yurii's journal

The idea

This was a simple idea I had, keeping in mind that most web processes are abstracted away from new programmers. That made me look into how web authentication practices work and how I could implement them. It was also a way to get reacquainted with raw SQL, as my contact with it had been blown away by sophisticated ORMs.


You can see my results in my GitHub repo.


What did I get from it?

Token-based authentication, specifically JWT, uses a process built from the following items:



These create a three-part token, separated by periods, that contains:


A base64-encoded header, then a dot, a base64-encoded payload, then a dot, and finally a signature over the previous two parts (joined by a dot), computed with a key using the algorithm defined in the header.


Failures

I didn't think much about validation at first, so I only implemented the simple checks: reading the owner of the token and who sent it, and validating the expiration time in it. There is actually much more to it, which made my implementation not very secure, but it was a good try for a first timer.
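To make the token structure and the validation concrete, here is an added example (not code from the journal's repo) that builds the three-part header.payload.signature token described above and verifies it the way the failures section suggests it should be: checking the signature before trusting any claim, pinning the algorithm instead of trusting the header, and rejecting expired tokens. The signing key and the `now` parameter are constructed for the example.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed signing key for this example only; a real service loads it from a secret store.
SECRET = b"example-signing-key-not-for-production"

def _b64url(data: bytes) -> str:
    # JWT uses URL-safe base64 with the '=' padding stripped.
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def _b64url_decode(text: str) -> bytes:
    # Restore the padding removed by _b64url before decoding.
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def encode_jwt(payload: dict, key: bytes) -> str:
    # Part 1: header naming the algorithm; part 2: the claims (both compact JSON).
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = ".".join(
        _b64url(json.dumps(obj, separators=(",", ":")).encode()) for obj in (header, payload)
    )
    # Part 3: HMAC-SHA256 over "header.payload", keyed with the server secret.
    sig = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)

def verify_jwt(token: str, key: bytes, now=None) -> dict:
    """Return the claims if signature and expiry check out; raise ValueError otherwise."""
    header_b64, payload_b64, sig_b64 = token.split(".")  # ValueError unless exactly three parts
    # The server fixes the algorithm; the header must match it, not choose it.
    if json.loads(_b64url_decode(header_b64)).get("alg") != "HS256":
        raise ValueError("unexpected algorithm")
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode("ascii"), hashlib.sha256).digest()
    # Constant-time comparison of the recomputed and presented signatures.
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(payload_b64))
    # 'exp' is a Unix timestamp; reject the token once that moment has passed.
    if "exp" in claims and (now if now is not None else int(time.time())) >= claims["exp"]:
        raise ValueError("token expired")
    return claims

def is_valid(token: str, key: bytes, now=None) -> bool:
    # Convenience wrapper: True when verify_jwt accepts the token, False on any rejection.
    try:
        verify_jwt(token, key, now)
        return True
    except ValueError:
        return False
```

Passing `now` explicitly makes the expiry check deterministic in tests; in production leave it unset so the current time is used.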


To implement

I plan to secure it in a later version, and also to add refresh tokens to understand the differences and have more control in future projects over how and who accesses my applications.