JWT-Introduction.md

  1
  2
  3
  4
  5
  6
  7
  8
  9
 10
 11
 12
 13
 14
 15
 16
 17
 18
 19
 20
 21
 22
 23
 24
 25
 26
 27
 28
 29
 30
 31
 32
 33
 34
 35
 36
 37
 38
 39
 40
 41
 42
 43
 44
 45
 46
 47
 48
 49
 50
 51
 52
 53
 54
 55
 56
 57
 58
 59
 60
 61
 62
 63
 64
 65
 66
 67
 68
 69
 70
 71
 72
 73
 74
 75
 76
 77
 78
 79
 80
 81
 82
 83
 84
 85
 86
 87
 88
 89
 90
 91
 92
 93
 94
 95
 96
 97
 98
 99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
# Intro to JWT

JSON Web Tokens (JWTs) are a popular way of granting temporary access to resources in web applications. They are commonly used to authenticate and authorize users, and can be used to grant access to certain features or resources in your application.

JWTs are essentially a compact, URL-safe way of transmitting information between parties. They consist of three parts: a header, a payload, and a signature. The header typically contains information about the algorithm used to sign the token, the payload contains the actual data being transmitted, and the signature is used to verify the authenticity of the token.

To issue a JWT to a user, you'll need to first authenticate the user and generate a token that contains the relevant user information and access permissions. This process typically involves the following steps:

1. On the server-side (in Python), you'll need to generate a token that contains the user's information and access permissions. This can be done using a library like PyJWT, which provides a simple interface for generating and verifying JWTs.

Here's an example of how you might generate a JWT in Python:

```python
import jwt
import datetime

# Generate a JWT for the authenticated user
def generate_jwt(user_id):
    # Set the expiration time for the token (in this case, 1 hour)
    expiration_time = datetime.datetime.utcnow() + datetime.timedelta(hours=1)

    # Set the payload for the token
    payload = {
        'user_id': user_id,
        'exp': expiration_time
    }

    # Generate the token using a secret key
    token = jwt.encode(payload, 'my_secret_key', algorithm='HS256')

    return token
```

This function generates a JWT that includes the user ID and an expiration time of 1 hour. The token is signed using a secret key that is known only to the server.

2. On the client-side (in JavaScript), you'll need to store the token in a secure location (such as a cookie or local storage) and include it in the headers of any requests to the server that require authentication.

Here's an example of how you might store the token in a cookie in JavaScript:

```javascript
// Store the JWT in a cookie
function setTokenCookie(token) {
  // Set the expiration time for the cookie (in this case, 1 hour)
  const expirationTime = new Date(new Date().getTime() + 60 * 60 * 1000);

  // Set the cookie value
  document.cookie = `jwt=${token}; expires=${expirationTime.toUTCString()}; path=/`;
}

```

This function sets a cookie named 'jwt' that contains the JWT and an expiration time of 1 hour.

3. On the server-side (in Python), you'll need to verify the authenticity of the token and ensure that the user has the required access permissions for the requested resource.

Here's an example of how you might verify the JWT in Python:

```python
import jwt

# Verify the JWT and extract the user ID
def verify_jwt(token):
    try:
        # Verify the token using the secret key
        payload = jwt.decode(token, 'my_secret_key', algorithms=['HS256'])

        # Extract the user ID from the payload
        user_id = payload['user_id']

        return user_id
    except jwt.ExpiredSignatureError:
        # Handle the case where the token has expired
        raise Exception('Token has expired')
    except jwt.InvalidTokenError:
        # Handle the case where the token is invalid
        raise Exception('Invalid token')

```

This function verifies the authenticity of the JWT using the secret key and extracts the user ID from the payload. If the token has expired or is invalid, an exception is raised.

4. On the client-side (in JavaScript), you'll need to include the JWT in the headers of any requests that require authentication. This can be done using the `Authorization` header and the `Bearer` authentication scheme.

Here's an example of how you might include the JWT in a fetch request in JavaScript:

```javascript
// Make a request to a protected resource
function fetchData() {
  const token = getTokenCookie();

  fetch('/api/data', {
    headers: {
      'Authorization': `Bearer ${token}`
    }
  })
    .then(response => response.json())
    .then(data => console.log(data))
    .catch(error => console.error(error));
}
```

This function retrieves the JWT from the cookie and includes it in the `Authorization` header of the fetch request using the `Bearer` authentication scheme.

5. It's important to consider the security implications of using JWTs in your application. In particular, you'll need to ensure that the secret key used to sign the tokens is kept secure and that the tokens themselves are protected from interception and misuse.

Here are some best practices to follow when using JWTs:

* Use a strong, unique secret key for each application and keep it secure.
* Set appropriate expiration times for the tokens to minimize the risk of misuse.
* Use HTTPS to encrypt traffic between the client and server to protect against interception.
* Store tokens securely on the client side (e.g., in an HttpOnly cookie) to prevent theft or tampering.
* Validate the contents of the token on the server side to prevent unauthorized access.

In summary, using JWTs can be an effective way to grant temporary access to resources in your web application. By following best practices for token generation and security, you can ensure that your application remains secure and protected from unauthorized access.

Ron says:
> Help me understand what "claims" I should use in the body when designing my JWT authorization scheme. I have two user personas. In one case, a "rep" would be able to access and edit any resources associated with a particular "vendor". In the other case, a "host" would be able to access and edit all resources. Provide some example client-side code using JavaScript and some example server-side code using Python for accessing and securing these resources. Assume the client-side is a multi-page application interacting with a REST API backend.


