Nodejs login authentication tutorial


author small image Siva Kishore G
Posted : 25 Dec 2021
Modified : 06 Jun 2022
Intermediate Developers


In this tutorial, you will learn how to create signup & login pages, server authentication, user verification and multi-factor authentication setup. I'm assuming you have already installed and initialized a node js server. If not, follow Install NPM & Node JS


node js login authentication flow pictorial representation

Let's discuss the flow of the app. The user will sign up using a form on the signup page. After signing up, we will ask them to verify the email. This can be done in two ways, a six digit code or a link sent to email. For the sake of simplicity and less work on the user's end we will go with verifying by link. After the user verifies, we will prompt the user to add 2-factor (multifactor) authentication. This can be done either by sending code via sms or to email and I will choose the latter.


Before we get started, you need to have a complete understanding of the following packages and concepts. Take a minute to divulge into it if you are a beginner, otherwise it will be hard to follow the tutorial.

  1. Node JS
  2. Express Handlebars
  3. AWS DynamoDB
  4. JWT Tokens
  5. Email Service (I chose SendGrid)
  6. Cookies

Step - 1

Install packages

Install the required packages in your node application. Then create or login your AWS account. AWS has a lot of free tiers which includes dynamodb. If you want to keep the environment completely local, then download a copy of dynamoDB and set it up locally.

      npm install --save aws-sdk express express-handlebars cookie-parser body-parser bcryptjs jsonwebtoken @sendgrid/mail

Step - 2

Configure AWS

After installing all the packages, set up your AWS config using the credentials (API Keys) obtained from AWS's IAM. Make sure you attach the dynamodb policy to the role created in AWS. Now, create a users table in dynamodb with partition key name userid and sort key name processed_on.

Step - 3

Import packages & run node server

There are many packages available in npm repo to monitor the application changes and restart the node app automatically. My favorite is nodemon, so we will go with it.

      npm install -g nodemon

Create necessary folders in the project folder according to handlebars specifications. If you are new to this, then you need to create this structure as shown below and create

  • lib
    • helpers.json
  • node_modules
  • static_files
    • images
    • css
    • js
  • views
    • layouts
      • main.handlebars
    • partials
    • login.handlebars
    • signup.handlebars
  • index.js

Copy and paste the following code into your index.js file. Create your own JWT secret.

      var express = require('express');
var app = express();
var bodyParser = require('body-parser');
var bcrypt = require("bcryptjs")
var cookieParser = require('cookie-parser')
  limit: "20mb",
  extended: true,
  parameterLimit: 50000
var handlebars = require('express-handlebars').create({
  defaultLayout: 'main',
  helpers: require('./lib/helpers').helpers

app.engine('handlebars', handlebars.engine);
app.set('view engine', 'handlebars');
app.use('/static_files', express.static(__dirname + '/static_files'));
const mail = require('@sendgrid/mail');
const AWS = require('aws-sdk')
// Save the aws credentials in json file
AWS.config.loadFromPath(__dirname + '/awsCreds.json')
const db = new AWS.DynamoDB.DocumentClient();

var jwt = require('jsonwebtoken');
const jwtSecret = 'your_custom_secret_token'

// Middleware to check if user is logged in or not
app.use( (req,res,next)=>{
  if (req.cookies.app_login){
    jwt.verify(req.cookies.app_login, jwtSecret, function(err, decoded) {
        req.decoded = decoded
        req.isLoggedin = true

app.get('/login', (req,res)=>{

app.get('/signup', (req,res)=>{

Copy & paste this code into your main.handlebars. Create a favicon.png file in your static_files > images. Modify the title and meta content to your requirement

      <!DOCTYPE html>
<!-- Developed by Siva Kishore G-->
<html lang="en">
	<meta charset="utf-8">
	<meta name="viewport" content="width=device-width, initial-scale=1">
	<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
	<meta http-equiv = "X-UA-Compatible" content="IE=edge">
  <link rel="icon" href="/static_files/images/favicon.png"/>
	<link rel="stylesheet" href="" integrity="sha384-DNOHZ68U8hZfKXOrtjWvjxusGo9WQnrNx2sqG0tfsghAvtVlRW3tvkXWZh58N9jp" crossorigin="anonymous">
  <link href="" rel="stylesheet" integrity="sha384-1BmE4kWBq78iYhFldvKuhfTAU6auU8tT94WrHftjDbrCEXSU1oBoqyl2QvZ6jIW3" crossorigin="anonymous">
  <link rel="stylesheet" type="text/css" href="/static_files/css/{{pageCSS}}.css">
  <title>Login Tutorial</title>
	<meta name="description" content= "Login tutorial">
    <div class="site-content">
  <script src="" integrity="sha384-ka7Sk0Gln4gmtz2MlQnikT1wXgYsOg+OMhuP+IlRH9sENBO0LRn5q+8nbTov4+1p" crossorigin="anonymous"></script>
	<script src="/static_files/js/{{pageJS}}.js" ></script>

Copy and paste the HTML code from signup into your signup.handlebars file. Copy the JS file and create the javascript files appropriate for login & signup pages. Save them under static_files > js.
Copy and paste the HTML & CSS code from page centered section into your login.handlebars file.

