JWT Authentication Tutorial - Node.js
Рет қаралды 1,051,834
Күн бұрынJSON web tokens are one of the more popular ways to secure applications, especially in micro-services, but JWT is much more complex than a simple session based user authentication. In this video I will be breaking down exactly how to set up authentication with JWT and how to ensure the authentication is secure. I will also be showing how to setup refresh tokens with JWT so that your application is even more resilient and secure. Lastly, I will show how to invalidate refresh tokens which is the ultimate last step in securing an application.
📚 Materials/References:
User Authentication Video: • Build Node.js User Aut...
JWT Explained Video: • What Is JWT and Why Sh...
GitHub Code: github.com/Web...
🧠 Concepts Covered:
- Creating Node.js authentication middleware
- Using refresh tokens with JWT
- Authenticating users with JWT
- Invalidating refresh tokens to log users out
- How to use JWT securely
🌎 Find Me Here:
My Courses: courses.webdev...
Patreon: / webdevsimplified
Twitter: / devsimplified
Discord: / discord
GitHub: github.com/Web...
CodePen: codepen.io/Web...
#JWT #WDS #Authentication
@aram5642 3 жыл бұрын
The single tutorial a dev should ever watch to get their heads wrapped around auth. Great pace and flow, pure English, pleasure to watch and listen to!
@SuperRockthing 5 жыл бұрын
I discovered your channel 30 minutes ago and I have already subscribed. Your way of explaining things with minimum jargon and straight forward approach is so refreshing.Keep up the good work!
@WebDevSimplified 5 жыл бұрын
Thank you so much! My goal with the channel is to teach the most amount of content in the least amount of time, since time is the most valuable resource we have.
@serkanakman9945 4 жыл бұрын
@@WebDevSimplified that is what makes you and your channel great!
@phani123d 4 жыл бұрын
@@WebDevSimplified great
@raymondyoo5461 3 жыл бұрын
totally agree :)
@mosesegboh Жыл бұрын
True. He is one of the best ones.
@tinnyw2 3 жыл бұрын
Kyle has an amazing talent for teaching and this demystifies a lot of how to implement JWTs on the server end. If I may, one caveat I would add is adding access and refresh tokens in the body payload may be prone to being stolen in an XSS attack and depending on how secure you would like to make your site you might want to instead store them on http-only & secure cookies with a samesite set to at least lax so they're not read by Javascript and easily stolen. Again, this tutorial is on point on so many levels and amazing!
@3042640426 2 жыл бұрын
Do you have any solution for that? Thx
@AlanJoelSchneider Ай бұрын
@@3042640426 Store tokens in cookies with http-only, secure and same-site
@ROCKEFELLAPRODUCTIONS 4 жыл бұрын
You nailed these tutorials! I actually understand what you are explaining. You don't dilute it with unnecessary lingo in an attempt to sound smart. Thank you!
@ocoocososococosooooosoococoso 3 жыл бұрын
I'm from South Korea, Kyle explains in a concise and straight plus simple easy way which makes me understand way better than Udemy courses.
@chaop4o878 4 жыл бұрын
I am so close to start crying of joy. I just spent so long trying to figure this out and then I found this video. Thank you so much. Honestly, you make my favourite tutorials.
@RasmusSchultz Жыл бұрын
If you're building your own authentication system, it's a really good idea to include a flag in your payloads, to indicate whether that token was generated by authenticating with user credentials, or by using a refresh token. You can use this flag to authorize sensitive operations, such as changing your password or making payments - so if the user didn't log in recently, you can prompt them to log in again for sensitive operations. I would say this is a must for most applications.
@abdulazeez.98 Жыл бұрын
I’ve encountered this in some websites. Nice to know how it was implemented.
@duythinh252 Жыл бұрын
What a great information right there! Thank you for sharing. I immediately recognize the use of the flag in payload when I changing my facebook password for example, it requests me to re-enter my password again for authenticating with user credential
@aynuayex Жыл бұрын
ya.we love to see how we can implement that.
