DEV Community

Pramod K 💻
Pramod K 💻

Posted on • Edited on

Implement authentication and authorization in a ReactJS application

There are many ways to implement authentication and authorization in a ReactJS application. Here is one approach you can follow:

  • Decide on the type of authentication you want to implement. Options include:

    • Basic authentication: This involves sending the user’s login credentials (username and password) with every request.
    • OAuth: This is a protocol that allows users to authenticate with a third-party service (such as Google or Facebook) and authorize your application to access their data.
    • JSON Web Token (JWT): This is a type of token-based authentication that involves sending a signed token with each request to verify the user’s identity.
  • Choose an authentication method and set up a server to handle the authentication process. This can involve setting up a database to store user accounts, creating routes to handle login and logout requests, and implementing the logic to verify user credentials and issue tokens.

  • In your ReactJS application, create a login form for the user to enter their credentials. When the form is submitted, send a request to your authentication server with the user’s credentials.

    If the authentication is successful, the server will issue a token and send it back to the client. Store the token in a secure way (such as in an HTTP-only cookie or in the browser’s local storage).

  • On subsequent requests, include the token in the authorization header. The server can then use the token to verify the user’s identity and grant or deny access to protected routes or resources.

  • To implement authorization, you can assign roles to users and check the user’s role when they make a request. For example, you might have a route that is only accessible to users with the “admin” role. In this case, you would check the user’s role on the server and return a 403 Forbidden response if the user is not authorized.

**

Here are the some examples how you can implement some

**

  • On the server side, set up a route to handle login requests. This route will verify the user’s credentials and issue a JWT if the login is successful. Here is an example using Node.js and Express:
app.post('/login', (req, res) => {
 const { username, password } = req.body;
// Verify the user's credentials (omitted for brevity)
 const user = findUser(username, password);
 if (!user) {
 return res.status(401).json({ error: 'Invalid login credentials' });
 }
 If the login is successful, issue a JWT
 const payload = { userId: user.id, role: user.role };
 const token = jwt.sign(payload, process.env.JWT_SECRET, { expiresIn: '1h' });
 res.json({ token });
});
Enter fullscreen mode Exit fullscreen mode
  • In your ReactJS application, create a login form and handle the form submission by sending a request to the login route with the user’s credentials. Here is an example using the fetch API:
import React, { useState } from 'react';

function LoginForm() {
  const [username, setUsername] = useState('');
  const [password, setPassword] = useState('');

  const handleSubmit = async (event) => {
    event.preventDefault();

    // Send a POST request to the login route
    const response = await fetch('/login', {
      method: 'POST',
      headers: { 'Content-Type': 'application/json' },
      body: JSON.stringify({ username, password }),
    });

    // If the login is successful, store the JWT in local storage
    if (response.ok) {
      const { token } = await response.json();
      localStorage.setItem('token', token);
    }
  };

  return (
    <form onSubmit={handleSubmit}>
      <label htmlFor="username">Username:</label>
      <input type="text" id="username" value={username} onChange={(event) => setUsername(event.target.value)} />
      <br />
      <label htmlFor="password">Password:</label>
      <input type="password" id="password" value={password} onChange={(event) => setPassword(event.target.value)} />
      <br />
      <button type="submit">Login</button>
    </form>
  );
}

export default LoginForm;
Enter fullscreen mode Exit fullscreen mode
  • On subsequent requests, include the JWT in the authorization header. Here is an example using the fetch API again:
async function makeAuthenticatedRequest(url, options = {}) {
  // Get the JWT from local storage
  const token = localStorage.getItem('token');

  // Add the JWT to the authorization header
  const headers = { ...options.headers, Authorization: `Bearer ${token}` };
  const authenticatedOptions = { ...options, headers };

  // Send the request
  return fetch(url, authenticatedOptions);
}
Enter fullscreen mode Exit fullscreen mode
  • Protect sensitive routes and resources on the server by requiring an authenticated user. For example, you might set up a middleware function to verify the JWT on each request and only allow access to protected routes if the token is valid. Here is an example using Node.js and Express:
function verifyToken(req, res, next) {
  // Get the authorization header
  const authorizationHeader = req.headers.authorization;
  if (!authorizationHeader) {
    return res.status(401).json({ error: 'No authorization header' });
  }

  // Extract the JWT from the authorization header
  const token = authorizationHeader.split(' ')[1];
  if (!token) {
    return res.status(401).json({ error: 'Invalid authorization header' });
  }

  // Verify the JWT and attach the payload to the request object
  try {
    const payload = jwt.verify(token, process.env.JWT_SECRET);
    req.user = payload;
  } catch (error) {
    return res.status(401).json({ error: 'Invalid token' });
  }

  next();
}

app.get('/protected-route', verifyToken, (req, res) => {
  // Only authenticated users with a valid JWT can access this route
  res.json({ data: 'Secret information' });
});
Enter fullscreen mode Exit fullscreen mode
  • Implement logout by removing the JWT from storage and redirecting the user to the login page. Here is an example using the useHistory hook from the react-router-dom library:
import { useHistory } from 'react-router-dom';

function LogoutButton() {
  const history = useHistory();

  const handleClick = () => {
    // Remove the JWT from storage
    localStorage.removeItem('token');

    // Redirect the user to the login page
    history.push('/login');
  };

  return <button onClick={handleClick}>Logout</button>;
}
Enter fullscreen mode Exit fullscreen mode
  • To implement authorization, you can assign roles to users and check the user’s role when they make a request. For example, you might have a route that is only accessible to users with the “admin” role. In this case, you would check the user’s role on the server and return a 403 Forbidden response if the user is not authorized. Here is an example using the verifyToken middleware function from earlier:
app.get('/admin-route', verifyToken, (req, res) => {
  // Only authenticated users with the "admin" role can access this route
  if (req.user.role !== 'admin') {
    return res.sendStatus(403);
  }
  res.json({ data: 'Admin-only information' });
});
Enter fullscreen mode Exit fullscreen mode

Here are a few tips for making your authentication and authorization implementation more secure:

  • Use strong passwords: Encourage users to use strong, unique passwords that are difficult to guess or crack. You can also consider implementing password policies to ensure that users are using secure passwords.
  • Use a secure method to transmit login credentials: When the user logs in, make sure to transmit their credentials over a secure connection (HTTPS). This will prevent attackers from intercepting the credentials as they are being sent.
  • Use a long-lived JWT: If you are using JWTs for authentication, consider using a long expiration time (e.g. one week or one month) to reduce the need for the user to log in frequently. However, be aware that this increases the risk of the JWT being stolen or compromised. In this case, you may want to implement a mechanism for revoking JWTs if necessary.
  • Use rate limiting: To prevent brute force attacks, you can implement rate limiting on your login route. This will limit the number of login attempts that can be made within a certain time period.
  • Use two-factor authentication (2FA): Implementing 2FA can add an extra layer of security to your authentication process. With 2FA, the user must provide an additional piece of information (such as a code sent to their phone) in addition to their password to log in.
  • Keep your software up to date: Make sure to keep your server-side software (e.g. the database, web server, etc.) up to date with the latest security patches to protect against vulnerabilities.

Top comments (2)

Collapse
 
fpaghar profile image
Fatemeh Paghar

please write code blog like
Image description
It shows your colorful code and it is easier to read it.

Collapse
 
pramodk profile image
Pramod K 💻

Thank you 😊