Step - 4

Signup Logic

Create a post request api in your index.js and save the values supplied by the signup form. Here, we need to add some additional fields such as userStatus , processed_on'/signup', (req, res) => {
  bcrypt.hash(req.body.password, 8, function(err, hash) {
    if(err) return res.status(503).send("Error creating a secure password. Try again")
    delete req.body.password //dont store the password in plain text
    var email_token = "some random string"
      TableName: "users",
      Item: {...req.body,email_token,processed_on :,pass_hash:hash,userStatus:'pending'},
      ConditionExpression: 'attribute_not_exists(userid)'
      if(err) return res.status(503).send( err.code === "ConditionalCheckFailedException" ? "User Already Exists" : "Signup Error. Contact Admin")
      var token = jwt.sign({userid:req.body.userid,firstname:req.body.firstname, lastname:req.body.lastname}, jwtSecret, {expiresIn: 24 * 60 * 60}) // jwt token valid for 24 hours

      res.cookie('app_login', token, {
        maxAge: 86400000,
        httpOnly: true
      res.send("Signup Successful")

Step - 5

Login Logic

Create a post request api in your index.js. Get the userid from the request body and check the database. If the userStatus is pending, notify the user that email verification is pending and send him/her the verification link via email

      function welcomeEmail(userid){
  var email_token = jwt.sign({userid}, jwtSecret, {expiresIn:5 * 60}) //token expires in 5 minutes
  let msg = {
    from: '',
    to: email,
    replyTo: '',
    subject: 'Welcome to my awesome website',
    html: `Click this link to verify the email <a target="_blank" href="${email_token}">here</a>`
  mail.send(msg, (error, result) => {});
}'/login', (req, res) => {
  if(!req.body.password) return res.status(503).send("Password field is not supplied")
  if(req.body.password.trim() === "") return res.status(503).send("Empty password supplied")
    TableName : 'users',
    Key : {userid : req.body.userid}
    if(err) return res.status(503).send("Login Error. Contact Admin")
    if(!data.Item) return res.status(503).send("User does not exists")
    if(data.Item.userStatus === 'pending') {
      return res.status(401).send("Email verification required")
    }, data.Item.pass_hash, (err,result)=>{
      if(err) return res.status(503).send("Incorrect password")
      if(!result) return res.status(503).send("Incorrect password")

      var token = jwt.sign({userid:req.body.userid}, jwtSecret, {expiresIn: 24 * 60 * 60})
      res.cookie('app_login', token, {
        maxAge: 86400000,
        httpOnly: true
      res.send("Logged in succesfully")

Step - 6

Verify Email

Create a get request in your index.js. This step is to verify the email of the user. So, the user clicks on the link received in the email which has an embedded JWT token. Once the user opens the link, get the token and verify the JWT. If it passes then get the userid and change the value of userStatus to "active" else, send 401 status.

  if(!req.query.token) return res.status(401).send("Unauthorized usage")
  jwt.verify(req.query.token, jwtSecret, function(err, decoded) {
    if(err) return res.status(401).send("Unauthorized usage")
    if (!decoded) return res.status(401).send("Unauthorized usage")
    var userid = decoded.userid
      TableName: 'users',
      Key : {userid},
      UpdateExpression : "SET #us = :val",
      ExpressionAttributeNames : {"#us" : "userStatus"},
      ExpressionAttributeValues : {":val" : "active"}
    }, (err, data) => {
      if(err)  return res.status(401).send("Unable to verify the user")
      res.send("User Verified")


This is the easiest login and signup flow for devs who are into AWS. This can be modified to use with AWS STS. Or, if you would like to overhaul completely, use AWS amplify (AWS Cognito).

Please feel free to post comments if you think there is any flaw or modification required.

Post a comment

I promise, I keep it clean *


Alert SVG Cookie Consent

This website uses cookies and similar technologies, to enhance your browsing experience and provide personalized recommendations. By continuing to use our website, you agree to our Privacy policy.