Ale

Reputation: 121

Is it possible to create a JWT authentication or something similar in Node.js without using frameworks?

I'm creating a website and I've understood that the best authentication is through JWT, but I'm not a fan of frameworks because I like to go deep into the code and understand all the code in my files. Thus I'm asking if someone has done it, or something similar, in pure Node.js and could give me an explanation of how to do that.

Thanks

Upvotes: 1

Views: 1295

Answers (3)

solutionhacker

Reputation: 278

A lot of the answers on here are great - JWT tokens are indeed a standard for authentication, especially for OAuth. If you are using either JavaScript or PHP for your application, here is an open-source library I wrote named "QuickJWT" that may solve your basic JWT needs. I've been having problems finding suitable libraries myself to deal with JWT and so I decided to write one that makes encoding, decoding, and validating JWT tokens easier. Usually, there's a lot of code involved, so I made QuickJWT simpler to work with.

There are examples on how to encode a payload and sign it with a secret key. Hope this gives you an idea of how to work with JWT tokens and decode their payloads for details. Take a look at QuickJWT:

https://github.com/dominicklee/Quick-JWT

Upvotes: 1

Dror Bar

Reputation: 718

Depending on your needs, you might use something like this:

export const setJwtToken = (headers, payload) => {

    // base64url-encode a string (URL-safe alphabet, no "=" padding)
    const base64Encode = str => {
        // Work on UTF-8 bytes so non-ASCII characters are encoded correctly
        const bytes = new TextEncoder().encode(str)
        const b64 = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-_"
        const len = bytes.length
        let dst = ""
        let i

        // Full 3-byte groups become 4 output characters
        for (i = 0; i <= len - 3; i += 3) {
            dst += b64.charAt(bytes[i] >>> 2)
            dst += b64.charAt(((bytes[i] & 3) << 4) | (bytes[i + 1] >>> 4))
            dst += b64.charAt(((bytes[i + 1] & 15) << 2) | (bytes[i + 2] >>> 6))
            dst += b64.charAt(bytes[i + 2] & 63)
        }

        // Trailing 2 bytes become 3 characters, a trailing single byte becomes 2
        if (len % 3 === 2) {
            dst += b64.charAt(bytes[i] >>> 2)
            dst += b64.charAt(((bytes[i] & 3) << 4) | (bytes[i + 1] >>> 4))
            dst += b64.charAt((bytes[i + 1] & 15) << 2)
        }
        else if (len % 3 === 1) {
            dst += b64.charAt(bytes[i] >>> 2)
            dst += b64.charAt((bytes[i] & 3) << 4)
        }

        return dst
    }

    // Serialize header and payload to JSON
    const headerJson = JSON.stringify(headers)
    const payloadJson = JSON.stringify(payload)
    // Builds header.payload only; no signature segment is appended
    const token = `${base64Encode(headerJson)}.${base64Encode(payloadJson)}`
    console.log(token)
}

Upvotes: 2

jps

Reputation: 22515

Yes, it's of course possible, just consider how frameworks are made. There's no magic involved, just knowledge and a lot of JavaScript code.

You can find the sources of most frameworks on GitHub and study them there.

In a first step, you should make yourself familiar with the basics of JWT, e.g. with the help of this introduction and by reading RFC7519.

You'll find out that a JWT basically consists of base64url-encoded JSON objects and a base64url-encoded signature.

The simplest signature algorithm is HS256 (HMAC-SHA256).

In the jwt.io debugger window, you see in the right column the pseudo code for creating a JWT signature:

HMACSHA256(
  base64UrlEncode(header) + "." +
  base64UrlEncode(payload),
  secret
)

So basically you need to learn:

  • what information goes into the JWT header and payload (i.e. claims)
  • how to base64url encode a string or bytearray
  • how to create a SHA256 hash
  • how to use the hashing algorithm to create a HMAC.

With this, you already have a basic JWT framework that would allow you to create a signed token and verify the signature.

In the next step you can add "features" like

  • verification of expiration time
  • verification of issuer, audience
  • advanced signing algorithms.

You can use the jwt.io debugger to check if your token can be decoded and verified.

Upvotes: 2
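
The steps listed in the answer above (base64url encoding, the HMAC-SHA256 signature, then expiration, issuer and audience checks), as an added example that is not part of any answer on this page. It uses only Node's built-in crypto module; the names signJwt and verifyJwt, the error strings and the "exp is mandatory" policy are assumptions of this example.

```javascript
// Added example: HS256 JWT using only Node's built-in crypto module.
const { createHmac, timingSafeEqual } = require("node:crypto");

// base64url: base64 with "-" and "_" instead of "+" and "/", no "=" padding.
const b64url = (input) => Buffer.from(input).toString("base64url");
const fromB64url = (s) => JSON.parse(Buffer.from(s, "base64url").toString("utf8"));

// HMACSHA256(base64UrlEncode(header) + "." + base64UrlEncode(payload), secret)
const sign = (signingInput, secret) =>
  b64url(createHmac("sha256", secret).update(signingInput).digest());

function signJwt(payload, secret) {
  const header = { alg: "HS256", typ: "JWT" };
  const signingInput = `${b64url(JSON.stringify(header))}.${b64url(JSON.stringify(payload))}`;
  return `${signingInput}.${sign(signingInput, secret)}`;
}

// Returns the claims of a valid token; throws an Error otherwise.
// Assumed policy for this example: "exp" is mandatory, "iss"/"aud" are
// checked only when the caller passes expected values.
function verifyJwt(token, secret, { issuer, audience, now = Date.now() } = {}) {
  const parts = String(token).split(".");
  if (parts.length !== 3) throw new Error("malformed token");
  const [h, p, s] = parts;

  // Recompute the signature and compare in constant time, before parsing
  // anything the token says about itself.
  const expected = Buffer.from(sign(`${h}.${p}`, secret));
  const actual = Buffer.from(s);
  if (actual.length !== expected.length || !timingSafeEqual(actual, expected)) {
    throw new Error("bad signature");
  }

  // Pin the algorithm on the server side; the header must agree with it.
  if (fromB64url(h).alg !== "HS256") throw new Error("unexpected alg");

  const claims = fromB64url(p);
  if (typeof claims.exp !== "number" || claims.exp * 1000 <= now) {
    throw new Error("expired");
  }
  if (issuer !== undefined && claims.iss !== issuer) throw new Error("wrong issuer");
  if (audience !== undefined && ![].concat(claims.aud).includes(audience)) {
    throw new Error("wrong audience");
  }
  return claims;
}
```

Because the verifier always recomputes HMAC-SHA256 itself, a token whose header claims "alg": "none" with an empty signature fails the signature comparison before its header is even parsed.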
