The article is about interfacing an Angular 8 Project with a secure backend API. The Backend will be running on Node.JS. The security that will underlay the interfacing will be JSON Web Tokens. At the end of the article, you should have learned to; What is JSON Web Tokens? JSON Web Token is an RFC Standard (Request for Comments) . The RFC Standard is a best-practice set of methodologies. It takes in a JSON object and encrypts it using a secret key that you set, HMAC algorithm, or a public/private key pair that can be generated using RSA or ECDSA. For this tutorial, we will be using a secret key. https://tools.ietf.org/html/rfc7519 Why use JSON Web Tokens? It is a secure way to verify the integrity of the exchange of information between the client and the server. We will adapt it for authorisation so that in case of any breach, the token will not verify or expire based on time. Theory in Practice We will be using Angular on the frontend and a Node.JS server on the backend. On the Angular side of things, an interceptor will be created. An interceptor is a service that will break any HTTP Request sent from Angular, clone it and add a token to it before it is finally sent. On the Node.JS side of things, all requests received will first be broken and cloned. The token will be extracted and verified. In case of successful verification, the request will be sent to its handler to send a response and in the case of an unsuccessful verification, all further requests will be canceled and a 401 Unauthorized status will be sent to Angular. In the interceptor of the Angular App, all requests will be checked for a 401 status and upon receiving such a request, the token stored at Angular will be removed and the user will be logged out of all sessions, sending him to the login screen. Let’s create the Angular App: ng angFrontend new Now let’s create our Interceptor: ng generate service AuthInterceptor Now go to src/app/app.module.ts We will be importing the HTTP Module for HTTP Calls and making our interceptor as a provider so it has global access to all HTTP Calls. { BrowserModule } ; { NgModule } ; { AppRoutingModule } ; { AppComponent } ; { HTTP_INTERCEPTORS, HttpClientModule } ; { AuthInterceptorService } ; { HomeComponent } ;

@NgModule({ : [
    AppComponent,
    HomeComponent
  ], : [
    BrowserModule,
    AppRoutingModule,

    HttpClientModule
  ], : [
    { : HTTP_INTERCEPTORS, : AuthInterceptorService, : }
  ], : [AppComponent]
}) { } import from '@angular/platform-browser' import from '@angular/core' import from './app-routing.module' import from './app.component' import from '@angular/common/http' import from './auth-interceptor.service' import from './home/home.component' declarations imports providers provide useClass multi true bootstrap export class AppModule Now let’s open the interceptor service class: Now go to src/app/auth-interceptor.service.ts: { Injectable } ; { HttpEvent, HttpInterceptor, HttpHandler, HttpRequest, HttpErrorResponse } ; { catchError, filter, take, switchMap } ; { Observable, throwError } ;

@Injectable({ : }) {


  intercept(req: HttpRequest<any>, : HttpHandler) { .log( ); token: string = localStorage.getItem( );
    req = req.clone({ : req.headers.set( , + token) });
    req = req.clone({ : req.headers.set( , ) });
    req = req.clone({ : req.headers.set( , ) }); next.handle(req)
        .pipe(
           catchError( { (error && error.status === ) { .log( )
                } err = error.error.message || error.statusText; throwError(error);                    
           })
        );
  }  
} import from '@angular/core' import from '@angular/common/http' import from "rxjs/operators" import from 'rxjs' providedIn 'root' export class AuthInterceptorService implements HttpInterceptor next console "Interception In Progress" //SECTION 1 const 'token' headers 'Authorization' 'Bearer ' headers 'Content-Type' 'application/json' headers 'Accept' 'application/json' return ( ) => error: HttpErrorResponse //401 UNAUTHORIZED - SECTION 2 if 401 console "ERROR 401 UNAUTHORIZED" const return Section 1 As in authentication, the token we get from the server will be stored in the local storage, therefore first we retrieve the token from local storage. Then the httpRequest req is cloned and a header of “Authorisation, Bearer: token” is added to it. This token will be sent in the header of the httpRequest. This method can also be used to standardised all the requests with the Content Type and Accept header injection too. Section 2 In case of an error response or error status such as 401, 402 and so on so forth, the pipe helps to catch the error and further logic to de-authenticate the user due to a bad request (Unauthorised Request) can be implemented here. In the case of other error requests, it simply returns the error in the call to the frontend. Great, now let’s create the Backend. Create a Directory for the Server and type in npm init to initialize it as a node project: mkdir node_server
cd node_server
npm init -y Use the following command to install the required libraries: npm i -S express cors body-parser express-jwt jsonwebtoken Let’s create an app.js in the node_server folder and start coding the backend. Now, this is app.js and the boilerplate code: express       = ( ) bodyParser    = ( ); cors          = ( ); app           = express(); port          = ;

