JSON Web Token (JWT) Authentication & CSRF (Cross-site Request Forgery)

Preface

Although I have already implemented a JSON Web Token (JWT) login authentication mechanism, it is easy to forget after a while, so I have organized the framework and key concepts here.

HTTP is stateless: there is no link between two requests being successively carried out on the same connection. 

Each request is independent; the server and the client do not maintain connection state, so neither side's state is updated in real time.

This immediately has the prospect of being problematic for users attempting to interact with certain pages coherently, for example, using e-commerce shopping baskets. 

But while the core of HTTP itself is stateless, HTTP cookies allow the use of stateful sessions. 

Using header extensibility, HTTP Cookies are added to the workflow, allowing session creation on each HTTP request to share the same context, or the same state.

JSON Web Token (JWT) is an open standard (RFC 7519) that defines a compact and self-contained way for securely transmitting information between parties as a JSON object.

This information can be verified and trusted because it is digitally signed.

JWTs can be signed using a secret (with the HMAC algorithm) or a public/private key pair using RSA or ECDSA.

Although JWTs can be encrypted to also provide secrecy between parties, we will focus on signed tokens. 

Signed tokens can verify the integrity of the claims contained within it, while encrypted tokens hide those claims from other parties. 

When tokens are signed using public/private key pairs, the signature also certifies that only the party holding the private key is the one that signed it.

JWT Debugger: inspecting the token structure

Token structure (HPS) = 1. Header + 2. Payload + 3. Signature

1. Header (Base64URL encoded, reversible):

Records (1) the token type and (2) the name of the hash (signing) algorithm.

2. Payload (Base64URL encoded, reversible):

The data carried by the token.

For example: (1) user_id, (2) a timestamp, and (3) optionally the token's expiry time.

3. Signature (hash, not reversible):

Hash = Header + Payload + secret (key)

This produces an irreversible value that serves as the signature and is used to verify whether the JWT has been tampered with.

Install the packages: 1. jsonwebtoken, 2. passport-jwt

An implementation of JSON Web Tokens.

This was developed against draft-ietf-oauth-json-web-token-08. It makes use of node-jws.

A Passport strategy for authenticating with a JSON Web Token.

This module lets you authenticate endpoints using a JSON web token. 

It is intended to be used to secure RESTful endpoints without sessions.

JSON Web Token (JWT) login implementation: architecture & flow

Postman (API testing tool): JWT login test succeeded

1. Method: POST

2. URL: http://localhost:3000/api/signin

3. Body: fill in the test account as KEY-VALUE pairs

(1) email - root@example.com

(2) password - 12345678

CSRF (Cross-site request forgery) attacks

How CSRF works & the attack flow

CSRF defenses:

1. Referer check

2. Token: (1) token stored in the session, (2) token stored in a cookie

2-1. Server-side (session) performance problems caused by plain tokens & the solution (JWT)

1. Referer check

2. Token

The token login mechanism resembles cookie-session, except that the credential exchanged is a token.

(1) Token stored in the session

(2) Token stored in a cookie

2-1. Server-side (session) performance problems caused by plain tokens & the solution (JWT)

Tokens can defend against CSRF attacks, but they create server-side (session) performance problems:

(1) Scalability:

Every token is stored in the session, so as the number of users grows, memory usage and cost rise.

(2) Maintainability:

As the number of users grows, and if different servers have to be integrated, changes to the architecture become complex.

If the site has multiple subdomains, each served by a different server, and all servers must share the same tokens, a central node has to be created to store the tokens.

Advantages of JWT (solving the plain-token problems)

The server is only responsible for generating and verifying tokens; it no longer stores tokens in the session.

As a result, the scaling and maintenance costs originally borne by the server are shifted to and spread across all clients.

How JWT works

JWT flow

References

5. jsonwebtoken (npm) - Token Expiration

7. passport-jwt (npm) - passport.authenticate()

8. MDN - Authorization