore, I did look very very careful for a long long time that our codes are similar. (When I copied your folder and ran your completed code from scratch than it is immediately failed with MODULE_NOT_FOUND message)

I watched many ttorials about jwt because I worked with fullstack php many years and I dont understand rest api so good and This tutorial is where really I did understan about refreshtoken. Thanks

When I try get request for refresh ,I'm getting unauthorized.

HI, thanks for video. Great job. Can you tell us about typescript and prisma? thanks.

Why do you add random access and refresh token in .env file? Or what happens if we set the ACCESS & REFRESH token to "" ?

dave calling out whitelist was the perfect endcap to this great video. dave, my man, youve done it again... another fantastic video

Walker Eric White Karen Miller Linda

Hey, How are you doing? if i access and refreshToken both manage by httpOnly cookie accessToken handle like refresh token if Expire access Token server send a new Access Token, do not want store accessToken on any state is it possible? and what will be better you tutorial example or my concept ? please inform me

What's the purpose of frequently issuing accessToken when we can send accessToken in cookie (http:only) with a defined age and whenever we user want to log out we can clear the cookie from server I mean why to issue refresh token? We can achieve the purpose without it Please explain

That refreshToken thing still confuses me. Lets say realtime, and the access token expires in 15 mins, im an admin and can access all the user information, but when the token expires after 15 mins, it obvi that its gonna be 403 even for the admin. in dev, we could manually send the login creditials again, acquire a new access token, paste it in the bearer section and call for the users info again, it gonna show up eventually. But how will we handle this in real time, how will the access token gonna sit automatically and persist when calling these apis from the front end ?

qq, how can I ensure that I have http cookie on a client?

43:31 If there's no JWT cookie during logout, shouldn't we send one of 400 codes? Like 401- Unauthorized?

Hi Dave, I have a question, why do I have to save the token to database? How is that helpful? because you are clearing it from the database, when you created the logout middleware. We can just clear the cookies using the clearCookies as you have done and again we are resetting it to empty string. And is this how authentication done in micro service applications? Or do we pass the token in authorization header in order to access the protected routes? PS - Thanks for making these authentication and authorization series. Loving it. 😍😍.

whats the voice change at 36:50 got me shooked

Help me understand something. Say I authorize by hitting the auth endpoint, get a jwt and a refresh token, and the jwt from auth gets stored in memory in my app. Later, I request a protected endpoint, say a list of employees. I send the api request to get the employees, and that endpoint determines I am expired and therefore grabs a new auth token, I obviously need to get that new auth token from the response to store in my application. Does that mean that every request to every protected endpoint has to return an auth token, which is either the existing one that hasn't expired, or the one that was created from the refresh token?

when we send a get/post request to the protected API we need to set the bearer access token in the cookie so it will be stored in the cookies and vulnerable to XSS or crsf attacks or not like that? what we gained by sending it from the login/refresh API using JSON and storing it in the memory then if we send it back using an authorization bearer token to the API? I'm confused!

if someone got issue at 24:05 and got this error message: Error: secretOrPrivateKey must have a value at at Object.module.exports [as sign] I find on google a fix by adding string 'process.env.ACCESS_TOKEN_SECRET' 'process.env.REFRESH_TOKEN_SECRET'

Thanks for the info, but whitelist is not a racist word. Some programmers know so much about code, and so little about reality

I'm a bit late to this back end party, everything works accept I had to use Postman for the refresh and logout routes. Thanks Dave. 🌮🌮🌮

Thank you for nodejs playlist, Your clear explanations and practical examples made the learning process engaging and effective.

If I were using MongoDB as my database, would I need to add a refreshToken field in the mongoose schema?

Hey Dave, Thank you for putting this video with great explanation 👌 I have a question, why did you put `req.user = decoded.username` (21:30)? Since we are not using the username from the request in employeesController functions, should we put decoded username in the request? Please let me know if I am missing something

secure:true doesnt send cookie to the backend when /refresh is called in my case. Why? and how to fix that?

I'm getting stocked at the refresh route part....I'm using thunderbolt to send the get request....it doesn't seem to ever resolve and the process keeps loading....and there are no errors thrown

Why do we need access token? Can't we use the refresh token itself? I did not understand that at all. Isn't it enough if we extend the validity period of the refresh token and send it in the header of every request and check it in the backend?

You are the best

can I ask you how can the frontend gonna know when to call the refresh API .. waiting your answer please

Hello, doesn't setting a refresh token cookie violate the REST Stateless principle in this case?

Hi Dave, I'm subscribing you from Turkey and really appreciate for your excellent contents. I just want to ask something. When I create the refreshTokenController and add the logic like you did, I'm registering, and having accessToken from /auth route and when I send a request to /refresh route it returns 401 Unauthorized. I thought maybe I missed something you did so I've downloaded the code from your repository. And I'm facing with the same result. What can I do about that? Thanks a lot!

.env - doesn't have quotes

At 23:00 while trying to test auth route after protecting with token, I'm getting an error. Error: secretOrPrivateKey must have a value at module.exports [as sign] (C:\GemReactDemo\server ode_modules\jsonwebtoken\sign.js:105:20) at handleLogin (C:\GemReactDemo\server\controllers\authController.js:21:33)

Thank you so much!

30:00 I don't understand which part in the refresh token allows it to create another access token when it is expired, can anyone explain for me?

