JWT
JWT (JSON Web Token) is an open industry standard (RFC 7519) method for representing claims securely between two parties.
Common use cases:
- Authorization: This is the most common scenario for using JWT. Once the user is logged in, each subsequent request will include the JWT, allowing the user to access routes, services, and resources that are permitted with that token. Single Sign On is a feature that widely uses JWT nowadays, because of its small overhead and its ability to be easily used across different domains.
- Information Exchange: JSON Web Tokens are a good way of securely transmitting information between parties. Because JWTs can be signed—for example, using public/private key pairs—you can be sure the senders are who they say they are. Additionally, as the signature is calculated using the header and the payload, you can also verify that the content hasn’t been tampered with.
Before using it, verify the level of support that each library has for JWT authentication. I am using Node.js, and the library I am using offers full support (checking if the token is expired, etc.).
After that, install the library (npm install jsonwebtoken for Node.js).
A JWT typically looks like this:
xxxxx.yyyyy.zzzzz
Header . Payload . Signature
example header: { "alg": "HS256", "typ": "JWT" }
example payload: { "sub": "1234567890", "name": "John Doe", "admin": true }
example signature: HMACSHA256( base64UrlEncode(header) + "." + base64UrlEncode(payload), secret)
Verify Token
jwt.verify() error handling depends on the library (see the library list at https://jwt.io/)
restify errors
// login: look up the user and check the password
const { username, password } = req.body;
const user = await User.findOne({ username });
if (!user) { throw new Error("You are not authorized"); }
const match = await bcrypt.compare(password, user.password);
if (!match) { throw new Error("You are not authorized"); }
// get jwt token (jsonwebtoken: jwt.sign(payload, secret, options); synchronous when no callback is given)
const token = jwt.sign({ sub: user.id }, secret, { expiresIn: exp });
// verify token (throws if the signature is wrong or the token has expired)
const userData = jwt.verify(token, secret);
https://tools.ietf.org/html/rfc7519
Sidenote: Request for Comments: An RFC is authored by engineers and computer scientists in the form of a memorandum describing methods, behaviors, research, or innovations applicable to the working of the Internet and Internet-connected systems. It is submitted either for peer review or to convey new concepts, information, or (occasionally) engineering humor.
JWT authentication is sessionless, so how do you verify that the user a token refers to still exists?
1. check that the user still exists (implement aud)
2. when the user deletes their account, remove the token from client storage
3. store the token in the user account
https://riptutorial.com/jwt/example/21537/remove-the-token-from-client-storage
Stateless vs stateful (When to use)
Insomnia (the API client) is stateful: like your browser, once a cookie is set, the other requests will carry that cookie too.
Stateful systems:
Booking systems with login, etc. (log in once and do not have to log in again until the expiry date)
Put in a cookie
Stateless systems:
API (auth is provided on every request)
Put in request headers (Authorization header)
Auth headers vs cookies
The “X-” prefix denotes custom headers (this convention is deprecated; the RFC recommendations are quoted below):
3. Recommendations for Creators of New Parameters
…
- SHOULD NOT prefix their parameter names with “X-” or similar constructs.
4. Recommendations for Protocol Designers
…
- SHOULD NOT prohibit parameters with an “X-” prefix or similar constructs from being registered.
- MUST NOT stipulate that a parameter with an “X-” prefix or similar constructs needs to be understood as unstandardized.
- MUST NOT stipulate that a parameter without an “X-” prefix or similar constructs needs to be understood as standardized.
Front-end apps cannot set the cookie themselves; only the browser sets it, when the server sends a Set-Cookie header (browser security restriction).
Cookies
https://developer.mozilla.org/en-US/docs/Web/API/Document/cookie
JWT is sessionless
the session state behind session cookies is usually stored on the server
Consumer + CORS
Access-Control-Allow-Origin: http://www.example.com
Access-Control-Allow-Methods: PUT, DELETE