Skip to content

mudit67/jcoder

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

15 Commits
data
data
 
 
frontend
frontend
 
 
keys
keys
 
 
src
src
 
 
.env
.env
 
 
.gitignore
.gitignore
 
 
.nvmrc
.nvmrc
 
 
README.md
README.md
 
 
index.ts
index.ts
 
 
package-lock.json
package-lock.json
 
 
package.json
package.json
 
 
tsconfig.json
tsconfig.json
 
 

Repository files navigation

jcoder - JWT Authentication API

A complete JWT-based authentication system built with TypeScript, Express.js, and SQLite.

Features

Authentication

  • User signup and login with JWT tokens
  • Multiple JWT algorithms support (HMAC: HS256/384/512, RSA: RS256/384/512)
  • Customizable token expiration duration
  • Optional refresh token functionality
  • Secure password hashing with scrypt
  • Protected routes with JWT middleware

JWT Library

  • Custom JWT implementation from scratch
  • Support for both HMAC and RSA algorithms
  • Base64URL encoding/decoding utilities
  • Comprehensive token validation

Database

  • SQLite database with users and refresh_tokens tables
  • Automatic database initialization
  • Proper indexing and foreign key constraints

Refresh Token System

The API implements a secure refresh token system with the following features:

Key Features

  • Optional Refresh Tokens: Only issued when issueRefreshToken: true is provided during login
  • Separate Secret: Refresh tokens are signed with a different secret (REFRESH_TOKEN_SECRET) than access tokens
  • Smart Expiration: Refresh tokens expire 30x longer than access tokens, with a minimum of 30 minutes
  • JWT-based: Refresh tokens are proper JWT tokens, not random strings
  • Token Rotation: Refresh tokens are rotated on each use for enhanced security
  • Database Tracking: Tokens are stored in the database for revocation support

⏱️ Expiration Logic

  • If access token expires in 1 hour → refresh token expires in 30 hours
  • If access token expires in 15 minutes → refresh token expires in 30 minutes (minimum)
  • If access token expires in 24 hours → refresh token expires in 30 days

Security Features

  • Refresh tokens use HS256 algorithm with separate secret
  • Token hashes stored in database for secure validation
  • Automatic cleanup of expired tokens
  • Multi-device logout support
  • Token rotation prevents replay attacks

Environment Variables

JWT_SECRET='your-access-token-secret'
REFRESH_TOKEN_SECRET='your-refresh-token-secret'

API Endpoints

Authentication Routes (/api/auth)

  • POST /signup - Register a new user
  • POST /login - Authenticate user and get access token
  • POST /refresh - Refresh access token using refresh token
  • POST /logout - Logout from current device
  • POST /logout-all - Logout from all devices
  • GET /algorithms - Get available JWT algorithms

User Routes (/api/user)

  • GET /secret - Get protected secret message (requires authentication)

Usage

Login with Optional Refresh Token

POST /api/auth/login
{
  "username": "john_doe",
  "password": "securePassword123",
  "algorithm": "HS256",
  "expiresIn": "1h",
  "issueRefreshToken": true
}

Note: Set issueRefreshToken: true in the login request to receive a refresh token. If not specified or set to false, only an access token will be issued.

Setup

  • nvm install 23
  • nvm use 23
  • npm install
  • npm run dev

TODO

  • HMAC
  • Utils Segregation
  • RSA
  • API Expose
    • Database for storing users' credentials and secret message for testing purposes
    • Secret message route
  • Refresh Token Functionality
    • Optional refresh token issuance based on user preference
  • Frontend Setup
  • Frontend Integration

About

No description, website, or topics provided.

Resources

Readme
Activity

Stars

0 stars

Watchers

0 watching

Forks

1 fork
Report repository

Releases

No releases published

Packages

No packages published

Contributors 2

  •  
  •  

Languages