Hey Dave, thanks for the great tutorial ! I get an undefined req.headers['authorization'] in the verifyJWT middleware. Any hint ?

You have to delete accessToken also on logout because suppose you have given 5 min expiry to the accessToken and then you logout before expired accessToken but in your tutorial you have delete only refreshToken but accessToken still exists so user can still access APIs before expired accessToken. If I'm wrong please correct me

Is there any other video that comes after that? I don't know how to use with front end. 😢

Just to be clear if the backend and frontend are on the same domain we don't need to set the "Same Site: none".

probably the most detailed series on the youtube, although really wish you used ts

hi dave, i get this error when i try to login: blocked by CORS policy: No 'Access-Control-Allow-Origin' header is present on the requested resource. and have the allowedorigins and corsoption my code is similar to yours but its with postgresql, and im using redux on the front end on localhost works fine but on the deployed web page this happens

thnks for the video Dave, i had a question what if i want to revoke a user from accessing secure resources from API what would i need to do ? just remove that refresh token of user from DB immediately ?

41:00

Thank you very much again. 59:20 - Is it possible that after the last changes which have been made to the code - The "GET refersh" call is no loger refresh the cookies, and respond only with "401 Unauthorized"..?

When I test the refresh route at 38:45 I'm getting a 401 unauthorized response with no cookies available. I've followed along with the first 40 minutes of this tutorial line by line from scratch several times and the refresh route keeps failing. So I also cloned the repo, installed packages, created the .env file, and I still get stuck testing the refresh route with a 401. Dave is the GOAT of youtube coding tutorials, but this one makes me want to run into traffic. I've sunk in far too many hours on this. MOVING ON.

Please make one video Node JS microservices crash course

how does the access token in the auth header change when we use the refreshtoken handler?

Those JWTs are going to be far to big to be set as a cookie in the browser. >4 kb

Hello Dave. Is it neccesary to store refresh token in DB? In other tutorial you skipped this step. Thanks in advance for response

This is a very valuable video for me. I've been trying to understand how the aT and rT works. Thanks very much

In 38:55 when i hit send for the /refresh route i get a response of "unauthorizd". I tried logging the request.cookies.jwt (in the handleRefreshToken) and its undefined. For some reason the cookie is not automatically sent on the request. Moreover when i use the /auth route i do see the accessToken and the cookie (with the refresh token in it) what could be the problem?

Excellent content, u are very much unique in teaching different scenarios and I’m so impressed , your channel teaches real-time scenarios, create a Udemy courses will be great 👍 , one question can you do a oauth authentication on node, and when do frontend should call refresh token api

Thank you very much. 58:09 - I've checked it : By adding "secure: true" - Refreshing the access token is getting responded with: "401 Unauthorized". Once you delete "secure: true" from authController's res.cookie - Refresh works properly. (And the access token is refreshing with every call to "GET refesh". Do "res.cookie(secure: true)" and refreshing (access token) call- contradict each other?

Hey Dave! How is JWT access token invalidated following user logoff? I can see that refresh token is removed but JWT access token remains valid for some time.

Hi Dave I have did the sam thing but in 39:28 i didnot get any access token,it shows unauthorized,pls help

Good, gooood.

Thanks teacher Dave for making this api totorial availabe,

Great tutorial, thanks a lot. I hava just one question, why don't you use Passport JS for authentication? I say that because I saw Passport JS is frecuently used for this

i have few questions 1 - why did you use req.user = decode.username at 21:24 2- can you provide the front end code please if possible everything else was good but took long to understand

Again great video. Thank you very much Dave.

Weird, got this message: It seems that the size of the like button requested is not available. Please contact KZbin Support for a bigger like button.

Hello, thanks for the video. But i got an issue wiht the cookies generated. I can't retrieve it from the handleRefresh and logout.

Hey Dave, thx for this video, it was very informative. I was having issues w/ the JWT middleware causing CORS issues. Turned out when you call the api from the browser (through a react app, for example), it sends 2 requests: an OPTIONS request, followed by the request your front end asked for (GET, POST, etc). In order to fix it, I added a line at the top of my verifyJWT middleware function that returned next() if the req.method was OPTIONS. If anyone else has this issue, hopefully this comment will help them.

And bro why should we need access token and refresh token ..why don't we use refresh token for the Authorization...

Thanks for your videos... I learned a lot from your videos. My thunder client didnt work as per your video. After logging in and getting the access token and the refresh token cookie. when i tried to do the /refresh, the cookie wasn't send together. I got empty cookie. When i use postman, its the same case but i can manually add the refresh token cookie into the request and it works. REALLY appreciate your video, one of the best video out there.

Excellent tutorial. If you could share the frontend form please.

Great Explanation 😊

Thank you for the excellent video. I have two questions please: 1- Can we depend only on refresh token without the need of generating the access token? 2- Can we depend only on a session token (without the need of jwt) ?

Thank you for the JWT tutorial, it's very helpful!! I have a question. In logoutController.js, res.clearCookie('jwt', {httpOnly: true}) is used twice, for condition "if(!foundUser)" and for no condition. Is it problem if I just delete res.clearCookie('jwt', {httpOnly: true}) for condition "if(!foundUser)" because res.clearCookie('jwt', {httpOnly: true}) is applied anyway?

Great explanation Dave ..complete this series? ??

You are awesome. Great videos with a rich content.

Thank you so much. Do you have a starting point for how I can intercept request/response using fetch rather than axios?