@shahreazneeloy2119 Жыл бұрын
You have a KZbin channel. Please make a video on this topic
@mohammadalaaelghamry8010 Жыл бұрын
Thanks for the note. it helped me.
@number1neek 3 жыл бұрын
Great video as always! Just wanted point out that what's being covered here is called authorization, not authentication. Authentication is when you confirm a user's identity and authorization is giving that user access to parts of the website
@CodeDreamer68 2 жыл бұрын
Thanks for keeping it simple! You are living up to your name. I watched 5 other jwt videos from well-known vloggers, and was still left confused. This one was spot on. I get it now. Thanks!
@samgram5122 4 жыл бұрын
You blink a lot, but holy crap! You speak so clearly and teach so well without any cuts! AMAZING! Thank you so much!
@aubz9924 4 жыл бұрын
Kyle, it would be amazing if you could make a video on how to handle JWTs on the client-side, particularly in React, in order to close the loop on this topic. As always, awesome video :)
@aspected 4 жыл бұрын
I second this! I think Ben Awad made a video about that but doesn't go into much detail
@robertjif6337 4 жыл бұрын
I want to see this too, wanna know if what I'm implementing is actually correct
@Robd515 4 жыл бұрын
Funny, I'm coming to this video because I know how to implement it with React and not without it. I learned through Brad Travery so you may want to look through his videos.
@doberman7 3 жыл бұрын
@@Robd515 could you share an URL?
@adityanair3566 3 жыл бұрын
@Kyle, please see this comment! Awesome work man, you are giving immense value to society.
@drteeth11 5 жыл бұрын
Yoooo, I just found your channel this week and wanted to let you know I love your content. Super informative, clear explanations, all around great videos. Keep up the good work!
@WebDevSimplified 5 жыл бұрын
Thank you so much! I hope my future videos are just as useful.
@BrunoWinck 5 жыл бұрын
same :) feeling very lucky
@PaweAndruszkow 3 жыл бұрын
this is how code tutorial video should look like! Simply, precize, no overtalking, just exact content we need, very good job!
@AwkworldStudios 4 жыл бұрын
Thanks for making this! Fun fact for anyone else watching: you can configure dotenv from your package.json scripts so that you don't have to write require in every file by using the -r flag and dotenv/config like so: "scripts": { "dev": "nodemon -r dotenv/config index.js" },
@vinaydixit81 4 жыл бұрын
Everything is good. But i would suggest you to be little slow when you do the code.
@majoulwa 4 жыл бұрын
Hi, I would particularly like to praise your clear explanations and your super clear pronunciation. So it is very easy to understand, even for someone like me, who doesn't have a lot of experience in English and who often has trouble following English-language content with a strong accent. Really great!
@XiagraBalls 3 жыл бұрын
Your tutorials are some of the best on YT and I watch a LOT of programming tutorials! 👍🏻👍🏻👍🏻👍🏻👍🏻 🌟🌟🌟🌟🌟
@dheerendrapratapsingh9406 Ай бұрын
I come to your channel to learn one thing and most of the time I learn 2-4 new things for sure.. Thankyou..You are one the best teachers..Love from INDIA..🇮🇳🇮🇳🇮🇳
@ryanlarge6296 Жыл бұрын
Thank you Kyle for another great video!! Especially by making some confusing topics much clearer and understandable in such little time. I think that many of us could benefit a thousand times more from this jwt knowledge if you created a sequel to this video, or even simply a separate video all together explaining how this backend logic is tied in with the front end via a js framework or keeping it simple like ejs or regular html. There is not a whole lot of good quality educational videos or documentation covering how it can all be connected and implemented into a true fullstack application. It took me a very long time to figure out how to serve my front end as well as authenticate users with jwt using ejs. I would love to see a good video on this from you. Thank you again!
@mykolakecha 2 жыл бұрын
This is probably the first time I'm writing a comment to a video. The reason - just wanted to acknowledge the quality of content. Especially how nice & simple everything is explained.
