Full record of the actual simulation process of JWT login authentication-PHP Tutorial-php.cn

After careful compilation by php editor Banana, we introduce to you a popular full record of the actual development simulation process - JWT login authentication actual simulation. JWT (JSON Web Token) is an open standard for authentication. It generates a token (Token) after the user successfully logs in, and the user carries this token in subsequent requests for identity authentication. This article will provide an in-depth analysis of the implementation process of JWT login authentication and provide a comprehensive practical demonstration recording. In the process, we will take you to understand the principles of JWT and how to apply it in actual development. Whether you are a beginner or an experienced developer, you can gain valuable knowledge and practical experience from this article.

Token authentication process

As the most popular cross-domain authentication solution, JWT (JSON WEB Token) is deeply lovedDevelopers's favorite, the main process is as follows:
The client sends an account and password request to log in
The server receives the request and verifies whether the account password is passed
After successful verification, the server will generate a unique token and return it to the client.
The client receives the token and stores it in cookie or localStroge.
After that, every client When the client sends a request to the server, it will carry the token through a cookie or header
The server verifies the validity of the token and returns the response data only after passing the request

Token authentication advantages

Supports cross-domain access: Cookies do not allow cross-domain access. This does not exist for the Token mechanism, provided that the user authentication information transmitted passesHttpHeader transmission
Stateless: The Token mechanism does not need to store session information on the server side, because the Token itself contains the information of all logged-in users, and only needs to store state information in the client's cookie or local media
Wider applicability: As long as the client supports the http protocol, token authentication can be used.
No need to consider CSRF: Since it no longer relies on cookies, CSRF will not occur when using token authentication, so there is no need to consider CSRF defense

JWT structure

A JWT is actually a string, which consists of three parts: header, payload and signature. Use a dot . in the middle to separate it into three parts. Note that there are no line breaks inside the JWT.

? Header/header

header consists of two parts: The type of tokenJWT and algorithmname:HMac,SHA256,RSA

{
"alg": "HS256",
"typ": "JWT"
}

Copy after login

? Payload/Payload

##Payload part is also a jsON Object, used to store the actual data that needs to be transferred. JWT Specifies seven default fields to choose from.

In addition to the default fields, you can add any fields you want. Generally, after a user successfully logs in, the user information will be stored here

iss: Issuer
exp: expiration time
sub: topic
aud: user
nbf: not available before
iat: publication time
jti: JWT ID used to identify this JWT

{
"iss": "xxxxxxx",
"sub": "xxxxxxx",
"aud": "xxxxxxx",
"user": [
	&#39;username&#39;: &#39;极客飞兔&#39;,
	&#39;gender&#39;: 1,
	&#39;nickname&#39;: &#39;飞兔小哥&#39; 
 ] 
}

Copy after login

Signature/Signature

// 其中secret 是密钥
String signature = HMACSHA256(base64UrlEncode(header) + "." + base64UrlEncode(payload), secret)

Copy after login

Basic use of JWT

server, which can be stored in Cookie or localStorage

fetch(&#39;license/login&#39;, {
	headers: {
		&#39;Authorization&#39;: &#39;X-TOKEN&#39; + token
	}
})

Copy after login

Actual combat: using JWT login authentication

Here we use

ThinkPHP6IntegrationJWT Login authentication for actual simulation

Install JWT extension

composer require firebase/php-jwt

Copy after login

Encapsulation to generate JWT and decryption method

<?php


namespace app\services;

use app\Helper;
use Firebase\JWT\JWT;
use Firebase\JWT\Key;

class JwtService
{
protected $salt;

public function __construct()
{
//从配置信息这种或取唯一字符串，你可以随便写比如md5(&#39;token&#39;)
$this->salt = config(&#39;jwt.salt&#39;) || "autofelix";
}

// jwt生成
public function generateToken($user)
{
$data = array(
"iss" => &#39;autofelix&#39;,//签发者 可以为空
"aud" => &#39;autofelix&#39;, //面象的用户，可以为空
"iat" => Helper::getTimestamp(), //签发时间
"nbf" => Helper::getTimestamp(), //立马生效
"exp" => Helper::getTimestamp() + 7200, //token 过期时间 两小时
"user" => [ // 记录用户信息
&#39;id&#39; => $user->id,
&#39;username&#39; => $user->username,
&#39;truename&#39; => $user->truename,
&#39;phone&#39; => $user->phone,
&#39;email&#39; => $user->email,
&#39;role_id&#39; => $user->role_id
]
);
$jwt = JWT::encode($data, md5($this->salt), &#39;HS256&#39;);
return $jwt;
}

// jwt解密
public function chekToken($token)
{
JWT::$leeway = 60; //当前时间减去60，把时间留点余地
$decoded = JWT::decode($token, new Key(md5($this->salt), &#39;HS256&#39;));
return $decoded;
}
}

Copy after login

After the user logs in, a JWT identification is generated

<?php
declare (strict_types=1);

namespace app\controller;

use think\Request;
use app\ResponseCode;
use app\Helper;
use app\model\User as UserModel;
use app\services\JwtService;

class License
{
public function login(Request $request)
{
$data = $request->only([&#39;username&#39;, &#39;passWord&#39;, &#39;code&#39;]);

// ....进行验证的相关逻辑...
$user = UserModel::where(&#39;username&#39;, $data[&#39;username&#39;])->find();
		
		// 验证通过生成 JWT, 返回给前端保存
$token = (new JwtService())->generateToken($user);

return json([
&#39;code&#39; => ResponseCode::SUCCESS,
&#39;message&#39; => &#39;登录成功&#39;,
&#39;data&#39; => [
&#39;token&#39; => $token
]
]);
}
}

Copy after login

Middleware verifies whether the user is logged in

middleware in middleware.php##

<?php
// 全局中间件定义文件
return [
	// ...其他中间件
// JWT验证
\app\middleware\Auth::class
];

Copy after login

After registering the middleware, improve the verification logic in the authority verification middleware

<?php
declare (strict_types=1);

namespace app\middleware;

use app\ResponseCode;
use app\services\JwtService;

class Auth
{
private $router_white_list = [&#39;login&#39;];

public function handle($request, \Closure $next)
{
if (!in_array($request->pathinfo(), $this->router_white_list)) {
$token = $request->header(&#39;token&#39;);

try {
	// jwt 验证
$jwt = (new JwtService())->chekToken($token);
} catch (\Throwable $e) {
return json([
&#39;code&#39; => ResponseCode::ERROR,
&#39;msg&#39; => &#39;Token验证失败&#39;
]);
}

$request->user = $jwt->user;
}

return $next($request);
}
}

Copy after login

附：为什么使用jwt而不使用session

session是将客户端数据储存在服务器的内存，当客服端的数据过多，服务器的内存开销大；
session的数据储存在某台服务器，在分布式的项目中无法做到共享；
jwt的安全性更好。

总而言之，如果使用了分布式，切只能在session和jwt里面选的时候，就一定要选jwt。

The above is the detailed content of Full record of the actual simulation process of JWT login authentication. For more information, please follow other related articles on the PHP Chinese website!

Related labels：

jquery seo php programming Backend Development ASD addclass

Previous article：How to add a class in jQuery? Next article：Understand DI dependency injection in PHP in one article

Statement of this Website

The content of this article is voluntarily contributed by netizens, and the copyright belongs to the original author. This site does not assume corresponding legal responsibility. If you find any content suspected of plagiarism or infringement, please contact admin@php.cn