How to Initialize Multilayer Node.js RESTful API with JWT Auth and PostgreSQL in 3 Steps

March 15, 2018 0 Comments

How to Initialize Multilayer Node.js RESTful API with JWT Auth and PostgreSQL in 3 Steps



It’s a little-known fact that when Julius Caesar delivered his famous quote “Divide and conquer,” he was actually talking about using layered architecture for building web applications. Its principle lies in separating the user interface from the business logic and the business logic from the data access logic. Layered architecture offers increased flexibility, maintainability and scalability, plus it’s easier to write, test and maintain. Sounds good but how can you implement it using modern technologies?

For those of you who are new to Node.js and RESTful API, we’ve written a how-to guide that will help you create a RESTful API that can be developed into a large service. In this tutorial, we’ll show you how to start building a RESTful API in three steps. The JSON Web Token technique will help us handle authentication and PostgreSQL will be our database.

So, our steps to writing a RESTful API are:

  1. Initializing a Node.js project

  2. JWT authentication

  3. Adding layers

Let’s start building our application. Create an empty folder and initialize a new project with the following command:npm init

To install the necessary packages, run the command:npm i bcrypt bluebird body-parser express http jsonwebtoken lodash pg sequelize sequelize-values — save

Next, create the following files in the main folder:

  • config.js (the application’s configuration like database connections, password salts, etc.)
  • db.js (responsible for the database connection)
  • router.js (handles http requests and dispatches them to controllers)
  • index.js — (a startup file)

Here’s the code our files contain:

module.exports = { port: 3000, dbConnectionString: 'your postgresql connection', saltRounds: 2, jwtSecret: 'yo-its-a-secret', tokenExpireTime: '6h'


const config = require('./config');const Sequelize = require('sequelize');var sequelize = new Sequelize(config.dbConnectionString);


module.exports = sequelize;
module.exports.set = app => { //endpoints will be here soon


const express = require('express');const http = require('http');const bodyParser = require('body-parser');const app = express();const config = require('./config');

const router = require('./router');

app.use(bodyParser.json());app.use(bodyParser.urlencoded({ extended: true}));app.use(express.static('client'));


app.listen(config.port, () => console.log('App listening on port '+ config.port));

After you’ve finished creating the files in the main folder, you have to define data models. To do this, create a folder models with the file index.js inside. Like this:

const Sequelize = require('sequelize');
const sequelize = require('../db');
const User = sequelize.define('user', { login: Sequelize.STRING, password: Sequelize.STRING,


const Order = sequelize.define('order', { title: Sequelize.STRING, date: { type: Sequelize.DATE, defaultValue: Sequelize.NOW }, user_id: { type: Sequelize.INTEGER, references: { model: User, key: 'id' } }


User.hasMany(Order, {foreignKey: 'user_id'});
module.exports = { User, Order


This is how you start your multilayer Node.js project. At this point we have an entry point into our application (index.js), two DB models (models/index.js) and some basic configuration.

Before writing an actual API, let’s add authentication to our application. Create a services folder with files user.jsand auth.js inside. Like this:

const sequelize = require('../db');
const Users = require('../models').User;
const addUser = user => Users.create(user);
const getUserByLogin = login => Users.findOne({where: {login}});
module.exports = { addUser, getUserByLogin


Once a user is logged-in, each subsequent request will include a token (JWT), allowing the user to access routes, services and resources according to the permissions stored in the token.

const bcrypt = require('bcrypt');
const jwt = require('jsonwebtoken');
const Users = require('../models').User;
const config = require('../config');
const authenticate = params => { return Users.findOne({ where: { login: params.login }, raw: true }).then(user => { if (!user) throw new Error('Authentication failed. User not found.'); if (!bcrypt.compareSync(params.password || '', user.password)) throw new Error('Authentication failed. Wrong password.'); const payload = { login: user.login, id:, time: new Date()


 var token = jwt.sign(payload, config.jwtSecret, { expiresIn: config.tokenExpireTime }); return token; });


module.exports = { authenticate


To handle requests for registration and authentication, our application should have a controller.

