Your task is to implement Authentication and Authorization with JWT (Access and Refresh tokens)
- User can signup new account with personal login & password
– User can login with personal login & password, server returns response with Access token and Refresh token (Refresh token is in advanced scope). - Refresh token helps to get new pair Access/Refresh tokens (optional) – User now should use valid Access token to access resources – When the Access token is expired, user can't use it anymore
- Refresh token helps to get new pair Access/Refresh tokens (optional)
- Task should be implemented on Typescript
- Use 22.x.x version (22.9.0 or upper) of Node.js
- Endpoints
Signup
(auth/signup
route)POST auth/signup
- sendlogin
andpassword
to create a newuser
- Server should answer with
status code
201 and corresponding message if dto is valid - Server should answer with
status code
400 and corresponding message if dto is invalid (nologin
orpassword
, or they are not astrings
)
- Server should answer with
Login
(auth/login
route)POST auth/login
- sendlogin
andpassword
to get Access token and Refresh token (optionally)- Server should answer with
status code
200 and tokens if dto is valid - Server should answer with
status code
400 and corresponding message if dto is invalid (nologin
orpassword
, or they are not astrings
) - Server should answer with
status code
403 and corresponding message if authentication failed (no user with suchlogin
,password
doesn't match actual one, etc.)
- Server should answer with
Refresh
(auth/refresh
route)POST auth/refresh
- send refresh token in body as{ refreshToken }
to get new pair of Access token and Refresh token- Server should answer with
status code
200 and tokens in body if dto is valid - Server should answer with
status code
401 and corresponding message if dto is invalid (norefreshToken
in body) - Server should answer with
status code
403 and corresponding message if authentication failed (Refresh token is invalid or expired)
- Server should answer with
-
Once POST
/auth/signup
acceptspassword
property, it is replaced with hash (for example, you can use bcrypt package or its equivalent likebcryptjs
) for password encryption, no raw passwords should be in database (NB! Password should remain hashed after any operation with service). -
JWT Access token should contain
userId
andlogin
in a payload and has expiration time (expiration time of Refresh token should be longer, than Access token). -
The JWT Access token should be added in HTTP
Authorization
header to all requests that requires authentication. Proxy all the requests (exceptauth/signup
,auth/login
,/doc
,/
) and check that HTTPAuthorization
header has the correct value of JWT Access token.
HTTP authentication must followBearer
scheme:
Authorization: Bearer <jwt_token>
-
In case of the HTTP
Authorization
header in the request is absent or invalid or doesn’t followBearer
scheme or Access token has expired, further router method execution should be stopped and lead to response with HTTP 401 code and the corresponding error message. -
Secrets used for signing the tokens should be stored in
.env
file.
gyp ERR! stack Error: "pre" versions of node cannot be installed, use the --nodedir flag instead
Please check compatibility between Node.JS and Bcrypt versions.
node-pre-gyp ERR! Tried to download(404): https://github.com/kelektiv/node.bcrypt.js/releases/download/v1.0.2/bcrypt_lib-v1.0.2-node-v48-linux-x64.tar.gz
Make sure you have the appropriate dependencies installed and configured for your platform. You can find installation instructions for the dependencies for some common platforms in this page.