@juanetehOK Ай бұрын
i was looking for one day some simple explanation like this for jwt usage, thanks a LOT!
@juhandvan 3 жыл бұрын
Kyle is a really good teacher. His tutorials helping me a better developer.
@VishalKumar-dv6qj 2 жыл бұрын
Everything was straight-forward and on-point. One question arises - Why we need to create a refresh token when we can delete the previous access token when user logs out? In that way he will not be able to use that access token forever
@brianchandler3346 3 жыл бұрын
The absolute clearest tutorial I've ever seen on the topic. I wish I had found this earlier.
@STUPIDYOUTUBE_HIDINGMSGS 2 жыл бұрын
This is the cleanest for me: kzbin.info/www/bejne/j6DGg6RjgMqmea8
@divyanshubhatnagar4601 3 жыл бұрын
Have to say this was short and loaded with information. I really liked the part where you also explained the Auth and Resource server. Really appreciate the content :)
@chronosoutoftime6685 3 жыл бұрын
this is a very good starting point, but in my opinion it misses some parts: - first if the client refreshes, since you are not persisting the refresh token anywhere it will need to login again, and this can be fixed by storing it in a httponly cookie which is still vulnerable, - second the client part is completely missing, i know the purpose of this is to keep things simple, but then ppl needs to do real stuff. probably the refresh requests should be sent little before the accesstoken expires. - the array of refresh tokens or the db where you store them, means that we are not differing too much from usual session management which is opinable. Anyway, yours are very great tutorial, i am wondering what tools you use for registering videos
@lordrampenthump422 2 жыл бұрын
Its really hard to explain how valuable this channel is to me. Thank you for existing
@SaadShah1133 3 жыл бұрын
I tried to implement JWT by watching different tutorials but i couldnt understand it, your video was the only video i understood, best node js videos keep it up; great work
@Bruno87198 Жыл бұрын
Exactily what I need! You just got a new subscriber. Simple, direct to the point, no use of database and other things, really direct to the point! Saves a lot of time. Thank you!
@garrafromsand 3 жыл бұрын
Very distinct skill of explanation, could not be more lucid than this, 2 days of here and there in 20 min
@Bananabanananax 2 ай бұрын
11/10 video. I just implemented this for a rock climbing app i'm creating. Tomorrow I will figure out how to manage the keys in my database rather than in the program.
@spetsnaz_2 4 жыл бұрын
Man! every video of yours are most simplified on the web one could ever find.....Great work
@qintotgroup 2 жыл бұрын
Where have you been all my life Bro. --- THANK YOU for making my job eaaaaaaasy.
@debmallyabhattacharya4394 4 жыл бұрын
This lives up to its name. Truly simplified. 💙
@ni_kabiu_john Жыл бұрын
Who said pretty men can't code... man thanks sooooo much for this.. i 'have been afraid of backend dev, but now i learning smoothly..
@PyroManZII 4 жыл бұрын
Your channel is incredible and so informative! I clicked on the video to learn the best way to handle JWTs and in the first couple of minutes I am already learning about all these different things I didn't even know I didn't know. Do you happen to be an educator at all? It seems like you would be a great lecturer or teacher at a Uni or College.
@WebDevSimplified 4 жыл бұрын
Thank you so much! I am not a professional educator. I have been offered a job as a University professor before, but I love teaching online so I turned it down.
@scigama71 3 жыл бұрын
i echo the sentiment that i have learned more with this video then reading books for hours.. Well done :)
@ghilmanfatih9751 3 жыл бұрын
certified beginner-friendly enlighten my noob jwt knowledge in less than an hour
@ozzyfromspace 3 жыл бұрын
This was a highly informative video and I’ve gotta say, I learned a ton watching you code this up! I do have a minor point of contention about the refresh token though.. you created the refresh token without an expiration date, so what’s preventing me from just using that on your 3000 server indefinitely? Hope someone can lend their perspective to this question :) Again Kyle, FABULOUS EXPLANATION! 🥳
@namminb6101 2 жыл бұрын
I think he made a mistake .. if someone gets the refresh token, they can use it to indefinitely generate new access tokens. The issue is not even that, the issue is that the reason we are using refresh token is so we can later invalidate it (allow user to logout and remove the refresh token from database), the issue then comes, if the user logs in again, the same exact refresh token (that the hacker already has) will be created again (since all inputs are the same), and the hacker can now continue generating access tokens, defeating the whole purpose of refresh tokens. I think either an expiry date or some other dynamic value should be added so that we create a new different token when a refresh token is invalidated (deleted from database).
