[!SUMMARY]- Table of Contents - [[Login-Logout-refresh#Middleware|Middleware]] - [[Login-Logout-refresh#Add Routes|Add Routes]] - [[Login-Logout-refresh#Add Controllers|Add Controllers]]
Middleware¶
Add middle ware which retrieves the token from either a cookie or the Authorization header, decodes it using the secret key stored in the environment variables, and then queries the user model to find the corresponding user. If the user is found, it attaches the user object to the request object (req.user) and proceeds to the next middleware. If any error occurs during this process, it throws an ApiError with a status code of 401 (Unauthorized) and an appropriate error message.
import { User } from "../models/user.model.js";
import { ApiError } from "../utils/ApiError.js";
import { asyncHandler } from "../utils/asyncHandler.js";
import jwt from "jsonwebtoken";
export const verifyJWT = asyncHandler(async (req, res, next) => {
try {
const token =
req.cookies?.accessToken ||
req.header("Authorization")?.replace("Bearer ", "");
if (!token) {
throw new ApiError(401, "Unauthorized request");
}
const decodedToken = jwt.verify(token, process.env.ACCESS_TOKEN_SECRET);
const user = await User.findById(decodedToken?._id).select(
"-password -refreshToken"
);
if (!user) {
throw new ApiError(401, "Invalid Access Token");
}
req.user = user;
next();
} catch (error) {
throw new ApiError(401, error?.message || "Invalid Access Token");
}
});
Add Routes¶
Set up routes for user authentication and registration using an Express Router. It defines endpoints for registering, logging in, logging out, and refreshing tokens. The /register route expects a POST request for user registration with optional file uploads for avatar and cover image. The /login, /logout, and /refresh-token routes handle user login, logout, and token refreshing respectively. The /logout and /refresh-token routes are secured with the verifyJWT middleware to ensure authentication before accessing them.
import { Router } from "express";
import {
loginUser,
logoutUser,
refreshAccessToken,
registerUser,
} from "../controllers/user.controller.js";
import { upload } from "../middlewares/multer.middleware.js";
import { verifyJWT } from "../middlewares/auth.middleware.js";
const router = Router();
router.route("/register").post(
upload.fields([
{ name: "avatar", maxCount: 1 },
{ name: "coverImage", maxCount: 1 },
]),
registerUser
);
router.route("/login").post(loginUser);
// secured routes
router.route("/logout").post(verifyJWT, logoutUser);
router.route("/refresh-token").post(refreshAccessToken);
export default router;
Import and mount the user router for handling user-related endpoints under "/api/v1/users". Overall, it establishes a foundation for handling user authentication and registration operations within an API.
import express from "express";
import cors from "cors";
import cookieParser from "cookie-parser";
const app = express();
// middlewares
app.use(
cors({
origin: process.env.CORS_ORIGIN,
credentials: true,
})
);
app.use(express.json({ limit: "16kb" }));
app.use(express.urlencoded({ extended: true, limit: "16kb" }));
app.use(express.static("public"));
app.use(cookieParser());
// routes import
import userRouter from "./routes/user.routes.js";
//routes declaration
app.use("/api/v1/users", userRouter);
export { app };
Add Controllers¶
import { asyncHandler } from "../utils/asyncHandler.js";
import { ApiError } from "../utils/ApiError.js";
import { User } from "../models/user.model.js";
import { uploadOnCloudinary } from "../utils/cloudinary.js";
import { ApiResponse } from "../utils/ApiResponse.js";
import jwt from "jsonwebtoken";
import fs from "fs";
const generateAccessAndRefreshTokens = async (userId) => {
try {
const user = await User.findById(userId);
const accessToken = user.generateAccessToken();
const refreshToken = user.generateRefreshToken();
user.refreshToken = refreshToken;
await user.save({ validateBeforeSave: false });
return { accessToken, refreshToken };
} catch (error) {
throw new ApiError(
500,
"Something went wrong while generating refresh and access token"
);
}
};
const registerUser = asyncHandler(async (req, res) => {
// get user details from frontend
// validation of user details - not empty
// check if user exists : emails, username
// check for images, check for avatar
// upload them to cloudinary, avatar
// create user object - create entry in db
// remove password and refresh token field from response
// check for user creation
// return response
const { fullname, email, username, password } = req.body;
console.log(
"Inside registerUser Controller:\n Details recieved",
fullname,
email,
username,
password
