jeevan42/jwt-auth-demo

๐Ÿ” JWT Auth system using Access + Refresh Tokens with blacklist support on logout. Includes protected routes, httpOnly cookies, and token refresh logic using MongoDB and Express.

JWT Auth Demo (Access + Refresh Token)

This project demonstrates a secure authentication system using JWT (access + refresh tokens) with blacklist support for logout.
It includes:

  • Signup & Login functionality
  • Protected route for fetching the user profile
  • JWT access token with expiry
  • Refresh token system using httpOnly cookie
  • Token blacklist on logout (to prevent reuse)
  • Protected route example (/profile)
  • MongoDB for user and blacklist token storage

🚀 Tech Stack

  • Node.js
  • Express.js
  • MongoDB + Mongoose
  • JWT (jsonwebtoken)
  • bcrypt
  • dotenv
  • cookie-parser
  • CORS

๐Ÿ” Features

Feature Description
POST /auth/signup Register a new user
POST /auth/login Authenticate user and return access + refresh token
POST /auth/logout Invalidate current access token by blacklisting it
POST /auth/refresh-token Generate new access token using refresh token stored in httpOnly cookie
GET /auth/profile Access protected route (requires valid access token)

🧪 How to Use (via Postman)

  1. Signup/Login
    ➤ Save the access token in localStorage (frontend)
    ➤ Refresh token is auto-set in httpOnly cookie

  2. Access Protected Route
    ➤ Pass access token in Authorization: Bearer <token> header

  3. On Expired Access Token
    ➤ Call /auth/refresh-token to get a new access token
    ➤ Replace old access token in localStorage

  4. Logout
    ➤ Calls /auth/logout and blacklists the current token
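
The check behind steps 2 to 4, as an added example that is not code from this repository: a protected route accepts a Bearer access token only if its signature and expiry are valid and it has not been blacklisted by logout. Assumptions: Node's built-in crypto stands in for jsonwebtoken, an in-memory Map stands in for the MongoDB blacklist collection, and the secret and all function names are hypothetical.

```javascript
const crypto = require('node:crypto');

const SECRET = 'constructed-demo-secret'; // assumption: the real secret is loaded via dotenv
const blacklist = new Map();              // token -> exp; stand-in for the MongoDB blacklist
const b64u = (v) => Buffer.from(v).toString('base64url');
const mac = (data) => crypto.createHmac('sha256', SECRET).update(data).digest();
const nowSec = () => Math.floor(Date.now() / 1000);

// Issue an HS256 access token that expires ttlSec seconds after `now`.
function signAccessToken(userId, ttlSec, now = nowSec()) {
  const head = b64u(JSON.stringify({ alg: 'HS256', typ: 'JWT' }));
  const body = b64u(JSON.stringify({ sub: userId, iat: now, exp: now + ttlSec }));
  return `${head}.${body}.${b64u(mac(`${head}.${body}`))}`;
}

// Verify signature first, then the pinned algorithm and the expiry; returns claims or throws.
function verifyAccessToken(token, now = nowSec()) {
  const parts = String(token).split('.');
  if (parts.length !== 3) throw new Error('malformed token');
  const [head, body, sig] = parts;
  const given = Buffer.from(sig, 'base64url');
  const expected = mac(`${head}.${body}`);
  if (given.length !== expected.length || !crypto.timingSafeEqual(given, expected)) throw new Error('bad signature');
  if (JSON.parse(Buffer.from(head, 'base64url')).alg !== 'HS256') throw new Error('unexpected alg');
  const claims = JSON.parse(Buffer.from(body, 'base64url'));
  if (typeof claims.exp !== 'number' || claims.exp <= now) throw new Error('token expired');
  return claims;
}

// Logout: blacklist the token together with its own expiry time.
function logout(token, now = nowSec()) {
  blacklist.set(token, verifyAccessToken(token, now).exp);
}

// A blacklist entry is only needed until the token would have expired anyway.
function pruneBlacklist(now = nowSec()) {
  for (const [token, exp] of blacklist) if (exp <= now) blacklist.delete(token);
}

// Check for a protected route such as /auth/profile.
function authorize(authHeader, now = nowSec()) {
  const m = /^Bearer (\S+)$/.exec(authHeader || '');
  if (!m) return { ok: false, reason: 'missing bearer token' };
  try {
    const claims = verifyAccessToken(m[1], now);
    return blacklist.has(m[1]) ? { ok: false, reason: 'token blacklisted' } : { ok: true, userId: claims.sub };
  } catch (err) {
    return { ok: false, reason: err.message };
  }
}
```

Because an access token stays cryptographically valid until `exp`, the blacklist lookup is the only thing that makes logout take effect before then; keeping the access-token lifetime short also keeps the blacklist small.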

📬 Author

Developed by @jeevan42 🔥
Feel free to fork & use!