The User IP added to the JWT token's payload. In addition, the IP is encrypted, so as it go back to user browser it will not be exposes.

Author: dz-ai

controller/auth.js

@@ -1,4 +1,4 @@
-const { genrateToken } = require('../util');
+const { generateToken } = require('../util');
 const user = require('../models/user');
 
 exports.login = async function(req, res, next) {
@@ -11,7 +11,7 @@ exports.login = async function(req, res, next) {
 		"emailId":userValidated.emailId,
 		"type": userValidated.userType,
 		}
-		let token = genrateToken(userDetails);
+		let token = generateToken(userDetails, req.ip);
 		userDetails["token"] = token;
 		res.send({res:"welcome", user:userDetails})
 	}

middleware/auth.js

@@ -1,17 +1,25 @@
 const jwt = require('jsonwebtoken');
+const { decrypt } = require('../util')
 
 function authenticateToken(req, res, next) {
   const authHeader = req.headers['authorization'];
   const token = authHeader && authHeader.split(' ')[1];
   if (token == null) return res.sendStatus(401);
-  jwt.verify(token, process.env.TOKEN_SECRET, (err, user) => {
 
-    if (err) return res.sendStatus(403);
-
-    req.user = user;
+  try {
+    const payload = jwt.verify(token, process.env.TOKEN_SECRET);
+    console.log('try');
+    const decryptedIP = decrypt(payload.ip);
+    if (decryptedIP !== req.ip) {
+      res.status(403)
+      res.send({err:"Unauthorized"});
+    }
 
     next();
-  })
+  } catch (error) {
+    res.status(403)
+    res.send({err:"Unauthorized"});
+  }
 }
 
 module.exports = authenticateToken;

util.js

@@ -1,8 +1,28 @@
 const jwt = require("jsonwebtoken");
+const crypto = require("crypto");
 
-exports.genrateToken = (data)=>{
-    return jwt.sign(data, process.env.TOKEN_SECRET);
-} 
+const key = crypto.randomBytes(32);
+const iv = crypto.randomBytes(16);
+const algorithm = 'aes-256-cbc';
+
+exports.generateToken = (data, IP)=>{
+    const encryptedIP = this.encrypt(IP);
+    return jwt.sign({data: data, ip: encryptedIP}, process.env.TOKEN_SECRET);
+}
+
+exports.encrypt = (IP) => {
+    const cipher = crypto.createCipheriv(algorithm, key, iv);
+    let encrypted = cipher.update(IP, 'utf8', 'hex');
+    encrypted += cipher.final('hex');
+    return encrypted;
+}
+
+exports.decrypt = (IP) => {
+    const decipher = crypto.createDecipheriv(algorithm, key, iv);
+    let decrypted = decipher.update(IP, 'hex', 'utf8');
+    decrypted += decipher.final('utf8');
+    return decrypted;
+}
 
 /**
  *