Let’s create a file auth.js and place it in the controllers folder.

const config = require('../config');const jwt = require('jsonwebtoken');

const bcrypt = require('bcrypt');

const authService = require('../services/auth');
const userService = require('../services/user');
function login(req, res){ return authService.authenticate(req.body) .then(token => { res.send({ success: true, data: { token } }); }) .catch(err => { res.send({ success: false, message: err.message //not the best error handling. //for better error handling visit github repository, link provided below }); })


function register(req, res){ var login = req.body.login; return userService.getUserByLogin(req.body.login || '')

.then(exists => {

 if (exists){ return res.send({ success: false, message: 'Registration failed. User with this email already registered.' });


 var user = { login: req.body.login, password: bcrypt.hashSync(req.body.password, config.saltRounds)


 return userService.addUser(user) .then(() => res.send({success: true})); });


module.exports = { login, register


After this, we need to add endpoints to our API.

const authController = require('./controllers/auth');
module.exports.set = app => {'/login', authController.login);'/register', authController.register);


Let’s start the server by running the command node index.js and test the login and register functionality.

Now we have the Controller layer and the Data Access layer in our application. To link them together, we need the Service layer in between. Using layers is a good way to ensure separation of responsibilities, which allows making data, business logic and presentation code independent. The Presentational layer (user) interacts with the Controllers layer (API) that uses the Service layer (business rules) to access and modify data via the Data Access layer.

So, let’s start with our first service for the order model.

const Orders = require('../models').Order;
const getAll = () => Orders.findAll();
const getById = id => Orders.findById(id);
const add = order => Orders.create(order);
module.exports = {add, getAll, getById};

Now, we can create a controller to work with that service.

const orderService = require('../services/order');
function getOrders(req, res){ orderService.getAll() .then(data => res.send(data));


function getOrder(req, res){ orderService.getById( .then(data => res.send(data));


function addOrder(req, res){ orderService.add({ title: req.body.title, user_id: 1 }) .then(data => res.send(data));


module.exports = { getOrders, getOrder, addOrder


const orderController = require('./controllers/order');… app.get('/orders', orderController.getOrders); app.get('/orders/:id', orderController.getOrder);'/orders', orderController.addOrder);

Here’s some testing illustration of a working API:

The next thing we need is to allow access only to authenticated users. To do this, let’s add middleware that checks if the user is logged in:

const jwt = require('jsonwebtoken');
const config = require('../config');
const checkAuth = (req, res, next) => { var token = req.headers['token']; if (!token) return res.status(403).send({ auth: false, message: 'No token provided.' }); jwt.verify(token, config.jwtSecret, (err, decoded) => { if (err)

return res.status(500).send({ auth: false, message: 'Failed to authenticate token.' });

 req.user = { login: decoded.login, id:


 next(); });


module.exports = { checkAuth


After this, the authentication middleware should be used as the middleware argument (the second one) in endpoints functions. Now, the user can’t access data without providing a valid authentication token.

app.get('/orders', authMiddleware.checkAuth, orderController.getOrders);app.get('/orders/:id', authMiddleware.checkAuth, orderController.getOrder);'/orders', authMiddleware.checkAuth, orderController.addOrder);

app.get('/user_orders', authMiddleware.checkAuth, userController.getUsersWithOrders)

As you can see it works :)

function addOrder(req, res){ orderService.add({ title: req.body.title, user_id: }) .then(data => res.send(data));


And that’s it! We’ve created a small app with RESTful API. According to the Multilayer Architecture concept, we have the Controllers layer, the Service layer and the Data Access layer. Our API with JWT authorization makes it easy to add the Presentational layer, e.g. web application or mobile application.

Feel free to check the code in the repository. Well, don’t just stand there — go ahead and try it yourself. Good luck from ElifTech!

Tag cloud