Using JWT validation in ThinkPHP6

With the development of the Internet, the number of users of Web applications has gradually increased, and security issues have become increasingly important. Authentication is an important part of web application security because only authenticated users can access resources that require permissions.

JSON Web Token (JWT) is a lightweight, self-contained authentication token that is a great way to securely transfer information between web applications. The JWT authentication scheme is suitable for distributed systems and single-page applications.

ThinkPHP is a popular PHP framework that provides many tools to develop secure web applications. In this article, we will cover how to use JWT for authentication in ThinkPHP6 to enhance the security of your application.

Development environment and dependencies

Before we begin, we need to ensure that the development environment has been set up correctly. The following are the environments and dependencies used in this article. Please change accordingly based on your needs.

• PHP 7.2 or higher
• ThinkPHP 6.0.0 or higher
• Firebase JWT PHP library

Step 1 :Install the Firebase JWT PHP library

Installing the Firebase JWT PHP library is the first step in using the JWT authentication scheme. This library will help us create, sign and verify JWTs.

We can use Composer to install the Firebase JWT PHP library. Enter the following command at the command line:

composer require firebase/php-jwt

Step 2: Create the Token class

To facilitate the management and use of JWT, we create a class named Token to handle various aspects of JWT verification. This class will include functions such as creating tokens, verifying tokens, and obtaining token information.

Create the Token.php file in the app/common directory and add the following code:

<?php

namespace appcommon;

use FirebaseJWTJWT;

class Token
{
    private static $key = 'your_secret_key';
    private static $alg = 'HS256';

    public static function createToken($data, $expiration = 3600)
    {
        $payload = [
            'iss' => 'localhost',
            'sub' => 'token',
            'iat' => time(),
            'exp' => time() + $expiration,
            'data' => $data
        ];

        return JWT::encode($payload, self::$key, self::$alg);
    }

    public static function decodeToken($token)
    {
        return JWT::decode($token, self::$key, [self::$alg]);
    }

    public static function getDataByToken($token)
    {
        $decoded = self::decodeToken($token);

        if (isset($decoded->data)) {
            return $decoded->data;
        } else {
            return false;
        }
    }

    public static function verifyToken($token)
    {
        $result = false;
        try {
            $decoded = self::decodeToken($token);
            $result = true;
        } catch (Exception $e) {
            // Invalid token
        }
        return $result;
    }
}

In the code, we use encode in the FirebaseJWTJWT library () and decode() methods to create and parse JWT. $key is the key we used to sign the JWT and $alg is the algorithm we chose. In the createToken() method, we use the four keys (iss, iat, exp and sub) from the JWT payload and add custom data. $expirationThe parameter specifies the expiration time of the JWT. Therefore, JWT can only be used within the validity period.

Step 3: Validate the token in the middleware

Now that we have created the Token class to handle the JWT related work, we need to validate the user JWT in the middleware. Using middleware makes it easy to intercept and set responses in your application's controller code, and you can separate the code into different classes for better management and modification.

Create the Jwt.php file in the app/middleware directory and add the following code:

<?php

namespace appmiddleware;

use appcommonToken;
use thinkexceptionHttpResponseException;
use thinkResponse;

class Jwt
{
    public function handle($request, Closure $next)
    {
        if (!$request->header('Authorization')) {
            return json(['code' => 401, 'msg' => 'Unauthorized']);
        }

        $header = $request->header('Authorization');
        $token = substr($header, 7);
        if (Token::verifyToken($token)) {
            $request->data = Token::getDataByToken($token);
            return $next($request);
        } else {
            return json(['code' => 401, 'msg' => 'Unauthorized']);
        }
    }
}

In this middleware, we use verifyToken()## in the Token class #Method to verify JWT. This method will return true or false indicating whether the token is valid. If valid, we will use the getDataByToken() method to get the data portion of the JWT and store it in $request->data. This data is then available to the controller.

Step 4: Set up routing

Now that we have created the middleware, we need to apply it to the appropriate route.

Suppose we want to protect the route of

/api/user, we need to set the route in the route pi.php file as follows:

use appmiddlewareJwt;

Route::group('api', function() {
  Route::get('user', 'UserController@getUserInfo')->middleware(Jwt::class);
});

Please note that in this route, we pass the

Jwt middleware as a parameter to the middleware() method. This is the sample code for the getUserInfo() method in UserController.

<?php

namespace appcontroller;

use appcommonToken;

class UserController
{
    public function getUserInfo()
    {
        $data = request()->data;
        ...
    }
    ...
}

In the controller, you can access the data stored in the authenticated JWT by calling

$request->data.

Conclusion

The JWT authentication method can make your web applications more secure and reliable. In this article, we covered how to use the Firebase JWT PHP library to create and validate JWTs in ThinkPHP6.

We created a class named Token, which is used to handle JWT related work, and added a middleware for validating JWT and setting data. Finally, we set up the routing and controller code that uses this middleware to access the data stored in the JWT.

The main purpose of introducing JWT authentication is to ensure that resources in the application can only be used by authenticated users. I hope this article helped you understand how to use JWT authentication to secure your application!

The above is the detailed content of Using JWT validation in ThinkPHP6. For more information, please follow other related articles on the PHP Chinese website!