Share Access token to all controllers

[PabloPomodoro]

Hello,

first of thank you for the great Hono framework!

I'm trying to build a backend with hono and deno, and I have an issue with my access token.

When my user logs in I want to create a bearer token that is used for authentication which is sent with every request to the backend. Therefore I want my routes to be protected with bearerAuth - somewhat like so:

let token;

auth.post('/login', async (c) => {
  ...
  token = accessToken.generate('gmd');
  return c.json(token);
}

auth.get('/secret-data', bearerAuth({token: token}), (c) => {
  return c.json('SECRET');
});

However I get the error that the token cannot be null or empty and when I set let token = accessToken.generate('gmd'); I cannot change it later on, when I log out for example.

Maybe I'm approaching this all wrong, if you have an idea please let me know.

Your help is much appreciated!

[NicoPlyley]

I see the let token is outside your route. Are you doing that to try and keep the token for future use? That token should be sent by the browser on each request. Otherwise that route would be available to every user.

[PabloPomodoro]

• So when would you suggest that the token is created? Every time the user logs in? Or only once at user creation (and optionally at the expiration if used)

• If the access token is only stored on the frontend, would that mean that every time I call a route e. g. '/table-data', I should decode the JWT token and extract the user to check if it is present in my user db?

• The main thing I still don't understand is, how is the bearerAuth({token: token}) used here? If the token is in the request, how can I validate it, using this method? Or is this just the wrong way of validating the access token?

Thank you for your help!

[NicoPlyley]

The token would be created at every login (which can also include signup). When the token expires the user would be logged out since it's no longer valid. Every device the user logs into would have it own token as well.

Now when I say they would be "logged out" this has nothing to do with the server. The server for the most part has no memory of each request. It does not know who you are, or if you visited before. That is why we send it a token to let it know who we are. Then the server can verify that it created that token and make sure it is still valid.

Here is the order how it should work

• Request from client
• Middleware checks token and validates
  • If token is invalid skip next step and throw and error
• Process the data
• Send response

So in your case

auth.get('/secret-data', protect, (c) => {  // protect is the middleware
  return c.json('SECRET');
});`

// protect middleware

import { createMiddleware } from 'hono/factory'


const protect = createMiddleware(async (c) => {
 const token =  c.req.header('Authorization');

const authorized = // check and verify token
if (!authorized) {
  c.json({message: 'not authorized'}, 401)
}

await next() // continue to handler
});

I did not test this code, it may have typos, I wrote it in GitHub

Now if you choose to use JWT, you can use this middleware already in Hono and you won't have to create your own

https://hono.dev/middleware/builtin/jwt

[PabloPomodoro]

Alright, I start to see it clearer now - thank you!

One last question - would you advise against doing the validation somewhat like this:

auth.get(
  '/secret-data',
  bearerAuth({
    verifyToken: async (token) => {
      if (accesstoken.validate(token)) {
         await next();
      }
      // throw error
    },
  }),
  (c) => {
    return c.json('SECRET');
  },
);

Or do you think the middleware is the way to go?

[NicoPlyley]

I would just use the middleware setup for JWT if you are using that, the Bearer Auth is more for API keys or a single key

https://hono.dev/middleware/builtin/jwt

[PabloPomodoro]

Thanks a lot!

One last thing - I'm going with the simpler deno access token, so I use a custom middleware; would you say it's best practice, to add them to each route right away like so:

// e. g. quote-controller.ts
//...
const quote = new Hono();
quote.use(tokenAuthentication);
//...

// middleware.ts
import {createMiddleware} from 'https://deno.land/x/hono/helper.ts';

const tokenAuthentication = createMiddleware(async (c, next) => {
   // validation
   // ...
  await next();
});

export {tokenAuthentication};

[NicoPlyley]

You can do that, but that will apply to all routes in bulk. If you have some routes that don't need to be protected then you can add it into that route manually app.get('/', protect, (c) =>

[PabloPomodoro]

Great!

You've been very helpful - I appreciate your support :)