Jwt Auth

Understanding JWT (JSON Web Tokens)

JWTs, or JSON Web Tokens, are secure tokens sent with each request or response to ensure that the data between parties remains unchanged. Their simplicity and efficiency make them one of the most commonly used methods for user authentication and authorization.

Parts of a JWT

A JWT consists of three parts:

1. Headers: This contains the type of token and the algorithm used.
2. Payload: This contains user information like email, some permissions, and the token’s issuance and expiration dates.
3. Signature: This is a hashed combination of the headers and payload, plus a secret known only to the server.

The headers and payload are Base64 encoded and can be decoded using any Base64 decoder online, so sensitive information like passwords should not be included in them.

Signature

The signature is created by hashing the first two parts (headers and payload) with a secret. This secret is known only to the server and is usually stored in environment variables. The more complex the secret, the stronger the JWT.

Using JWT for Authentication and Authorization

Traditional User Authentication

Previously, user authentication followed these steps:

1. The user logs in with their email and password.
2. The server verifies the credentials and assigns a session ID to the user, storing it in the database.
3. The server sends the session ID to the user, and the browser stores it.
4. With each request, the user sends the session ID to the server.

This approach has two main issues:

1. The server needs to check the session ID against the database with each request, which consumes time and resources.
2. Sessions are vulnerable to cross-site attacks.

JWT Authentication

JWT addresses these issues differently:

1. The user logs in with their email and password.
2. The server verifies the credentials and creates a JWT without storing it on the server.
3. The JWT is sent to the user, and the browser stores it.
4. With each request, the user sends the JWT to the server.

How JWT Solves These Issues

1. Database Checks: The server doesn’t need to query the database with each request. Instead:

   • The server computes the hash of the headers and payload using the secret.
   • It compares this hash with the signature sent in the JWT.
   • If they match, the user’s identity is confirmed, as any tampering with the headers, payload, or secret would result in a different hash.

2. Cross-Site Attacks: This can be mitigated by including a specific type of security token in the payload called CSRF (Cross-Site Request Forgery) token. This ensures that the request originated from the correct site and verifies that the token hasn’t been tampered with.

Disadvantages of JWT

While JWT is efficient and easy to use, it has some trade-offs:

1. Revocation: It is challenging to revoke a JWT once the server generates it. Therefore, it is advisable to set a short expiration time for the token, prompting the user to log in again to generate a new token.
2. Payload Size: Since the JWT is sent with each request, a large payload increases the request size, negatively impacting network latency and bandwidth.
3. Implementation Ease: JWTs are straightforward to use and implement with ready-made libraries. You only need to specify the secret to use.

By understanding these core concepts, you can effectively utilize JWT for secure and efficient user authentication and authorization in your applications.