@zachwhite8054 4 жыл бұрын
Dude you might be my favorite web dev channel at this point. Massive Traversy fan and I also like Academind but damn this stuff is good
@johnnydriesen7575 4 жыл бұрын
Same here :)
@MariaSantos-em5jv 4 жыл бұрын
He explains things very well and at a nice pace.
@farisfajar6982 3 жыл бұрын
Thanks youtube for recommend this channel. I just started to learn programming two weeks ago and find your channel. It is great content for me even i still did not really understand it most of the part so i need to learn a lot from the scratch.
@random2402 Ай бұрын
Thank you bro for this amazing content. Just clean content, no bullshit. Thank you so much.
@natyragashi982 2 жыл бұрын
Thank you man, you are one of the rarest who gives real solutions
@santhanamelumalai8025 3 жыл бұрын
Thanks for the video, I never saw tutorial video without skipping its part, but you broke that with the great way of story telling. Very helpful video.
@raicubogdan8078 Жыл бұрын
i love how effortless and efficient you explain everything. and all the tools you use are really cool and easy to setup. thanks!
@solofaxum 4 жыл бұрын
Bro you are the best. That is all I can say. you simplify the complex. ...keep it up.
@nfkt101 2 жыл бұрын
Express discontinued using body-parser, so anyone watching this video after 2020 they have to install body-parser separately along with express and other modules.
@krunalchauhan5780 3 жыл бұрын
When I feel to buy any paid course then your video motivate me to save my money ❤️
@dericbytes Жыл бұрын
I always pick up something new from your videos. Thanks
@MrVipulLal 7 ай бұрын
Your videos are always brilliant. A big 🙏
@dragmove 4 жыл бұрын
This video is perfect for me to understand a concept of JWT token and refresh token. I really appreciate it. Thanks Kyle. :)
@nithigd1014 3 жыл бұрын
Thank you for explaining complex concepts in very simple and straight forward way I watched many of your videos and I learnt a lot of things that no body could teach in 1 video but you are way of explaination is awesome, you are one of the best teacher in the universe, thank you so much :)
@Tibo437 3 жыл бұрын
Thanks a lot from France for your video, this is so simple doing things with your explainations, please never stop ;)
@denibegaj4564 4 жыл бұрын
Thanks, coming from the world of ASP.NET this was piece of cake. Dudes over there make it look like rocket launching, when it actually is a very simple mechanism.
@eduardotavares76 3 жыл бұрын
The best JWT video ever! You are amazing! Keep doing things like this.
@haha-eg8fj 4 жыл бұрын
That Rest Client plugin is so useful! Works like a charm.
@codeforlife9513 3 жыл бұрын
Kyle your video inspires me to learn more...and makes easy to understand all the aspects. Thank you so much.
@kupaporusku 3 жыл бұрын
Nice, would be great to see it with implementation with frontend for ex. with react
@scu8a 3 жыл бұрын
Thank you for the quality tutorial. You're clear-spoken, and just the right speed for learning. At one point, I thought "This guys IQ must be over 140" - BTW, this is the first video of yours I watched. I found this video when I did a google search for "web token authentication". Again, very nice work.
@avivshvitzky2459 4 жыл бұрын
I still have some stuff that isn't clear to me, but you probably won't see my message, so i'l just say that you are an amazing teacher, you really have a skill in that area!
@WebDevSimplified 4 жыл бұрын
Thanks! I have another video on JWT that explains JWT in depth you may want to checkout.