In JWTs, the "claims" are essentially key-value pairs that contain information about the token and the user. Claims are defined in the payload of the JWT, and can be used to specify user attributes such as their role or permissions.

For the scenario you've described, you might use the following claims:

* `sub` (subject): This claim identifies the user for whom the token was issued. In your case, the sub claim could contain the user ID or email of the authenticated user.
* `exp` (expiration time): This claim specifies the time at which the token should expire. You can set this to a relatively short time (e.g., 15 minutes) to limit the amount of time that the token is valid.
* `iss` (issuer): This claim identifies the entity that issued the token. This could be your application or authentication service.
* `aud` (audience): This claim specifies the intended audience for the token. This could be your API server or a particular endpoint.
* `role`: This claim specifies the role or permissions of the user. In your case, you might use the role claim to indicate whether the user is a rep or host, and to determine their access permissions.

Here's an example of how you might generate a JWT for a `rep` user in Python:

```python
import jwt
import datetime

def generate_jwt(user_id, vendor_id):
    # Set the expiration time for the token (in this case, 15 minutes)
    expiration_time = datetime.datetime.utcnow() + datetime.timedelta(minutes=15)

    # Set the payload for the token
    payload = {
        'sub': user_id,
        'exp': expiration_time,
        'iss': 'myapp',
        'aud': 'myapi',
        'role': 'rep',
        'vendor_id': vendor_id
    }

    # Generate the token using a secret key
    token = jwt.encode(payload, 'my_secret_key', algorithm='HS256')

    return token

```

In this example, the `vendor_id` claim is used to indicate the vendor associated with the `rep` user.

Here's an example of how you might generate a JWT for a host user in Python:

```python
import jwt
import datetime

def generate_jwt(user_id):
    # Set the expiration time for the token (in this case, 15 minutes)
    expiration_time = datetime.datetime.utcnow() + datetime.timedelta(minutes=15)

    # Set the payload for the token
    payload = {
        'sub': user_id,
        'exp': expiration_time,
        'iss': 'myapp',
        'aud': 'myapi',
        'role': 'host'
    }

    # Generate the token using a secret key
    token = jwt.encode(payload, 'my_secret_key', algorithm='HS256')

    return token

```

In this example, the `role` claim is set to `host`.

On the client-side (in JavaScript), you'll need to store the JWT securely and include it in the headers of any requests that require authentication. Here's an example of how you might store the JWT in a cookie and include it in a fetch request:

```javascript
// Set the JWT in a cookie
function setJwtCookie(jwt) {
  const expirationTime = new Date(new Date().getTime() + 15 * 60 * 1000);
  document.cookie = `jwt=${jwt}; expires=${expirationTime.toUTCString()}; path=/; secure; HttpOnly; SameSite=Strict`;
}

// Fetch data from the server
function fetchData() {
  const jwt = getJwtCookie();

  fetch('/api/data', {
    headers: {
      'Authorization': `Bearer ${jwt}`
    }
  })
    .then(response => response.json())
    .then(data => console.log(data))
    .catch(error => console.error(error));
}

```

In this example, the `Authorization` header includes the JWT in the `Bearer` authentication scheme.

On the server-side (in Python), you'll need to verify the JWT and ensure that the user has the required permissions to access the requested resource. Here's an example of how you might verify the JWT and extract the user information and access permissions:

```python
import jwt

def verify_jwt(token, role=None, vendor_id=None):
    try:
        # Verify the token using the secret key
        payload = jwt.decode(token, 'my_secret_key', algorithms=['HS256'])

        # Ensure that the token is intended for our application
        if payload['iss'] != 'myapp':
            raise jwt.InvalidTokenError('Invalid issuer')

        # Ensure that the token is intended for our API
        if payload['aud'] != 'myapi':
            raise jwt.InvalidTokenError('Invalid audience')

        # Ensure that the token is not expired
        if payload['exp'] < datetime.datetime.utcnow():
            raise jwt.ExpiredSignatureError('Token has expired')

        # Ensure that the user has the required role or permissions
        if role is not None and payload.get('role') != role:
            raise jwt.InvalidTokenError('Invalid role')

        if vendor_id is not None and payload.get('vendor_id') != vendor_id:
            raise jwt.InvalidTokenError('Invalid vendor')

        return payload['sub']
    except jwt.ExpiredSignatureError:
        # Handle the case where the token has expired
        raise Exception('Token has expired')
    except jwt.InvalidTokenError:
        # Handle the case where the token is invalid
        raise Exception('Invalid token')
```

In this example, the `verify_jwt` function verifies the authenticity of the JWT and checks that it is intended for your application and API. It also checks that the user has the required role or permissions (as specified by the `role` and `vendor_id` arguments). If the token is invalid or expired, or if the user doesn't have the required permissions, an exception is raised.

You can use the `verify_jwt` function to protect your API endpoints by calling it at the beginning of each endpoint function:

```python
from flask import Flask, request

app = Flask(__name__)

# Example API endpoint that requires a JWT
@app.route('/api/data')
def get_data():
    try:
        # Verify the JWT and extract the user ID
        user_id = verify_jwt(request.headers['Authorization'], role='host')

        # Get the data associated with the user
        data = get_data_for_user(user_id)

        return jsonify(data)
    except Exception as e:
        return str(e), 401
```

In this example, the `get_data` endpoint requires a `host` role and calls the `verify_jwt` function to extract the user ID and check the JWT. If the JWT is valid and the user has the required role, the endpoint returns the data associated with the user.