);
if (
[fullname, email, username, password].some(
(field) => field?.trim() === ""
)
) {
throw new ApiError(400, "ALL fields are required");
}
const existedUser = await User.findOne({ $or: [{ username }, { email }] });
if (existedUser) {
throw new ApiError(409, "User with email or username already exists");
}
const avatarLocalPath = req.files?.avatar[0]?.path;
let coverImageLocalPath;
if (
req.files &&
Array.isArray(req.files.coverImage) &&
req.files.coverImage.length > 0
) {
coverImageLocalPath = req.files.coverImage[0].path;
}
if (!avatarLocalPath) {
throw new ApiError(400, "Avatar file is required");
}
const avatar = await uploadOnCloudinary(avatarLocalPath);
let coverImage;
if (coverImageLocalPath) {
coverImage = await uploadOnCloudinary(coverImageLocalPath);
console.log("uploading cover Image");
}
if (!avatar) {
throw new ApiError(400, "Avatar file is required");
}
const user = await User.create({
fullname,
avatar: avatar.url,
coverImage: coverImage?.url || "",
email,
password,
username: username.toLowerCase(),
});
const createdUser = await User.findById(user._id).select(
"-password -refreshToken"
);
if (!createdUser) {
throw new ApiError(500, "Something went wrong while registering User");
}
console.log(createdUser);
fs.unlinkSync(avatarLocalPath);
if (coverImageLocalPath) fs.unlinkSync(coverImageLocalPath);
console.log("after unlinkSync");
return res
.status(201)
.json(new ApiResponse(200, createdUser, "User registered Succesfully"));
});
const loginUser = asyncHandler(async (req, res) => {
// req body -> data
// username email validation
// find the user
// password check
// access and refresh token
// send cookie
const { email, username, password } = req.body;
if (!username && !email) {
throw new ApiError(400, "username or email is required");
}
const user = await User.findOne({ $or: [{ username }, { email }] });
if (!user) {
throw new ApiError(404, "User does not exist");
}
const isPasswordValid = await user.isPasswordCorrect(password);
if (!isPasswordValid) {
throw new ApiError(401, "Invalid user credentials");
}
const { accessToken, refreshToken } = await generateAccessAndRefreshTokens(
user._id
);
const loggedInUser = await User.findById(user._id).select(
"-password -refreshToken"
);
const options = {
httpOnly: true,
secure: true,
};
return res
.status(200)
.cookie("accessToken", accessToken, options)
.cookie("refreshToken", refreshToken, options)
.json(
new ApiResponse(
200,
{
user: loggedInUser,
accessToken,
refreshToken,
},
"User logged in Successfully"
)
);
});
const logoutUser = asyncHandler(async (req, res) => {
await User.findByIdAndUpdate(
req.user._id,
{
$set: {
refreshToken: undefined,
},
},
{
new: true,
}
);
const options = {
httpOnly: true,
secure: true,
};
return res
.status(200)
.clearCookie("accessToken", options)
.clearCookie("refreshToken", options)
.json(new ApiResponse(200, {}, "User logged Out Successfully"));
});
const refreshAccessToken = asyncHandler(async (req, res) => {
const incomingRefreshToken =
req.cookies.refreshToken || req.body.refreshToken;
if (!incomingRefreshToken) {
throw new ApiError(401, "Unauthorized request");
}
try {
const decodedToken = jwt.verify(
incomingRefreshToken,
process.env.REFRESH_TOKEN_SECRET
);
console.log(decodedToken);
const user = await User.findById(decodedToken?._id);
if (!user) {
throw new ApiError(401, "Invalid Refresh Token");
}
if (user?.refreshToken !== incomingRefreshToken) {
throw new ApiError(401, "Refresh token is expired or used");
}
const { accessToken, refreshToken } =
await generateAccessAndRefreshTokens(user._id);
console.log(accessToken, refreshToken);
const option = {
httpOnly: true,
secure: true,
};
return res
.status(200)
.cookie("accessToken", accessToken, option)
.cookie("refreshToken", refreshToken, option)
.json(
new ApiResponse(
200,
{ accessToken, refreshToken },
"Access Token Refreshed Successfully"
)
);
} catch (error) {
throw new ApiError(401, error?.message || "Invalid Refresh Token");
}
});
export { registerUser, loginUser, logoutUser, refreshAccessToken };
-
registerUser: Handles user registration, validates input fields, checks for existing users, uploads avatar and cover images to Cloudinary, creates a new user in the database, generates access and refresh tokens, and returns a success response with the logged-in user details. -
loginUser: Manages user login, validates username/email and password, generates access and refresh tokens upon successful login, sets cookies for tokens, and returns a success response with user details and tokens. -
logoutUser: Handles user logout by removing the refresh token from the database and clearing cookies, then returns a success response.