express_csrf_jwt_study - A study about JWT Authentication along with CSRF prevention on Node.js Express
In this study, CSRF prevention and JWT authentication are implemented in a small example that is independent of any database or front-end implementation. HTTP requests were sent with Postman.
- A sign-out function and token invalidation have been added.
- **nodemon**: A tool that helps develop Node.js applications by automatically restarting the application when file changes are detected in the directory.
- **csurf**: A Node.js middleware used to prevent CSRF attacks. (Note: this module has been deprecated since September 2022 following security vulnerability reports. https://github.com/expressjs/csurf)
- **dotenv**: A module for loading environment configuration variables.
- **express**: A backend web application framework for Node.js.
- **express-session**: A session middleware for Express.
- **jsonwebtoken**: An implementation of JWT for Node.js.
- **node-cache**: A simple caching module for Node.js with set, get and delete methods.
There should be a `.env` file in `./backend` with the following variables:

```dotenv
DOMAIN
PORT
CSRFT_SESSION_SECRET
JWT_SECRET
# jwt and csrf token expiry in milliseconds
CSRFT_EXPIRESIN
JWT_EXPIRESIN
JWT_REFRESH_EXPIRESIN
```
Login credentials are not required; the user is hard-coded for testing:

```javascript
const user = {
  "_id": "someId123",
  "email": "test@mail.com"
}; // user data is assigned manually for testing.
```
```bash
cd backend
npm install
npm run start:dev
```