当前位置：网站首页>Actual combat simulation │ JWT login authentication

Actual combat simulation │ JWT login authentication

2022-07-05 12:58:00 【51CTO】

Catalog
Token The certification process
Token Certification benefits
JWT structure
JWT Basic use
actual combat ： Use JWT Login authentication

Token The certification process

As the most popular cross domain authentication solution ,JWT（JSON Web Token） Loved by developers , The main process is as follows ：
The client sends an account and password to request login
The server receives the request , Verify whether the account and password pass
After successful verification , The server will generate a unique token, And return it to the client
Client received token, Store it in cookie perhaps localStroge in
After that, every time the client sends a request to the server , Will pass cookie perhaps header Take with you token
Server side validation token The effectiveness of the , The data of the response is returned only after passing

Live simulation │JWT Login authentication _ Security

Token Certification benefits

Support cross domain access ：Cookie Cross domain access is not allowed , That's right Token There is no mechanism , The premise is that the transmitted user authentication information passes HTTP Head transmission
No state ：Token The mechanism does not need storage on the server session Information , because Token It contains the information of all users who log in , Just on the client side cookie Or local media storage status information
More applicable ： As long as it's support http Protocol client , You can use token authentication .
Don't need to consider CSRF： Because no longer rely on cookie, So using token The authentication method will not happen CSRF, So there is no need to consider CSRF Defense

JWT structure

One JWT It's actually a string , It consists of three parts ： Head 、 load And Signature . Middle point . Divided into three parts . Be careful JWT There is no line break inside .

Live simulation │JWT Login authentication _ Security _02

Head / header
header It's made up of two parts ： token The type of JWT And algorithm name ：HMAC、SHA256、RSA

load / Payload
Payload Part of it is also a JSON object , It is used to store the data that needs to be transferred .JWT Specify seven default fields to choose from .
In addition to the default fields , You can add any field you want , Generally, after the user logs in successfully , Store user information here

iss： The issuer 
exp： Due time 
sub： The theme 
aud： user 
nbf： Not available until 
iat： Release time 
jti：JWT ID Used to identify the JWT

     
      1.
      2.
      3.
      4.
      5.
      6.
      7.

{
  "iss": "xxxxxxx",
  "sub": "xxxxxxx",
  "aud": "xxxxxxx",
  "user": [
  	  'username': ' Geek flying rabbit ',
  	  'gender': 1,
  	  'nickname': ' Flying rabbit ' 
   ] 
}

     1.
2.
3.
4.
5.
6.
7.
8.
9.
10.

Signature / Signature
The signature part is on the above Head 、 load Data signature with two parts of data
To ensure that the data is not tampered with , You need to specify a key , And this key is usually only known by you , And stored on the server
The code to generate the signature is generally as follows ：

JWT Basic use

The client receives the JWT, Can be stored in Cookie Inside , It can also be stored in localStorage
then Every time the client communicates with the server , Take this with you JWT
hold JWT Save in Cookie Send request inside , It can't be Cross domain
It's better to put it in HTTP Requested header information Authorization In the field

actual combat ： Use JWT Login authentication

Use here ThinkPHP6 Integrate JWT Login and authenticate for actual combat simulation
install JWT Expand

Package generation JWT And decryption methods

<?php /** * Desc: JWT authentication  * Author: autofelix * Time: 2022/07/04 */ namespace app\services; use app\Helper; use Firebase\JWT\JWT; use Firebase\JWT\Key; class JwtService { protected $salt; public function __construct() { // Get a unique string from the configuration information , You can write whatever you like md5('token') $this->salt = config('jwt.salt') || "autofelix"; } // jwt Generate  public function generateToken($user) { $data = array( "iss" => 'autofelix', // Issuer   Can be null  "aud" => 'autofelix', // Face users , Can be null  "iat" => Helper::getTimestamp(), // The issuance of time  "nbf" => Helper::getTimestamp(), // Take effect immediately  "exp" => Helper::getTimestamp() + 7200, //token  Expiration time   Two hours  "user" => [ //  Record user information  'id' => $user->id, 'username' => $user->username, 'truename' => $user->truename, 'phone' => $user->phone, 'email' => $user->email, 'role_id' => $user->role_id ] ); $jwt = JWT::encode($data, md5($this->salt), 'HS256'); return $jwt; } // jwt Decrypt  public function chekToken($token) { JWT::$leeway = 60; // Subtract... From the current time 60, Leave some room for time  $decoded = JWT::decode($token, new Key(md5($this->salt), 'HS256')); return $decoded; } } 






















































After the user logs in , Generate JWT identification

<?php declare (strict_types=1); namespace app\controller; use think\Request; use app\ResponseCode; use app\Helper; use app\model\User as UserModel; use app\services\JwtService; class License { public function login(Request $request) { $data = $request->only(['username', 'password', 'code']); // .... Relevant logic for verification ... $user = UserModel::where('username', $data['username'])->find(); //  Verify by generating  JWT,  Return to front end save  $token = (new JwtService())->generateToken($user); return json([ 'code' => ResponseCode::SUCCESS, 'message' => ' Login successful ', 'data' => [ 'token' => $token ] ]); } } 

































Middleware verifies whether the user logs in
stay middleware.php Register middleware

<?php
//  Global middleware definition file 
return [
	// ... Other middleware 
    // JWT verification 
    \app\middleware\Auth::class
];

     1.
2.
3.
4.
5.
6.
7.

After registering middleware , Improve the verification logic in the permission verification middleware

<?php declare (strict_types=1); namespace app\middleware; use app\ResponseCode; use app\services\JwtService; class Auth { private $router_white_list = ['login']; public function handle($request, \Closure $next) { if (!in_array($request->pathinfo(), $this->router_white_list)) { $token = $request->header('token'); try { // jwt  verification  $jwt = (new JwtService())->chekToken($token); } catch (\Throwable $e) { return json([ 'code' => ResponseCode::ERROR, 'msg' => 'Token Validation failed ' ]); } $request->user = $jwt->user; } return $next($request); } } 
































