Hands-on simulation │ JWT login authentication
2022-07-05 01:02:00 【Geek flying rabbit】
Token authentication flow
- JWT (JSON Web Token) is the most popular cross-domain authentication solution and is well liked by developers. The main flow is as follows:
- The client sends the account name and password to request login
- The server receives the request and verifies whether the account name and password are correct
- After successful verification, the server generates a unique token and returns it to the client
- The client receives the token and stores it in a cookie or in localStorage
- From then on, every request the client sends to the server carries the token, either in a cookie or in an HTTP header
- The server validates the token and returns the response data only if validation passes
Benefits of token authentication
- Supports cross-domain access: cookies are not allowed to cross domains, while a token mechanism has no such restriction, provided the user's authentication information is transmitted in an HTTP header
- Stateless: the token mechanism needs no session storage on the server, because the token itself carries the logged-in user's information; only the client keeps state, in a cookie or in local storage
- Wider applicability: any client that speaks HTTP can use token authentication
- No need to consider CSRF: because the token no longer relies on a cookie that the browser attaches automatically, CSRF does not arise with header-based token authentication, so no CSRF defense is needed. Note that this holds only when the token is sent in a header; if the token is stored in a cookie that the browser sends on its own, CSRF must still be defended against
JWT structure
- A JWT is actually a string made up of three parts: Header, Payload and Signature, separated by dots (.). Note that a JWT contains no line breaks.
- Header
The header consists of two parts: the type of the token, which is JWT, and the name of the signing algorithm, such as HMAC SHA256 or RSA
{
"alg": "HS256",
"typ": "JWT"
}
- Payload
The payload is also a JSON object and is used to carry the data that needs to be transferred. JWT specifies seven registered claims to choose from. Besides these, you can add any field you want; typically, after a user logs in successfully, the user information is stored here. Keep in mind that the payload is only base64url-encoded, not encrypted: anyone holding the token can read it, so it must not contain secrets.
iss: issuer
exp: expiration time
sub: subject
aud: audience
nbf: not valid before
iat: issued at
jti: JWT ID, used to identify this JWT
{
"iss": "xxxxxxx",
"sub": "xxxxxxx",
"aud": "xxxxxxx",
"user": {
"username": "Geek flying rabbit",
"gender": 1,
"nickname": "Flying rabbit"
}
}
- Signature
- The signature is computed over the Header and Payload data above
- To ensure the data is not tampered with, you need to specify a secret key; this key is known only to you and is stored on the server. The signature proves integrity, not confidentiality: a tampered token fails verification, but the payload is still readable
- The code that generates the signature is generally as follows:
// secret is the key
String signature = HMACSHA256(base64UrlEncode(header) + "." + base64UrlEncode(payload), secret)
Basic use of JWT
- After the client receives the JWT it can store it in a cookie or in localStorage
- Then, every time the client communicates with the server, it sends the JWT along
- If the JWT is kept in a cookie and sent with the request, it cannot cross domains
- It is better to put it in the Authorization field of the HTTP request header
fetch('license/login', {
headers: {
'Authorization': 'X-TOKEN ' + token
}
})
Hands-on: login authentication with JWT
Here ThinkPHP6 is integrated with JWT for the hands-on login authentication simulation.
- Install the JWT extension
composer require firebase/php-jwt
- Wrap the JWT generation and verification methods
<?php
/**
 * Desc: JWT authentication
 * Author: autofelix
 * Time: 2022/07/04
 */
namespace app\services;

use app\Helper;
use Firebase\JWT\JWT;
use Firebase\JWT\Key;

class JwtService
{
    protected $salt;

    public function __construct()
    {
        // Read the signing secret from configuration. The literal fallback is for this demo only:
        // in production set a long random secret in config and never ship a hard-coded one.
        // Note: PHP's `||` yields a boolean, so `config('jwt.salt') || "autofelix"` would silently
        // make the secret `true`; `?:` is the correct short-circuit default.
        $this->salt = config('jwt.salt') ?: "autofelix";
    }

    // Generate a JWT
    public function generateToken($user)
    {
        $data = array(
            "iss" => 'autofelix',                   // issuer, may be omitted
            "aud" => 'autofelix',                   // audience, may be omitted
            "iat" => Helper::getTimestamp(),        // issued at
            "nbf" => Helper::getTimestamp(),        // valid immediately
            "exp" => Helper::getTimestamp() + 7200, // token expires in two hours
            "user" => [                             // user information; the payload is only
                'id' => $user->id,                  // base64url-encoded, so anyone holding the
                'username' => $user->username,      // token can read every field in here
                'truename' => $user->truename,
                'phone' => $user->phone,
                'email' => $user->email,
                'role_id' => $user->role_id
            ]
        );
        // md5() only turns the configured string into a 32-character hex key for HS256;
        // it adds no strength, so the entropy must come from the configured secret itself
        $jwt = JWT::encode($data, md5($this->salt), 'HS256');
        return $jwt;
    }

    // Verify and decode a JWT; throws on a bad signature, wrong algorithm, expired or not-yet-valid token
    public function chekToken($token)
    {
        // Allow 60 seconds of clock skew between issuer and verifier when checking exp, nbf and iat
        JWT::$leeway = 60;
        // Key pins the algorithm to HS256: a token whose header claims a different alg is rejected
        $decoded = JWT::decode($token, new Key(md5($this->salt), 'HS256'));
        return $decoded;
    }
}
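The three-part structure, the HMAC-SHA256 signature and the generate/verify pair in JwtService above, written out from scratch in Python as an added example (this is not code from the original post and not the firebase/php-jwt library), so that the base64url encoding, the exact bytes that get signed, the verifier-side pinning of the algorithm, the constant-time signature compare and the exp/nbf leeway check are all visible. The secret and the sample claims are constructed for the example; the leeway semantics mirror what the PHP service relies on (a token counts as expired once now - leeway >= exp, and as not yet valid while nbf > now + leeway). read_payload_unverified shows why the payload must not carry sensitive data: it is readable without the key.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional


class JwtError(Exception):
    """Raised for any malformed, tampered, expired or not-yet-valid token."""


def b64url_encode(data: bytes) -> str:
    # JWT uses base64url without '=' padding (RFC 7515, section 2)
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(segment: str) -> bytes:
    # Restore the padding the encoder stripped before decoding
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def jwt_encode_hs256(payload: dict, secret: bytes) -> str:
    header = {"alg": "HS256", "typ": "JWT"}
    # Compact JSON: the bytes that are base64url-encoded are exactly what gets signed
    signing_input = (
        b64url_encode(json.dumps(header, separators=(",", ":")).encode("utf-8"))
        + "."
        + b64url_encode(json.dumps(payload, separators=(",", ":")).encode("utf-8"))
    )
    signature = hmac.new(secret, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(signature)


def jwt_decode_hs256(token: str, secret: bytes, now: Optional[int] = None, leeway: int = 60) -> dict:
    parts = token.split(".")
    if len(parts) != 3:
        raise JwtError("wrong number of segments")
    h64, p64, s64 = parts
    try:
        header = json.loads(b64url_decode(h64))
        provided = b64url_decode(s64)
    except (ValueError, UnicodeDecodeError) as exc:
        raise JwtError("malformed token") from exc
    # Pin the algorithm on the verifier side; the token is never allowed to choose it
    # (this rejects alg=none and any other substituted algorithm)
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        raise JwtError("unexpected alg")
    expected = hmac.new(secret, (h64 + "." + p64).encode("ascii"), hashlib.sha256).digest()
    # Constant-time compare so a forged signature cannot be guessed byte by byte
    if not hmac.compare_digest(expected, provided):
        raise JwtError("signature verification failed")
    payload = json.loads(b64url_decode(p64))
    now = int(time.time()) if now is None else now
    # Same leeway semantics as JWT::$leeway in the PHP service
    if "nbf" in payload and payload["nbf"] > now + leeway:
        raise JwtError("token not yet valid")
    if "exp" in payload and now - leeway >= payload["exp"]:
        raise JwtError("token expired")
    return payload


def read_payload_unverified(token: str) -> dict:
    # Anyone holding the token can do this: the payload is encoded, not encrypted,
    # which is why phone numbers, e-mail addresses or secrets do not belong in it
    return json.loads(b64url_decode(token.split(".")[1]))


if __name__ == "__main__":
    secret = b"constructed-demo-secret-use-a-long-random-value-in-production"
    issued = 1_700_000_000  # constructed timestamp
    claims = {"iss": "autofelix", "iat": issued, "nbf": issued, "exp": issued + 7200,
              "user": {"id": 7, "username": "autofelix", "role_id": 2}}
    token = jwt_encode_hs256(claims, secret)
    print(token)
    print(jwt_decode_hs256(token, secret, now=issued + 10))
```

Run it as a script to see a token and its verified claims; pass `now=` explicitly, as the tests do, to exercise the expiry and not-before edges without waiting.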
- After the user logs in, generate the JWT
<?php
declare (strict_types=1);

namespace app\controller;

use think\Request;
use app\ResponseCode;
use app\Helper;
use app\model\User as UserModel;
use app\services\JwtService;

class License
{
    public function login(Request $request)
    {
        $data = $request->only(['username', 'password', 'code']);
        // .... password and captcha verification logic goes here ...
        $user = UserModel::where('username', $data['username'])->find();
        // Verification passed: generate the JWT and return it for the front end to store
        $token = (new JwtService())->generateToken($user);
        return json([
            'code' => ResponseCode::SUCCESS,
            'message' => 'Login successful',
            'data' => [
                'token' => $token
            ]
        ]);
    }
}
- Middleware checks whether the user is logged in
- Register the middleware in middleware.php
<?php
// Global middleware definition file
return [
    // ... other middleware
    // JWT verification
    \app\middleware\Auth::class
];
- After registering the middleware, fill in the verification logic in the permission-check middleware
<?php
declare (strict_types=1);

namespace app\middleware;

use app\ResponseCode;
use app\services\JwtService;

class Auth
{
    // Routes that may be reached without a token
    private $router_white_list = ['login'];

    public function handle($request, \Closure $next)
    {
        if (!in_array($request->pathinfo(), $this->router_white_list)) {
            // The client sends "Authorization: X-TOKEN <jwt>" (see the fetch example above);
            // strip the scheme prefix to get the bare token
            $token = trim(str_replace('X-TOKEN', '', (string) $request->header('Authorization')));
            try {
                // JWT verification: throws on a bad signature, wrong alg, expired or not-yet-valid token
                $jwt = (new JwtService())->chekToken($token);
            } catch (\Throwable $e) {
                return json([
                    'code' => ResponseCode::ERROR,
                    'msg' => 'Token validation failed'
                ]);
            }
            $request->user = $jwt->user;
        }
        return $next($request);
    }
}