Full record of the actual simulation process of JWT login authentication

After careful compilation by php editor Banana, we introduce to you a popular full record of the actual development simulation process - JWT login authentication actual simulation. JWT (JSON Web Token) is an open standard for authentication. It generates a token (Token) after the user successfully logs in, and the user carries this token in subsequent requests for identity authentication. This article will provide an in-depth analysis of the implementation process of JWT login authentication and provide a comprehensive practical demonstration recording. In the process, we will take you to understand the principles of JWT and how to apply it in actual development. Whether you are a beginner or an experienced developer, you can gain valuable knowledge and practical experience from this article.

Token authentication process

• As the most popular cross-domain authentication solution, JWT (JSONWEBToken) is deeply lovedDevelopers's favorite, the main process is as follows:
• The client sends an account and password request to log in
• The server receives the request and verifies whether the account password is passed
• After successful verification, the server will generate a unique token and return it to the client.
• The client receives the token and stores it in cookie or localStroge.
• After that, every client When the client sends a request to the server, it will carry the token through a cookie or header

• The server verifies the validity of the token and returns the response data only after passing the request

Token authentication advantages

• Supports cross-domain access: Cookies do not allow cross-domain access. This does not exist for the Token mechanism, provided that the user authentication information transmitted passesHttpHeader transmission
• Stateless: The Token mechanism does not need to store session information on the server side, because the Token itself contains the information of all logged-in users, and only needs to store state information in the client's cookie or local media
• Wider applicability: As long as the client supports the http protocol, token authentication can be used.
• No need to consider CSRF: Since it no longer relies on cookies, CSRF will not occur when using token authentication, so there is no need to consider CSRF defense

JWT structure

• A JWT is actually astring, which consists of three parts: header, payload and signature. Use a dot . in the middle to separate it into three parts. Note that there are no line breaks inside the JWT.

?Header/header

headerconsists of two parts:The type of tokenJWTandalgorithmname:HMac,SHA256,RSA

{ "alg": "HS256", "typ": "JWT" }

{ "iss": "xxxxxxx", "sub": "xxxxxxx", "aud": "xxxxxxx", "user": [ 'username': '极客飞兔', 'gender': 1, 'nickname': '飞兔小哥' ] }

// 其中secret 是密钥 String signature = HMACSHA256(base64UrlEncode(header) + "." + base64UrlEncode(payload), secret)

fetch('license/login', { headers: { 'Authorization': 'X-TOKEN' + token } })

composer require firebase/php-jwt

salt = config('jwt.salt') || "autofelix"; } // jwt生成 public function generateToken($user) { $data = array( "iss" => 'autofelix',//签发者 可以为空 "aud" => 'autofelix', //面象的用户，可以为空 "iat" => Helper::getTimestamp(), //签发时间 "nbf" => Helper::getTimestamp(), //立马生效 "exp" => Helper::getTimestamp() + 7200, //token 过期时间 两小时 "user" => [ // 记录用户信息 'id' => $user->id, 'username' => $user->username, 'truename' => $user->truename, 'phone' => $user->phone, 'email' => $user->email, 'role_id' => $user->role_id ] ); $jwt = JWT::encode($data, md5($this->salt), 'HS256'); return $jwt; } // jwt解密 public function chekToken($token) { JWT::$leeway = 60; //当前时间减去60，把时间留点余地 $decoded = JWT::decode($token, new Key(md5($this->salt), 'HS256')); return $decoded; } }

only(['username', 'passWord', 'code']); // ....进行验证的相关逻辑... $user = UserModel::where('username', $data['username'])->find(); // 验证通过生成 JWT, 返回给前端保存 $token = (new JwtService())->generateToken($user); return json([ 'code' => ResponseCode::SUCCESS, 'message' => '登录成功', 'data' => [ 'token' => $token ] ]); } }

              
After registering the middleware, improve the verification logic in the authority verification middleware
              

               

                
pathinfo(), $this->router_white_list)) { $token = $request->header('token'); try { // jwt 验证 $jwt = (new JwtService())->chekToken($token); } catch (\Throwable $e) { return json([ 'code' => ResponseCode::ERROR, 'msg' => 'Token验证失败' ]); } $request->user = $jwt->user; } return $next($request); } }
                
附：为什么使用jwt而不使用session
                

                 
session是将客户端数据储存在服务器的内存，当客服端的数据过多，服务器的内存开销大；
                 
session的数据储存在某台服务器，在分布式的项目中无法做到共享；
                 
jwt的安全性更好。
                
                
总而言之，如果使用了分布式，切只能在session和jwt里面选的时候，就一定要选jwt。