JWT Module
The jwt module provides JSON Web Token generation and verification.
Configuration
Set JWT secret and expiry in .env:
JWT_SECRET=your_secret_key_here
JWT_EXPIRY=3600funcs
jwt.sign()
Create a JWT token:
let payload = {
"user_id": 123,
"username": "alice",
"email": "alice@example.com"
};
let token = jwt.sign(payload);
print(token); // eyJhbGciOiJIUzI1NiIsInR5cCI6...jwt.verify()
Verify token validity:
let token = jwt.sign({"user_id": 123});
let is_valid = jwt.verify(token);
print(is_valid); // truejwt.decode()
Decode and extract payload:
let payload = {"user_id": 123, "role": "admin"};
let token = jwt.sign(payload);
let decoded = jwt.decode(token);
print(decoded["user_id"]); // 123
print(decoded["role"]); // "admin"Authentication Flow
// Login endpoint
func handle_login(req, res) {
let credentials = json.parse(req.body);
let username = credentials["username"];
let password = credentials["password"];
// Authenticate user
let db = sqlite.open("users.db");
let sql = "SELECT id, password_hash FROM users WHERE username = '" + username + "'";
let results = sqlite.query(db, sql);
if (len(results) == 0) {
res.writeHead(401, {"Content-Type": "application/json"});
res.end(json.stringify({"error": "Invalid credentials"}));
return;
}
let user = results[0];
if (!auth.verify(password, user["password_hash"])) {
res.writeHead(401, {"Content-Type": "application/json"});
res.end(json.stringify({"error": "Invalid credentials"}));
return;
}
// Create JWT
let token = jwt.sign({
"user_id": user["id"],
"username": username
});
res.writeHead(200, {"Content-Type": "application/json"});
res.end(json.stringify({"token": token}));
sqlite.close(db);
}Protected Routes
func verify_token(token_string) {
if (token_string == null) {
return null;
}
if (!jwt.verify(token_string)) {
return null;
}
return jwt.decode(token_string);
}
func handle_protected_route(req, res) {
// Get token from header
let auth_header = req.headers["Authorization"];
if (auth_header == null) {
res.writeHead(401, {"Content-Type": "application/json"});
res.end(json.stringify({"error": "No token provided"}));
return;
}
// Verify token
let token = replace(auth_header, "Bearer ", "");
let user_data = verify_token(token);
if (user_data == null) {
res.writeHead(401, {"Content-Type": "application/json"});
res.end(json.stringify({"error": "Invalid token"}));
return;
}
// User is authenticated
res.writeHead(200, {"Content-Type": "application/json"});
res.end(json.stringify({
"message": "Welcome",
"user_id": user_data["user_id"]
}));
}Session Management
let active_sessions = {};
func create_session(user_id, username) {
let token = jwt.sign({
"user_id": user_id,
"username": username
});
active_sessions[token] = {
"user_id": user_id,
"created_at": "2024-12-12",
"last_activity": "2024-12-12"
};
return token;
}
func invalidate_session(token) {
if (token in active_sessions) {
// Remove from active sessions
delete active_sessions[token];
return true;
}
return false;
}Best Practices
- Keep JWT_SECRET secure and never commit to version control
- Set appropriate expiry times
- Validate tokens on every protected request
- Include minimal data in payload
- Implement token refresh mechanism
- Invalidate tokens on logout
Next Steps
- Auth Module - Password hashing
- HTTP Module - Build secure APIs
- Examples - Complete authentication systems