- Full-Stack React Projects
- Shama Hoque
- 262 words
- 2021-06-25 21:45:09
Sign-in
The API endpoint to sign in a user is declared in the following route.
mern-skeleton/server/routes/auth.routes.js:
router.route('/auth/signin').post(authCtrl.signin)
When the Express app gets a POST request at '/auth/signin', it executes the signin controller function.
mern-skeleton/server/controllers/auth.controller.js:
// Imports the controller needs (paths follow the mern-skeleton layout; assumed here)
import User from '../models/user.model'
import jwt from 'jsonwebtoken'
import config from './../../config/config'

// Mongoose no longer accepts a callback on findOne (removed in Mongoose 7), so the
// lookup is awaited; the behaviour is the same as the original callback version.
const signin = async (req, res) => {
  try {
    const user = await User.findOne({ "email": req.body.email })
    // One status and one message for "no such user" and "wrong password", so the
    // endpoint cannot be used to enumerate registered email addresses.
    if (!user || !user.authenticate(req.body.password)) {
      return res.status(401).json({
        error: "Email and password don't match."
      })
    }
    // The payload (user._id) is only base64url-encoded, not encrypted; the secret
    // protects its integrity. expiresIn (value chosen here) bounds how long a
    // stolen token stays usable; without it the token never expires.
    const token = jwt.sign({
      _id: user._id
    }, config.jwtSecret, { expiresIn: '1d' })
    // Optional cookie copy of the token. Express's option is `expires` (a Date) or
    // `maxAge` (milliseconds); the original `expire: new Date() + 9999` was an
    // unknown key holding a string, so it was silently ignored. httpOnly keeps the
    // token away from page scripts; secure/sameSite limit where it is sent.
    res.cookie("t", token, {
      httpOnly: true,
      sameSite: 'strict',
      secure: process.env.NODE_ENV === 'production',
      maxAge: 24 * 60 * 60 * 1000
    })
    return res.json({
      token,
      user: { _id: user._id, name: user.name, email: user.email }
    })
  } catch (err) {
    // A database failure is a server error, not an authentication failure.
    return res.status(500).json({ error: "Could not sign in" })
  }
}

// Only the sign-in handler is shown here; the route file expects it on the default export.
export default { signin }
The POST request handler receives the email and password in req.body. The email is used to look up the matching user in the database, and the authenticate method defined on the UserSchema is then used to verify the password submitted by the client.
If the password is verified, the jsonwebtoken module generates a JWT whose payload carries the user's _id and which is signed with the server's secret key (config.jwtSecret). The signature lets the server later confirm that it issued the token and that the _id was not altered; it does not hide the payload, which anyone holding the token can decode. Give the token an expiry (the expiresIn option) so that a leaked token cannot be replayed indefinitely.
Install the jsonwebtoken module to make it available to this controller's import by running npm install jsonwebtoken --save from the command line (--save is the default in current npm versions).
The signed JWT is then returned to the authenticated client along with basic user details. Optionally, the token can also be set as a cookie on the response, so it is available client-side if a cookie is the chosen form of JWT storage; in that case mark the cookie httpOnly and secure, and remember that the browser will attach it to every request automatically, so protected routes then need CSRF protection. On the client side, the token must be sent on every request to a protected route in the Authorization header, as Authorization: Bearer <token>.