3.4.3.Securing API with Tokens & JWT

Token based authentication
- 1.Client向API server索取token
  - 如果body中的name, password符合則用secret加密新的payload (Base64)後形成的token, 回傳給Client
  - 如果body中的name, password不符合則回401
- 2.Client將token放到header, 向API server索取資料
  - 如果header中的token是undefined, 則回401
  - 如果header中的token在server的記憶體中不存在則視為Unauthorized, 回401
  - 如果header中的token無法被secret decode, 或是decode後的expired time超過時間則視為invalid, 從server的記憶體中將token刪除, 回401
  - 否則將token存放在server的記憶體中, 回200
Token
- Token are encoded strings used for authentication
  - hashing or private key for encryption
- Eliminates the need of sessions on the API
  - HTTP header
  - Query parameters
  - Request body
- Issuer can control the validity
  - Expiry
  - Revocation
JSON Web Token (JWT)
- 由三個部分組成
  - 1.以Base64加密Header後的字串
  - 2.以Base64加密Payload後的字串
  - 3.Signature字串
Header
- Type
  - "JWT"
- Algorithm
  - HS256, HMAC
- e.g.,
  { type: "JWT", alg" "HMAC" }
Payload (claims)
- Registered
  - iss
  - exp
  - nbf
- Public
  - name
  - Email
  - phone_number
- Private
  - agree upon by consumer & provider
- e.g.,
  { exp: "288828888", iss: "Sam", name: "John" }
Signature
- (以Base64加密Header後的字串 + "." + 以Base64加密Payload後的字串)再以secret hash過的字串

Sample code

Visual studio code
node.js

1.clone repository

git clone https://github.com/acloudfan/REST-API-security.git
cd REST-API-COURSE/
npm install

程式碼解析
- 使用套件: jwt-simple
- 流程
  - Client向API server索取token
  - 如果body中的name, password符合則用secret加密新的payload後形成的token, 回傳給Client
  - 如果body中的name, password不符合則回401
- Client將token放到header, 向API server索取資料
  - 如果header中的token是undefined, 則回401
  - 如果header中的token在Server端不存在則視為Unauthorized, 回401
  - 如果header中的token無法被secret decode, 或是decode後的expired time超過時間則視為invalid, 回401
  - 否則回200
將auth function作為middleware function, 放在middleware callback處

// JWT Token Authentication
// Part of the course on "REST API Design Development & Management"
// http://www.acloudfan.com

var     express = require('express')
var     bodyParser = require('body-parser')
var     jwtAuth = require(__dirname + '/tokens/jwtauth')
var     jwtValidate = require(__dirname + '/tokens/validator')

// Express app setup
var app = express();
app.use(bodyParser.json())
var router = express.Router();

// This is the passport middlewae function tha get called first
var  auth = jwtAuth.auth
router.post('/token',auth,function(req, res){
    res.send('token');
});

auth = jwtValidate.auth
router.get('/private',auth,function(req,res){
    res.send('Access granted to private resource!!!')
});

app.use(router);

app.listen(3000);

console.log('Listening on 3000')

Previous3.4.2.Securing API with Basic Authentication Next3.4.4.Securing API with API Key & Secret

Last updated 4 years ago

// JWT Token Authentication // Part of the course on "REST API Design Development & Management" // http://www.acloudfan.com var express = require('express') var bodyParser = require('body-parser') var jwtAuth = require(__dirname + '/tokens/jwtauth') var jwtValidate = require(__dirname + '/tokens/validator') // Express app setup var app = express(); app.use(bodyParser.json()) var router = express.Router(); // This is the passport middlewae function tha get called first var auth = jwtAuth.auth router.post('/token',auth,function(req, res){ res.send('token'); }); auth = jwtValidate.auth router.get('/private',auth,function(req,res){ res.send('Access granted to private resource!!!') }); app.use(router); app.listen(3000); console.log('Listening on 3000')