/jwt-back

JWT Serverless authentication

Primary LanguageTypeScript

JWT Serverless Authentication

In this repo you can check the frontend, it also has a demo link!

This is a demo about how you can authenticate your endpoints using JSON Web Tokens (JWT) with API Gateway.

These are the deployed endpoints:

  • /create-account (public) Fill in a name and create an account
  • /get-token (public) Get the token needed for the account you entered
  • /read-account (authenticated) Get the account data
  • /update-account (authenticated) Update the account data

For all the authenticated endpoints we have to include a valid token in the request.

NOTE: They expire after 5m, so it should be a recent one

The token is generated by get-token, there we sign it with a secret stored in the backend. The requests that require authentication (/read-account and /update-account) will fail if the token isn't signed with that same secret (or has expired).

Lambda get-token expect a secret and an issuer being set in AWS Parameter Store, so create both with names /jwt/<stage>/SECRET and /jwt/<stage>/ISSUER with some random text.

For example, for dev stage, you'll need to create the parameters with names /jwt/dev/SECRET and /jwt/dev/ISSUER, while for prod, /jwt/prod/SECRET and /jwt/prod/ISSUER.

Check what you get when reading or updating the account data while checking/unchecking "Include token in Authorization Header" option.

Techs used in this backend

  • Serverless Framework
  • Node, TypeScript
  • Jest
  • Axios

AWS serverless:

  • Lambda
  • DynamoDB
  • Parameter Store
  • API Gateway

CI/CD:

  • GitHub Actions

Deployment instructions

  1. Use Node 14 version as lambdas, using nvm you can:

    # set Node 14 in current terminal
    nvm use 14
    # set Node 14 as default (new terminals will use 14)
    nvm alias default 14
    
  2. Install dependencies

    npm ci
  3. Deployment

    Set up your AWS credentials.

    Authenticated lambdas read-account and update-account expect authorizer to exist, but when you deploy for the first time it doesn't exist, so in the first deployment you will have to deploy authorizer and only in subsequent deployments you will be able to use authorizer in read-account and update-account.

    One way to do the first deployment it's commenting out authorizer in functions > read-account & update-account > events > http in serverless.yml, deploying, then uncommenting them, and you're all set to start deploy normally.

    # deploy on dev stage
    npm run deploy
    # deploy on prod stage
    npm run deploy:prod