@avivshvitzky2459 4 жыл бұрын
@@WebDevSimplified I think my biggest question is how the refresh token isnt prone to stealing as the access one
@ConorBailey 3 жыл бұрын
Kyle. Your videos are so helpful. Thanks so much.
@LithiumFireX 2 жыл бұрын
Hello Fireship, I love your 100 seconds videos.
@zeeshannagori007 4 жыл бұрын
Thanks Kyle for the information on this topic. Can you make a video on how to store the JWT on the client-side (best way to store JWT on the client-side) and how to send it back to the server whenever the request is made. Thanks again.
@daniloespinozapino4865 3 жыл бұрын
You did a really good job with this video dude. Simple and clean.
@dddddbbb 4 жыл бұрын
Incase anyone else gets this problem - by default developer powershell seems to go to the folder before your actual project directory. e.g. repos\myproj instead of the repos\myproj\myproj folder. This means unless you change directory before doing all the commands listed in the first couple of minutes it then creates duplicate files in the wrong folder. You will get errors such as missing index.js etc and you will end up with two json files. cd yourprojectnamehere before running these commands will prevent the errors. You may also get an error regarding digitallysigned - fixed by running the following Set-ExecutionPolicy -Scope Process -ExecutionPolicy Bypass
@atsglobalservices6136 Жыл бұрын
God bless you dev. This tutorial was fantastic! I understand what you're saying. You don't dilute it with unnecessary jargon. Thank you very much.
@mayank_upadhyay_19 4 жыл бұрын
Let me tell you that it was complicated, but after watching few times, I got the concept and implementation.
@pranjalsinghkatiyar4972 Жыл бұрын
hey Kyle its good to see such a clear and refined video from backend side ... but could you please make a video explaining how client side uses the Refresh and Access JWT.
@AbhishekKumar-vl3cb 3 жыл бұрын
Have a good day you too...👍🎊 You just SIMPLIFIED my WEB DEV query in few minutes... ❤️🙏
@jungminkim313 2 жыл бұрын
quick tip for people struggling with the request.rest file... there should be no line between the request and the header, but there should be one line between the header and the body. I was confused because I'd never been in a situation where the blank lines really mattered but... it does here.
@ShreeMamadevji Жыл бұрын
Very Good explanation Brother u are looking like Paul Walker of fast and furious
@nabiisakhanov3522 4 жыл бұрын
Darn it Kyle, I get shocked every time I see you fixing mistakes in the code without a delay of thinking. I wonder if you make those typos on purpose to show people a few common ones, or you are just so good at coding you already know what's wrong as soon as you see an error :D
@WebDevSimplified 4 жыл бұрын
Sometimes I make mistakes on purpose but usually it is an honest mistake. Many times I edit out the pause that I take to fix the error though. I generally take a bit of time to find and fix my bugs.
@nabiisakhanov3522 4 жыл бұрын
@@WebDevSimplified oh, I see :) Whatever, your skills are very impressive still, and all the knowledge you share with people for free is just so precious for the webdev community. Personally I am going through my intership right now and it sometimes consumes a lot of time to find a reliable tutorial on some technologies. Your channel provides a big help here :) will consider becoming a patron next month
@WebDevSimplified 4 жыл бұрын
@@nabiisakhanov3522 Thank you so much!
@AndreFreitasTech 2 жыл бұрын
You have won a subscriber! Good content, thank you for sharing!
@vuenice 6 ай бұрын
At 12:10 why checked for null when it is undefined, you could directly check "if(token)", Also in the line above you can directly write const token = authHeader?.split(' ')[1]
@aynuayex Жыл бұрын
great content.since the video is outdated and also you are handling the refresh token manually(u are getting the refresh token through a post request not from the client directly) and does not have expire time,also we like to see how we can implement in react and also with the passport-jwt.we need updated new video on this since you are good at time.ya u deserve 1m subscribers.