app.use(cors());
app.options( , cors());
app.use(bodyParser.json({ : , : }));
app.use(bodyParser.urlencoded({ : , : }));

app.get( , (req, res) => {
    res.json( );
}); app.listen(port, { .log( + port);
}); const require 'express' const require 'body-parser' const require 'cors' const const 3000 '*' limit '10mb' extended true limit '10mb' extended true '/' "Hello World" /* CODE IN BETWEEN */ /* CODE IN BETWEEN */ /* LISTEN */ ( ) function console "Listening to " Now we need to have a route where the token is generated, usually, in a production app, this route will be where you will be authenticating the user, the login route, once successfully authenticated, you will send the token. secret = ; app.get( , (req, res) => { userData = { : , : } token = jwt.sign(userData, secret, { : })
    res.status( ).json({ : token});
}); //SECRET FOR JSON WEB TOKEN let 'some_secret' /* CREATE TOKEN FOR USE */ '/token/sign' var "name" "Muhammad Bilal" "id" "4321" let expiresIn '15s' 200 "token" So now we have a route, a secret for encoding our data and remember a data object i.e userData. Therefore, once your decode it, you will get back to this object, so storing a password is not a good practice here, maybe just name and id. Now let’s run the application and check token generated: node app.js
Listening to 3000 We will be using postman to test our routes, great tool, I must say. As you can see, we have successfully generated our first web token. To illustrate a use case, we have just created a path1 and I want to secure this endpoint using my JSON Web Token. For this, I am going to use express-jwt. app.get( , (req, res) => {
    res.status( )
        .json({ : , : });
}); '/path1' 200 "success" true "msg" "Secrect Access Granted" Express-JWT in motion. app.use(expressJWT({ : secret})
    .unless(
        { : [ ]}
    )); //ALLOW PATHS WITHOUT TOKEN AUTHENTICATION secret path '/token/sign' To further illustrate the code, it states that only allow these paths to access the endpoint without token authentication. Now in the next step, we will try to access the path without a token sent in the header. As you can see, it didn’t allow us to access the path. It also sent back a 401 Unauthorized, so that’s great. Now let’s test it with the token we obtained from the token/sign route. app.get( , (req, res) => {
    res.status( )
        .json({ : , : });
}); '/path1' 200 "success" true "msg" "Secret Access Granted" As you can see, when adding the Bearer Token, we have successfully gotten access to it. Heading back to angular, I just created a new component home ng generate component home Now this is my home.component.ts file signIn() { .http.get( .API_URL + )
      .subscribe( { .log(res); (res[ ]) {
            localStorage.setItem( , res[ ]);
          }
        },
        (err) => { .log(err);
        }
      );    
  }

  getPath() { .http.get( .API_URL + )    
      .subscribe( { .log(res);
        },
        (err) => { .log(err);
        }
      );       
  } this this '/token/sign' ( ) => res console if 'token' 'token' 'token' console this this '/path1' ( ) => res console console So simply, on the signIn function, I am requesting a token and storing it into localstorage and then on the second function, I am requesting the path. Now when I run the application, this is a response, I am expecting. Now I am going to refresh, so I can lose the localstorage token, and then try to access the path. As you can see, we have successfully gotten a 401 Unauthorized, therefore our application is secured. Conclusion We have successfully secured our service and all communication between the two parties using JSON Web Tokens. This article has helped us in taking an overview of implementing the JWT in both Angular 8 and Node.JS. I hope this contribution will help you in securing your applications and taking a step towards making it production-ready. Github Repo https://github.com/th3n00bc0d3r/Json-Web-Token-Authentication-with-Angular-8-and-Node-JS Previously published at https://soshace.com/json-web-authentication-with-angular-8-and-nodejs/

JSON Web Auth Using Angular 8 and NodeJS

About Author

Comments

TOPICS

THIS ARTICLE WAS FEATURED IN

Related Stories

Desktop Application Development in ElectronJS Using Angular

JavaScript Frameworks for Frontend and Backend Developers [Top Ten Picks]

Angular 8.0 Has Arrived: What to Expect and How to Upgrade?

161 Stories To Learn About Authentication

3 Reasons for B2C Enterprises to Implement Single Sign-on Authentication

4 Dangers of Sticking with Outdated MFA Methods

Desktop Application Development in ElectronJS Using Angular

JavaScript Frameworks for Frontend and Backend Developers [Top Ten Picks]

Angular 8.0 Has Arrived: What to Expect and How to Upgrade?

161 Stories To Learn About Authentication

3 Reasons for B2C Enterprises to Implement Single Sign-on Authentication

4 Dangers of Sticking with Outdated MFA Methods

Light-Mode

Classic

Newspaper

Minty

Dark-Mode

Neon Noir

Minty

HN StartUps