当前位置:网站首页>Actual combat simulation │ JWT login authentication

Actual combat simulation │ JWT login authentication

2022-07-04 19:52:00 InfoQ

 Token  The certification process

  • As the most popular cross domain authentication solution ,
    JWT(JSON Web Token)
      Loved by developers , The main process is as follows :
  • The client sends an account and password to request login
  • The server receives the request , Verify whether the account and password pass
  • After successful verification , The server will generate a unique  
    token
    , And return it to the client
  • Client received  
    token
    , Store it in  
    cookie
      perhaps  
    localStroge
      in
  • After that, every time the client sends a request to the server , Will pass  
    cookie
      perhaps
    header
      Take with you  
    token
  • Server side validation  
    token
      The effectiveness of the , The data of the response is returned only after passing
be based on Token The certification process

 Token  Certification benefits

  • Support cross domain access :
    Cookie
      Cross domain access is not allowed , That's right  
    Token
      There is no mechanism , The premise is that the transmitted user authentication information passes  
    HTTP
      Head transmission
  • No state :
     
    Token
      The mechanism does not need storage on the server  
    session
      Information , because  
    Token
      It contains the information of all users who log in , Just on the client side  
    cookie
      Or local media storage status information
  • More applicable :
      As long as it's support  
    http
      Protocol client , You can use  
    token
      authentication .
  • Don't need to consider CSRF:
      Because no longer rely on  
    cookie
    , So using  
    token
      The authentication method will not happen  
    CSRF
    , So there is no need to consider  
    CSRF
      Defense

 JWT  structure

  • One  
    JWT
      It's actually a string , It consists of three parts :
    Head
    load
    And
    Signature
    . Middle point  
    .
      Divided into three parts . Be careful  
    JWT
      There is no line break inside .
JWT structure
  •  
    Head  / header
  • header
      It's made up of two parts : 
    token
      The type of  
    JWT
      And algorithm name :
    HMAC
    SHA256
    RSA

{
 "alg": "HS256",
 "typ": "JWT"
}
  •  
    load  / Payload
  • Payload
      Part of it is also a  
    JSON
      object , It is used to store the data that needs to be transferred .
    JWT
      Specify seven default fields to choose from .
  • In addition to the default fields , You can add any field you want , Generally, after the user logs in successfully , Store user information here

iss: The issuer
exp: Due time
sub: The theme
aud: user
nbf: Not available until
iat: Release time
jti:JWT ID Used to identify the JWT
{
 "iss": "xxxxxxx",
 "sub": "xxxxxxx",
 "aud": "xxxxxxx",
 "user": [
 'username': ' Geek flying rabbit ',
 'gender': 1,
 'nickname': ' Flying rabbit ' 
 ] 
}
  •  
    Signature  / Signature
  • The signature part is on the above   Head 、 load   Data signature with two parts of data
  • To ensure that the data is not tampered with , You need to specify a key , And this key is usually only known by you , And stored on the server
  • The code to generate the signature is generally as follows :

//  among secret  It's the key
String signature = HMACSHA256(base64UrlEncode(header) + "." + base64UrlEncode(payload), secret)

 JWT  Basic use

  • The client receives the  
    JWT
    , Can be stored in  
    Cookie
      Inside ,  It can also be stored in  
    localStorage
  • then   Every time the client communicates with the server , Take this with you  
    JWT
  • hold  
    JWT
      Save in  
    Cookie
      Send request inside , It can't be
    Cross domain
  • It's better to put it in  
    HTTP
      Requested header information  
    Authorization
      In the field

fetch('license/login', {
 headers: {
 'Authorization': 'X-TOKEN' + token
 }
})

  actual combat : Use  JWT  Login authentication

  • Use here  
    ThinkPHP6
      Integrate  
    JWT
      Login and authenticate for actual combat simulation
  •  
    install  JWT  Expand

composer require firebase/php-jwt
  •  
    Package generation  JWT  And decryption methods

<?php
/**
 * Desc: JWT authentication
 * Author: autofelix
 * Time: 2022/07/04
 */

namespace app\services;

use app\Helper;
use Firebase\JWT\JWT;
use Firebase\JWT\Key;

class JwtService
{
 protected $salt;

 public function __construct()
 {
 // Get a unique string from the configuration information , You can write whatever you like md5('token')
 $this->salt = config('jwt.salt') || &quot;autofelix&quot;;
 }

 // jwt Generate
 public function generateToken($user)
 {
 $data = array(
 &quot;iss&quot; => 'autofelix', // Issuer   Can be null
 &quot;aud&quot; => 'autofelix', // Face users , Can be null
 &quot;iat&quot; => Helper::getTimestamp(), // The issuance of time
 &quot;nbf&quot; => Helper::getTimestamp(), // Take effect immediately
 &quot;exp&quot; => Helper::getTimestamp() + 7200, //token  Expiration time   Two hours
 &quot;user&quot; => [ //  Record user information
 'id' => $user->id,
 'username' => $user->username,
 'truename' => $user->truename,
 'phone' => $user->phone,
 'email' => $user->email,
 'role_id' => $user->role_id
 ]
 );
 $jwt = JWT::encode($data, md5($this->salt), 'HS256');
 return $jwt;
 }

 // jwt Decrypt
 public function chekToken($token)
 {
 JWT::$leeway = 60; // Subtract... From the current time 60, Leave some room for time
 $decoded = JWT::decode($token, new Key(md5($this->salt), 'HS256'));
 return $decoded;
 }
}
  •  
    After the user logs in , Generate  JWT  identification

<?php
declare (strict_types=1);

namespace app\controller;

use think\Request;
use app\ResponseCode;
use app\Helper;
use app\model\User as UserModel;
use app\services\JwtService;

class License
{
 public function login(Request $request)
 {
 $data = $request->only(['username', 'password', 'code']);

 // .... Relevant logic for verification ...
 $user = UserModel::where('username', $data['username'])->find();
 
 //  Verify by generating  JWT,  Return to front end save
 $token = (new JwtService())->generateToken($user);

 return json([
 'code' => ResponseCode::SUCCESS,
 'message' => ' Login successful ',
 'data' => [
 'token' => $token
 ]
 ]);
 }
}
  •  
    Middleware verifies whether the user logs in
  • stay  
    middleware.php
      Register middleware

<?php
//  Global middleware definition file
return [
 // ... Other middleware
 // JWT verification
 \app\middleware\Auth::class
];
  • After registering middleware , Improve the verification logic in the permission verification middleware

<?php
declare (strict_types=1);

namespace app\middleware;

use app\ResponseCode;
use app\services\JwtService;

class Auth
{
 private $router_white_list = ['login'];

 public function handle($request, \Closure $next)
 {
 if (!in_array($request->pathinfo(), $this->router_white_list)) {
 $token = $request->header('token');

 try {
 // jwt  verification
 $jwt = (new JwtService())->chekToken($token);
 } catch (\Throwable $e) {
 return json([
 'code' => ResponseCode::ERROR,
 'msg' => 'Token Validation failed '
 ]);
 }

 $request->user = $jwt->user;
 }

 return $next($request);
 }
}
原网站

版权声明
本文为[InfoQ]所创,转载请带上原文链接,感谢
https://yzsam.com/2022/185/202207041832451131.html

边栏推荐

猜你喜欢

随机推荐