Full record of the actual simulation process of JWT login authentication

After careful compilation by php editor Banana, we introduce to you a popular full record of the actual development simulation process - JWT login authentication actual simulation. JWT (JSON Web Token) is an open standard for authentication. It generates a token (Token) after the user successfully logs in, and the user carries this token in subsequent requests for identity authentication. This article will provide an in-depth analysis of the implementation process of JWT login authentication and provide a comprehensive practical demonstration recording. In the process, we will take you to understand the principles of JWT and how to apply it in actual development. Whether you are a beginner or an experienced developer, you can gain valuable knowledge and practical experience from this article.

Token authentication process

• As the most popular cross-domain authentication solution, JWT (JSON WEB Token) is deeply lovedDevelopers's favorite, the main process is as follows:
• The client sends an account and password request to log in
• The server receives the request and verifies whether the account password is passed
• After successful verification, the server will generate a unique token and return it to the client.
• The client receives the token and stores it in cookie or localStroge.
• After that, every client When the client sends a request to the server, it will carry the token through a cookie or header

• The server verifies the validity of the token and returns the response data only after passing the request

Token authentication advantages

• Supports cross-domain access: Cookies do not allow cross-domain access. This does not exist for the Token mechanism, provided that the user authentication information transmitted passesHttpHeader transmission
• Stateless: The Token mechanism does not need to store session information on the server side, because the Token itself contains the information of all logged-in users, and only needs to store state information in the client's cookie or local media
• Wider applicability: As long as the client supports the http protocol, token authentication can be used.
• No need to consider CSRF: Since it no longer relies on cookies, CSRF will not occur when using token authentication, so there is no need to consider CSRF defense

JWT structure

• A JWT is actually a string, which consists of three parts: header, payload and signature. Use a dot . in the middle to separate it into three parts. Note that there are no line breaks inside the JWT.

? Header/header

header consists of two parts: The type of tokenJWT and algorithmname:H<strong class="keylink">Mac</strong>,SHA256,RSA

{
"alg": "HS256",
"typ": "JWT"
}

? Payload/Payload

##Payload part is also a js<strong class="keylink">ON </strong> Object, used to store the actual data that needs to be transferred. JWT Specifies seven default fields to choose from.

In addition to the default fields, you can add any fields you want. Generally, after a user successfully logs in, the user information will be stored here

iss: Issuer

exp: expiration time
sub: topic
aud: user
nbf: not available before
iat: publication time
jti: JWT ID used to identify this JWT

{
"iss": "xxxxxxx",
"sub": "xxxxxxx",
"aud": "xxxxxxx",
"user": [
	'username': '极客飞兔',
	'gender': 1,
	'nickname': '飞兔小哥' 
 ] 
}

?
• Signature/Signature
The signature part is the data signature of the above two parts of the header and payload data
In order to ensure that the data is not tampered with, you need to specify a key, which is generally known only to you and stored on the server.
• The code to generate the signature is generally as follows:

// 其中secret 是密钥
String signature = HMACSHA256(base64UrlEncode(header) + "." + base64UrlEncode(payload), secret)

Basic use of JWT

The client receives the JWT returned by the
• server, which can be stored in Cookie or localStorage
Then every time the client communicates with the server, it must bring this JWT
• Save the JWT in the cookie to send the request, so that it cannot cross domain
• A better approach is to put it in the HTTP request In the Authorization field of the header information

fetch('license/login', {
	headers: {
		'Authorization': 'X-TOKEN' + token
	}
})

Actual combat: using JWT login authentication

Here we use

ThinkPHP<strong class="keylink">6</strong>IntegrationJWT Login authentication for actual simulation

?

Install JWT extension

composer require firebase/php-jwt

?

Encapsulation to generate JWT and decryption method

<?php


namespace app\services;

use app\Helper;
use Firebase\JWT\JWT;
use Firebase\JWT\Key;

class JwtService
{
protected $salt;

public function __construct()
{
//从配置信息这种或取唯一字符串，你可以随便写比如md5(&#39;token&#39;)
$this->salt = config(&#39;jwt.salt&#39;) || "autofelix";
}

// jwt生成
public function generateToken($user)
{
$data = array(
"iss" => &#39;autofelix&#39;,//签发者 可以为空
"aud" => &#39;autofelix&#39;, //面象的用户，可以为空
"iat" => Helper::getTimestamp(), //签发时间
"nbf" => Helper::getTimestamp(), //立马生效
"exp" => Helper::getTimestamp() + 7200, //token 过期时间 两小时
"user" => [ // 记录用户信息
&#39;id&#39; => $user->id,
&#39;username&#39; => $user->username,
&#39;truename&#39; => $user->truename,
&#39;phone&#39; => $user->phone,
&#39;email&#39; => $user->email,
&#39;role_id&#39; => $user->role_id
]
);
$jwt = JWT::encode($data, md5($this->salt), &#39;HS256&#39;);
return $jwt;
}

// jwt解密
public function chekToken($token)
{
JWT::$leeway = 60; //当前时间减去60，把时间留点余地
$decoded = JWT::decode($token, new Key(md5($this->salt), &#39;HS256&#39;));
return $decoded;
}
}

?

After the user logs in, a JWT identification is generated

<?php
declare (strict_types=1);

namespace app\controller;

use think\Request;
use app\ResponseCode;
use app\Helper;
use app\model\User as UserModel;
use app\services\JwtService;

class License
{
public function login(Request $request)
{
$data = $request->only([&#39;username&#39;, &#39;passWord&#39;, &#39;code&#39;]);

// ....进行验证的相关逻辑...
$user = UserModel::where(&#39;username&#39;, $data[&#39;username&#39;])->find();
		
		// 验证通过生成 JWT, 返回给前端保存
$token = (new JwtService())->generateToken($user);

return json([
&#39;code&#39; => ResponseCode::SUCCESS,
&#39;message&#39; => &#39;登录成功&#39;,
&#39;data&#39; => [
&#39;token&#39; => $token
]
]);
}
}

?

Middleware verifies whether the user is logged in

Register

middleware in middleware.php##

<?php
// 全局中间件定义文件
return [
	// ...其他中间件
// JWT验证
\app\middleware\Auth::class
];

After registering the middleware, improve the verification logic in the authority verification middleware

<?php
declare (strict_types=1);

namespace app\middleware;

use app\ResponseCode;
use app\services\JwtService;

class Auth
{
private $router_white_list = [&#39;login&#39;];

public function handle($request, \Closure $next)
{
if (!in_array($request->pathinfo(), $this->router_white_list)) {
$token = $request->header(&#39;token&#39;);

try {
	// jwt 验证
$jwt = (new JwtService())->chekToken($token);
} catch (\Throwable $e) {
return json([
&#39;code&#39; => ResponseCode::ERROR,
&#39;msg&#39; => &#39;Token验证失败&#39;
]);
}

$request->user = $jwt->user;
}

return $next($request);
}
}

附：为什么使用jwt而不使用session

• session是将客户端数据储存在服务器的内存，当客服端的数据过多，服务器的内存开销大；
• session的数据储存在某台服务器，在分布式的项目中无法做到共享；
• jwt的安全性更好。

总而言之，如果使用了分布式，切只能在session和jwt里面选的时候，就一定要选jwt。

The above is the detailed content of Full record of the actual simulation process of JWT login authentication. For more information, please follow other related articles on the PHP Chinese website!