JWT Support - rwhite-rg/amazing_sample GitHub Wiki

Synopsis

This article is designed to describe:

  • What the JWT Token software is for
  • How to use it
  • Challenges that were overcome in incorporating it
  • Future ideas for expansion

Details

JWT Tokens

JWT stands for JSON Web Token. A JWT is used to identify a client after it has authenticated with an API: among other things, the token identifies the user and determines their access level. Further details are at:

How to use JWTs in this library

I designed a set of API endpoints to test and exercise the JWTs. I've included a Postman collection/environment to help, in tests/Postman/.

The endpoints:

  1. POST (api url)/api/register
       • Running this endpoint will register a new user in the database with a specific email and password
       • Returns the JWT token for the user (to chain to other parts of the API)
  2. POST (api url)/api/login
       • Running this endpoint will log a user into the API
       • Returns the JWT token for the user (to chain to other parts of the API)
  3. GET (api url)/api/users
       • Running this endpoint will get all users in the API (standard REST GET call)
       • A valid JWT token is required to access this endpoint

Steps to reproduce:

  1. Hit the /api/register endpoint to create a user
  2. Use the resulting token and hit /api/users endpoint to get users

...or...

  1. Hit the (api url)/api/login endpoint to log in with a user
  2. Use the resulting token and hit /api/users endpoint to get users
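The register-then-chain flow above as a small Python client. This is an added example, not code from the wiki or the project: it assumes a placeholder base URL for "(api url)", that the register/login reply carries the token in a JSON field named `token`, and the `Authorization: Bearer` header that tymondesigns/jwt-auth's middleware reads; the claim inspection decodes the payload for display only and does not verify the signature, which is the server middleware's job.

```python
import base64
import json
import sys
import time
import urllib.request

# Assumption (not from the wiki): base URL placeholder for the "(api url)" in the endpoint list.
API_URL = "http://localhost:8000"

def extract_token(body: bytes) -> str:
    """Pull the JWT out of the register/login JSON reply (field name `token` is assumed)."""
    token = json.loads(body).get("token")
    if not isinstance(token, str) or token.count(".") != 2:
        raise ValueError("reply did not contain a three-part JWT in `token`")
    return token

def _b64url_decode(segment: str) -> bytes:
    # JWT segments are unpadded base64url; restore the padding before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def inspect_claims(token: str) -> dict:
    """Decode header and payload for display only. This does NOT verify the signature;
    the jwt middleware on /api/users is what actually validates the token."""
    header_b64, payload_b64, _signature = token.split(".")
    header = json.loads(_b64url_decode(header_b64))
    payload = json.loads(_b64url_decode(payload_b64))
    exp = payload.get("exp")
    return {"alg": header.get("alg"), "sub": payload.get("sub"), "exp": exp,
            "expired": exp is not None and time.time() >= exp}

def auth_header(token: str) -> dict:
    """Bearer scheme read by jwt-auth's middleware on protected routes."""
    return {"Authorization": "Bearer " + token, "Accept": "application/json"}

def post_json(path: str, payload: dict) -> bytes:
    req = urllib.request.Request(API_URL + path, data=json.dumps(payload).encode(),
                                 headers={"Content-Type": "application/json", "Accept": "application/json"})
    with urllib.request.urlopen(req) as resp:
        return resp.read()

if __name__ == "__main__":
    # Step 1: register (use /api/login with the same body for the second flow on the page).
    token = extract_token(post_json("/api/register", {"email": sys.argv[1], "password": sys.argv[2]}))
    print("claims:", inspect_claims(token))
    # Step 2: chain the token into the protected GET /api/users.
    req = urllib.request.Request(API_URL + "/api/users", headers=auth_header(token))
    with urllib.request.urlopen(req) as resp:
        print(resp.read().decode())
```

Run as `python client.py user@example.com secret` against a running instance; the printed claims show whether the token actually carries `sub` and `exp` before it is chained into the protected call.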

Challenges

Using middleware as a means to set up, dispense, and validate JWT tokens can be a bit tricky. Here's a brief rundown of problems that came up:

  • Had to find a JWT auth library that was compatible and maintained for the latest version of Laravel that I was using. I've worked with tymondesigns/jwt-auth before, so I used that one.
  • The latest stable version wasn't updated enough for my needs, so I had to use Composer to get the latest dev version (dev-develop). It had the support I needed for Laravel 5.8.
  • The docs are a bit antiquated, so I had to dig a little to get the information I needed to set things up.
  • There are some tutorials for this, but some of them were using outdated information on the APIs, so I had to dig a little bit to find further information to discount the outdated tutorials.
  • I forgot that when registering middleware for only specific endpoints, you need to put the class call in the $routesMiddleware variable and not the $middleware variable. This was a result of two competing tutorials that I was trying to follow. It took me a while to figure out why even my login endpoint was trying to check the JWT tokens when trying to access it.

Future ideas

  • Need to set up repositories to offload data logic (i.e., the model calls) away from the Controller, to centralize the data logic in the Repos and keep the Controllers clean for business logic. This will improve the readability of the Controllers and allow for more domain-driven design.
  • Need to clean up the JWT tokens to use proper claims and experiment with using them as intended.