Brian Bui

Reputation: 123

Where does the Token come from in a real app to check for authentication?

I am studying Node.js currently from Udemy courses and the instructor would teach us how to set up JWT to have user authentication in our web app. We would set up the logic behind the verification and use POSTMAN to send the signed token so our app would check if it is the correct user.

The thing is no one has taught how this works in a real app because in the course we always add in the Bearer token manually into our POSTMAN app. In a real app, how is the Bearer token created for me to check if the user is authenticated?

Sorry if this question doesn't make sense. I'm new and am struggling to explain the problem.

Upvotes: 0

Views: 425

Answers (1)

Plee

Reputation: 591

Just to be clear, you say that you "set up JWT to have user authentication in our web app"; keep in mind JWT isn't necessarily used for Authentication, but rather for Authorization. People typically like to use them together, but there's a defined distinction between the two.

With that cleared up, let's say you log in to a forum. On the login page you send your user/password to the webserver, the webserver Authenticates your credentials and then returns a JWT to you, the client. Your web browser will store the token as a cookie or in local storage and then you can use the JWT to securely hash the data you are sending to ensure integrity for Authorization. Keep in mind, this is not a form of encryption (but you can encrypt them); JWT is meant to validate that the client is who they say they are by holding the hash signature in the token. This protects against Man in the Middle attacks, or anything else trying to tamper with your data before it is sent to the server. Since JWT validates authorization, it's convenient for Single Sign On across numerous web pages, meaning that since you have a JWT token, you can access any forum thread without having to re-authenticate your credentials.

In order to practically use this, when you write your client side webpage, whenever it makes a request you typically put the Bearer token in the Authorization header, which should look like the following:

Authorization: Bearer <token>

So in client side JavaScript code, let's say you send a jQuery Ajax request for the comments of the Thread in the forum page you just visited. You already logged in and you have your Bearer token. In the Ajax request you would add your token as so:

$.ajax({
    url: "http://localhost/thread",
    // jwtToken should be read from the cookie (or local storage) set at login;
    // a template literal needs backticks, not double quotes
    headers: { "Authorization": `Bearer ${jwtToken}` },
    type: "GET",
    success: function (comments) {
        // populate thread with comments
    }
});

Your webserver should take that HTTP request, verify the authorization token and then send back the comments. If the authorization token is not verified, then the integrity of the request is compromised and your server should just ignore the request.

Check out the documentation for more details and how they are used: https://jwt.io/introduction/

Upvotes: 1
