Nerds-Who-Code / Mental-Health-Tracker

mental-health-tracker.vercel.app
MIT License

Prevent non-logged in users from accessing the API, except the login route. #35

Closed steph-koopmanschap closed 1 year ago

steph-koopmanschap commented 2 years ago

If a user is NOT logged in, the user should have no access to any of the API functions or routes, except the one to log in a user.

This is to prevent unauthorized access to sensitive data of the users and the database.

If an unauthorized, logged-out user tries to connect to any of the API routes (except the login one), then the server should send a 401 Unauthorized response.

ooddaa commented 2 years ago

One of the ways it could be done is by adding an auth middleware to route handlers.

Here's an example which uses JWT to authenticate users.

Here is how the auth middleware is imported and used in route handlers.

steph-koopmanschap commented 2 years ago

What does this do, or where does it come from? `const config = require('config');` in your examples.

And is the jwtSecret auto-generated? Or can you make it anything you want? Are there any rules to it? If the project is open-source and the jwtSecret is visible in the code, then is it possible for anyone to use the secret key without actually logging in? Or should the secret key be hashed first and the plaintext key be shared by server owners?

Does anything need to be done on the client side?

ooddaa commented 2 years ago

> What does this do, or where does it come from? `const config = require('config');` in your examples.

The config package allows configuring Node.js environments. At the moment we have not bothered with setting up separate development/testing/production environments, but in the future we'll have to do it. Config files (.json) should not be public as they contain secrets. Normally configuration .json files are either added to .gitignore or encrypted with git-crypt.

> And is the jwtSecret auto-generated? Or can you make it anything you want?

It's not auto-generated, you should set up your own JWT secret.

> If the project is open-source and the jwtSecret is visible in the code, then is it possible for anyone to use the secret key without actually logging in?

Secrets should not be publicly available (I just didn't care for that project and pushed all to GitHub).

> Or should the secret key be hashed first and the plaintext key be shared by server owners?

More robust would be to use git-crypt to encrypt config files for those who are not authorized to see them. Then encrypted files can be added to git and versioned. You and I would need to exchange public keys.

> Does anything need to be done on the client side?

JWT-based authentication works as follows:

  1. Server receives credentials and checks them. If they are valid, it creates (signs) and returns a JWT token (with expiration/no expiration) (at registration) or (at authorization).
  2. Client stores JWT in localStorage and adds it to every request it makes to the server. "Adds to every request" means client sets JWT as 'x-auth-token' header, because that is where server expects to find JWT before deciding to grant/deny access to protected routes (which are all but /auth and /register).