Using JWT Authentication with Swagger and Node.js

TL;DR: check the code on Github

I recently decided to use Swagger as the underlying technology for a Node.js REST API. Swagger (or it’s new “enterprise-friendly” OpenAPI branding) allows you to easily define a RESTful API using a JSON or YAML schema. Not only does it enforce you to follow all of REST’s best practices, it also provides a few very interesting tools that simplify the development process. A couple of examples are the Swagger Editor, that allows you to edit the API spec and see changes in real time, Swagger UI that automatically builds beautiful documentation, and Swagger Codegen, that generates the first version of the API endpoints’ code. Furthermore, there are many tools and integrations built for Swagger by its community.

While Swagger looked like a great fit for what I was looking for and everything started out nicely, some limitations soon became apparent. The first that I encountered is related to the use of JSON Web Tokens (JWT) for authentication purposes. Swagger’s specification allows for two types of mechanisms: OAuth, and what they call “apiKey”. Since JWT is definitely not OAuth, we have to use use “apiKey” to define that the JWT token will be sent in the HTTP Authorization header as “Bearer token_string“:

Furthermore, if we want to have different roles and manage the access to each API endpoint based on the user’s role, we will have to extend the Swagger spec, as it does not allow this for “apiKey” authentication. We can allow for role-based access as follows:

After the Swagger configuration is defined, we need to write the code to actually make this work. Here I will use Express and swagger-tools to care care of all the heavy lifting:

As you can see in line 13, the security checks are handed off to the verifyToken function in the auth module. Here is the code:

We just verify that the request presents a valid token (lines 21 through 27) and that the role of the user (which is saved in the token) matches one of the roles of the endpoint (line 13 and 29). The final piece of the puzzle is issuing a JWT with the user’s role as part of its payload:

Just return the token when the user correctly logs in, and you’re set:

And that’s basically it! All the code is available on Github, so feel free to check it out and test it for yourself.

Our video “A Sea of Robots” is nominated for “Best Robot Video” Award at AAAI 2016!

Our video “A Sea of Robots” is nominated for “Best Robot Video”Award at AAAI 2016. We are also nominated for “People’s Choice Award”, which is given out based on the number of “likes” on the YouTube video. So if you want to help us out, check out our video below and give us a thumbs up!

Update: We won!

Fixing SSHFS in Mac OS X El Capitan (10.11)

If you are like me and use SSHFS everyday, you’ve recently noticed that it stopped working on OS X El Capitan. The problem is that fuse4x is no longer supported, and does not work in this new version. The solution is to get rid of fuse4x and install OSXFUSE with its own version of SSHFS. Another issue is that macports also stops working with the update, so we have to fix macports before we can get rid of the old fuse4x and SSHFS ports. If you doing a clean install on El Capitan, just skip to step 3. If you’re updating from Yosemite or earlier, start here:

Step 1: Make macports work again:

Follow Chris Knight’s instructions for reinstalling macports on El Capitan:

Step 2: Uninstall sshfs and fuse4x from macports:

Step 3: Install OSXFuse and SSHFS:

Just go over to and grab both packages It might be necessary to reboot to make SSHFS start working.

You’re done!

Autonomous Drone Experiments — Navigation and Patrolling

We’ve been really really busy making progress on our drone swarm project, which leaves me little time to update my blog. The good news is that we already have conducted successful tests with autonomous behaviors with 1 and 3 drones. Here’s a recent video that shows 1 prototype drone autonomously executing navigation and patrolling tasks. During the next couple of months we will be conducting experiments with up to 10 drones if all goes well 🙂