@chitrangsharma 3 жыл бұрын
Best programming ASMR channel 💓
@joicyjoy9658 3 жыл бұрын
Kyle.....You are a gem for developers....
@JannisAdmek 3 жыл бұрын
You have such a fantastic way of teaching!
@flippenj1965 3 жыл бұрын
I like your video a lot! A question though, if im not using postman or rest, how do i actually store the token in the auth header? I'm new to programming and I love your vids man! Keep doing what you're doing :)
@BruceArmstrong09121997 4 жыл бұрын
Owow I just realised I clicked like button while watching just like natural action I never like most videos I see in general I must have instinctively like your videos!
@zZMazeZz 2 жыл бұрын
Okay but what do you do with the access token in the response? How do you store it? Obviously your user is not going to be copying and pasting it.
@anamashraf8996 6 ай бұрын
How do we store the refresh token in client side securely?
@viktorlernt6063 2 жыл бұрын
Thanks Kyle, very helpful to learn using JWT with JavaScript!
@Formula7Driver 3 жыл бұрын
Thank you very much for clarification of JWT usage. Just the tiniest of details... It would be perfect if the login request was at the top of the .rest file, just to follow the workflow. Since we have just 15 seconds to copy the token and paste it into the GET request, order of requests inside rest file does matter.
@LoveYourKitties 4 жыл бұрын
Great stuff on JWT! I needed this info for my current project at work, and this came in extremely handy! Subbed!
@bobbyboxer2664 2 жыл бұрын
Awesome video! Thank you for taking the time to do this type of content 🙌🙌
@unsignedchar000 3 жыл бұрын
Great pacing, great delivery. Well done!
@vladstanciu5923 4 жыл бұрын
Really nice video, i just leared all I needed to know about jwt in order to use it in my project. Thanks a lot dude! Really big thumbs up
@abdulkadirguven1173 2 жыл бұрын
Thanks a lot Kyle. Great video as always
@gwulfwud 4 жыл бұрын
Your explanation is so on point! It helped me understand JWT better. Thank you. So are refresh tokens really better stored on a database then or cached in the server?
@bloodyroar123 4 жыл бұрын
Yes. He said " don't use array for production , just store in database or reddis etc...
@antontrofymchuk3428 4 жыл бұрын
It is just awesome. Unbelievable clear and useful explaining. So many thanks to you!
@crazytk16 4 ай бұрын
JUST THE TUTORIAL I NEED IT!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
@marksiely4747 6 ай бұрын
Very good tutorial, thank you very much! I see you don't use database in your jwt, is it better this way, please explain e why👍
@eneomaos33 Жыл бұрын
You have no idea how long it took to get this working, not your fault lmao. Thank you!
@LuisPerroneF5 4 жыл бұрын
Great video Kyle. Straight to the point! 👍
@ashuthe1 Жыл бұрын
This Person is gem for developers :)
@programer9620 Жыл бұрын
Thanks buddy, as always your videos are very useful & helpful😊
@joicyjoy9658 3 жыл бұрын
From your previous video I understood JWT is used only for Authorization not used for Authentication. Correct me if I am wrong.
@apoorvlele6257 2 жыл бұрын
great video man. you made it so easy to understand
@sahandjavid8755 Жыл бұрын
Great video, thank you. The part that I felt is missing is how expire date is being included in the payload and jwt library is not keep tracking the expirations
@lordknighton 4 жыл бұрын
You should have called this a JWT Master class
Ulbi TV
Рет қаралды 526 М.
حرف إبداعية للمنزل في 5 دقائق
Рет қаралды 34 МЛН
Fabiosa Best Lifehacks
Рет қаралды 5 МЛН
Dan Vega
Рет қаралды 399 М.
Code Realm
Рет қаралды 489 М.
🔴 Let's build a Deliveroo Clone with REACT NATIVE! (Navigation, Redux, Tailwind CSS & Sanity.io, TS)
Sonny Sangha
Рет қаралды 999 М.
Intellipaat
Рет қаралды 470 М.
Intellipaat
Рет қаралды 221 М.