Full record of the actual simulation process of JWT login authentication

After careful compilation by php editor Banana, we introduce to you a popular full record of the actual development simulation process - JWT login authentication actual simulation. JWT (JSON Web Token) is an open standard for authentication. It generates a token (Token) after the user successfully logs in, and the user carries this token in subsequent requests for identity authentication. This article will provide an in-depth analysis of the implementation process of JWT login authentication and provide a comprehensive practical demonstration recording. In the process, we will take you to understand the principles of JWT and how to apply it in actual development. Whether you are a beginner or an experienced developer, you can gain valuable knowledge and practical experience from this article.

Token authentication process

• As the most popular cross-domain authentication solution, JWT (JSON WEB Token) is deeply lovedDevelopers's favorite, the main process is as follows:
• The client sends an account and password request to log in
• The server receives the request and verifies whether the account password is passed
• After successful verification, the server will generate a unique token and return it to the client.
• The client receives the token and stores it in cookie or localStroge.
• After that, every client When the client sends a request to the server, it will carry the token through a cookie or header

• The server verifies the validity of the token and returns the response data only after passing the request

Token authentication advantages

• Supports cross-domain access: Cookies do not allow cross-domain access. This does not exist for the Token mechanism, provided that the user authentication information transmitted passesHttpHeader transmission
• Stateless: The Token mechanism does not need to store session information on the server side, because the Token itself contains the information of all logged-in users, and only needs to store state information in the client's cookie or local media
• Wider applicability: As long as the client supports the http protocol, token authentication can be used.
• No need to consider CSRF: Since it no longer relies on cookies, CSRF will not occur when using token authentication, so there is no need to consider CSRF defense

JWT structure

• A JWT is actually a string, which consists of three parts: header, payload and signature. Use a dot . in the middle to separate it into three parts. Note that there are no line breaks inside the JWT.

? Header/header

header consists of two parts: The type of tokenJWT and algorithmname:H<strong class="keylink">Mac</strong>,SHA256,RSA

{
"alg": "HS256",
"typ": "JWT"
}

{
"iss": "xxxxxxx",
"sub": "xxxxxxx",
"aud": "xxxxxxx",
"user": [
	'username': '极客飞兔',
	'gender': 1,
	'nickname': '飞兔小哥' 
 ] 
}

// 其中secret 是密钥
String signature = HMACSHA256(base64UrlEncode(header) + "." + base64UrlEncode(payload), secret)

fetch('license/login', {
	headers: {
		'Authorization': 'X-TOKEN' + token
	}
})

composer require firebase/php-jwt

<?php


namespace app\services;

use app\Helper;
use Firebase\JWT\JWT;
use Firebase\JWT\Key;

class JwtService
{
protected $salt;

public function __construct()
{
//从配置信息这种或取唯一字符串，你可以随便写比如md5(&#39;token&#39;)
$this->salt = config(&#39;jwt.salt&#39;) || "autofelix";
}

// jwt生成
public function generateToken($user)
{
$data = array(
"iss" => &#39;autofelix&#39;,//签发者 可以为空
"aud" => &#39;autofelix&#39;, //面象的用户，可以为空
"iat" => Helper::getTimestamp(), //签发时间
"nbf" => Helper::getTimestamp(), //立马生效
"exp" => Helper::getTimestamp() + 7200, //token 过期时间 两小时
"user" => [ // 记录用户信息
&#39;id&#39; => $user->id,
&#39;username&#39; => $user->username,
&#39;truename&#39; => $user->truename,
&#39;phone&#39; => $user->phone,
&#39;email&#39; => $user->email,
&#39;role_id&#39; => $user->role_id
]
);
$jwt = JWT::encode($data, md5($this->salt), &#39;HS256&#39;);
return $jwt;
}

// jwt解密
public function chekToken($token)
{
JWT::$leeway = 60; //当前时间减去60，把时间留点余地
$decoded = JWT::decode($token, new Key(md5($this->salt), &#39;HS256&#39;));
return $decoded;
}
}

<?php
declare (strict_types=1);

namespace app\controller;

use think\Request;
use app\ResponseCode;
use app\Helper;
use app\model\User as UserModel;
use app\services\JwtService;

class License
{
public function login(Request $request)
{
$data = $request->only([&#39;username&#39;, &#39;passWord&#39;, &#39;code&#39;]);

// ....进行验证的相关逻辑...
$user = UserModel::where(&#39;username&#39;, $data[&#39;username&#39;])->find();
		
		// 验证通过生成 JWT, 返回给前端保存
$token = (new JwtService())->generateToken($user);

return json([
&#39;code&#39; => ResponseCode::SUCCESS,
&#39;message&#39; => &#39;登录成功&#39;,
&#39;data&#39; => [
&#39;token&#39; => $token
]
]);
}
}

<?php
// 全局中间件定义文件
return [
	// ...其他中间件
// JWT验证
\app\middleware\Auth::class
];

<?php
declare (strict_types=1);

namespace app\middleware;

use app\ResponseCode;
use app\services\JwtService;

class Auth
{
private $router_white_list = [&#39;login&#39;];

public function handle($request, \Closure $next)
{
if (!in_array($request->pathinfo(), $this->router_white_list)) {
$token = $request->header(&#39;token&#39;);

try {
	// jwt 验证
$jwt = (new JwtService())->chekToken($token);
} catch (\Throwable $e) {
return json([
&#39;code&#39; => ResponseCode::ERROR,
&#39;msg&#39; => &#39;Token验证失败&#39;
]);
}

$request->user = $jwt->user;
}

return $next($request);
}
}