Actual combat simulation │ JWT login authentication

Token The certification process

• As the most popular cross domain authentication solution ,JWT（JSON Web Token） Loved by developers , The main process is as follows ：
• The client sends an account and password to request login
• The server receives the request , Verify whether the account and password pass
• After successful verification , The server will generate a unique token, And return it to the client
• Client received token, Store it in cookie perhaps localStroge in
• After that, every time the client sends a request to the server , Will pass cookie perhaps header Take with you token
• Server side validation token The effectiveness of the , The data of the response is returned only after passing

Token Certification benefits

• Support cross domain access ：Cookie Cross domain access is not allowed , That's right Token There is no mechanism , The premise is that the transmitted user authentication information passes HTTP Head transmission
• No state ：Token The mechanism does not need storage on the server session Information , because Token It contains the information of all users who log in , Just on the client side cookie Or local media storage status information
• More applicable ： As long as it's support http Protocol client , You can use token authentication .
• Don't need to consider CSRF： Because no longer rely on cookie, So using token The authentication method will not happen CSRF, So there is no need to consider CSRF Defense

JWT structure

• One JWT It's actually a string , It consists of three parts ： Head 、 load And Signature . Middle point . Divided into three parts . Be careful JWT There is no line break inside .

• Head / header
• header It's made up of two parts ： token The type of JWT And algorithm name ：HMAC、SHA256、RSA

{  "alg": "HS256",  "typ": "JWT"}

• load / Payload
• Payload Part of it is also a JSON object , It is used to store the data that needs to be transferred .JWT Specify seven default fields to choose from .
• In addition to the default fields , You can add any field you want , Generally, after the user logs in successfully , Store user information here

iss： The issuer exp： Due time sub： The theme aud： user nbf： Not available until iat： Release time jti：JWT ID Used to identify the JWT

{  "iss": "xxxxxxx",  "sub": "xxxxxxx",  "aud": "xxxxxxx",  "user": [  	  'username': ' Geek flying rabbit ',  	  'gender': 1,  	  'nickname': ' Flying rabbit '    ] }

• Signature / Signature
• The signature part is on the above Head 、 load Data signature with two parts of data
• To ensure that the data is not tampered with , You need to specify a key , And this key is usually only known by you , And stored on the server
• The code to generate the signature is generally as follows ：

//  among secret  It's the key String signature = HMACSHA256(base64UrlEncode(header) + "." + base64UrlEncode(payload), secret)

JWT Basic use

• The client receives the JWT, Can be stored in Cookie Inside , It can also be stored in localStorage
• then Every time the client communicates with the server , Take this with you JWT
• hold JWT Save in Cookie Send request inside , It can't be Cross domain
• It's better to put it in HTTP Requested header information Authorization In the field

fetch('license/login', {	headers: {		'Authorization': 'X-TOKEN' + token	}})

actual combat ： Use JWT Login authentication

• Use here ThinkPHP6 Integrate JWT Login and authenticate for actual combat simulation

• install JWT Expand

composer require firebase/php-jwt

• Package generation JWT And decryption methods

<?php/** * Desc: JWT authentication  * Author: autofelix * Time: 2022/07/04 */namespace app\services;use app\Helper;use Firebase\JWT\JWT;use Firebase\JWT\Key;class JwtService{    protected $salt;    public function __construct()    {        // Get a unique string from the configuration information , You can write whatever you like md5('token')        $this->salt = config('jwt.salt') || "autofelix";    }    // jwt Generate     public function generateToken($user)    {        $data = array(            "iss" => 'autofelix',        // Issuer   Can be null             "aud" => 'autofelix',             // Face users , Can be null             "iat" => Helper::getTimestamp(),   // The issuance of time             "nbf" => Helper::getTimestamp(),   // Take effect immediately             "exp" => Helper::getTimestamp() + 7200, //token  Expiration time   Two hours             "user" => [ //  Record user information                 'id' => $user->id,                'username' => $user->username,                'truename' => $user->truename,                'phone' => $user->phone,                'email' => $user->email,                'role_id' => $user->role_id            ]        );        $jwt = JWT::encode($data, md5($this->salt), 'HS256');        return $jwt;    }    // jwt Decrypt     public function chekToken($token)    {        JWT::$leeway = 60; // Subtract... From the current time 60, Leave some room for time         $decoded = JWT::decode($token, new Key(md5($this->salt), 'HS256'));        return $decoded;    }}

• After the user logs in , Generate JWT identification

<?phpdeclare (strict_types=1);namespace app\controller;use think\Request;use app\ResponseCode;use app\Helper;use app\model\User as UserModel;use app\services\JwtService;class License{    public function login(Request $request)    {        $data = $request->only(['username', 'password', 'code']);        // .... Relevant logic for verification ...        $user = UserModel::where('username', $data['username'])->find();				//  Verify by generating  JWT,  Return to front end save         $token = (new JwtService())->generateToken($user);        return json([            'code' => ResponseCode::SUCCESS,            'message' => ' Login successful ',            'data' => [                'token' => $token            ]        ]);    }}

• Middleware verifies whether the user logs in
• stay middleware.php Register middleware

<?php//  Global middleware definition file return [	// ... Other middleware     // JWT verification     \app\middleware\Auth::class];

• After registering middleware , Improve the verification logic in the permission verification middleware

<?phpdeclare (strict_types=1);namespace app\middleware;use app\ResponseCode;use app\services\JwtService;class Auth{    private $router_white_list = ['login'];    public function handle($request, \Closure $next)    {        if (!in_array($request->pathinfo(), $this->router_white_list)) {            $token = $request->header('token');            try {            	// jwt  verification                 $jwt = (new JwtService())->chekToken($token);            } catch (\Throwable $e) {                return json([                    'code' => ResponseCode::ERROR,                    'msg' => 'Token Validation failed '                ]);            }            $request->user = $jwt->user;        }        return $next($request);    }}