Authentication+Algorithm/Encryption+HTTPS

  • Core concepts (authentication method, encryption/decryption, HTTPS)
  • How JWT works
  • Node.js integrated JWT

Authentication method:


  • Advantages of JWT: easy to extend, works for mobile devices, supports cross-application calls, secure, and can carry rich information.
    Disadvantages: refresh and expiry handling, the payload should not be too large, and exposure to man-in-the-middle attacks

  • Advantages of session/cookie: easy to extend, simple
    Disadvantages: low security, low performance, server-side storage, hard to synchronize sessions across multiple servers (requires a service such as Redis), and hard to use across platforms.
  • OAuth 2.0 (third-party login, such as WeChat or GitHub QR-code login)
    Advantages: open, secure, simple, and scoped permissions
    Disadvantages: requires an additional authorization server and extra network requests

What is JWT

The full name of JWT is JSON Web Token. A JWT consists of three parts: Header, Payload, Signature.

  • The header
    specifies the algorithm used to sign the token and the type of the token.
    {
    	"alg":"HS256",
    	"typ":"JWT"
    }
    
  • The payload
    carries the user information held in the token, such as the user name and the expiration time.
    {
    	"sub":"2021-01-01",
    	"name":"zyy",
    	"admin":true
    }
    
  • The signature
    is computed over the base64url-encoded header and the base64url-encoded payload, joined by a ".", using the secret and the algorithm named in the header; the result is the third part of the token:
    HMACSHA256( base64UrlEncode(header) + "." + base64UrlEncode(payload), secret )

JWT features

  • Resists CSRF (CSRF forges requests by relying on cookies that the browser sends automatically; a JWT sent in a header is not attached that way)
  • Suitable for mobile applications (native apps in particular, since cookies depend on a browser to store them)
  • Stateless, encoded data

jwt online verification: https://jwt.io/


Algorithm/Encryption

Algorithm:
The instructions in an algorithm describe a computation: when it runs, it starts from an initial state and an initial input (possibly empty), passes through a finite sequence of clearly defined states, produces a final output and stops in a final state. (Similar to a function.)
Encryption:
The basic process of data encryption is to process the original plaintext file or data according to a certain algorithm to make it an unreadable piece of code, usually called "ciphertext". Through this approach, the purpose of protecting data from being stolen and read by unauthorized persons is achieved.

HTTPS

The secure transfer protocol HTTPS
HTTPS (HyperText Transfer Protocol Secure) is often referred to as HTTP over TLS, HTTP over SSL or HTTP Secure. It is a transmission protocol for secure communication through a computer network.

API security design

  • Communication channel encryption: use HTTPS
  • Communication data encryption: ciphertext + encrypted key data
  • Communication security strategy: authorization middle layer, attempt limits, expiration strategy...

Origin blog.csdn.net/weixin_40693643/article/details/113810681