Node Auth Tutorial (JWT) #10 - JSON Web Tokens (theory)
Skills:
Auth & Authorisation60%
Key Takeaways
Explains the theory of JSON Web Tokens for user authentication in Node.js applications
Full Transcript
so imagine that we want to log into our application from the browser well first of all the user logs in via a web form from our website which sends a request to the server with their credentials an email and a password the server then checks those credentials the email and password against those stored in a database for that user now if they are correct the server then creates a json web token for the user and it sends it to the browser where it can be stored in a cookie the json web token contains encoded data about that user to identify them so for as long as they have this token in the cookie then they are considered logged in and authenticated so now the user has this json web token stored in a cookie in their browser now remember cookies are sent to the server by the browser for every request they make eg for new pages on the website so when the server gets that token from the cookie in the request it can verify it and decode it to identify the user now if it is verified to be a valid token the user can be seen as logged in by the server and the server can then decide to show the user protected data or pages which require the user to be authenticated if the token is missing or not valid the use is not authenticated and the server can send back some kind of error or direct them to the login page or something now this process is a little bit more complex under the hood but we're going to look at each stage in detail as we create the authentication process and like i mentioned in the last video there is a pitfall to watch out for when using jwt's inside cookies for authentication it does potentially open up your site to cross-site request forgery attacks now that basically means that a malicious site can take a user's authentication cookie and then make requests to our server posing as that user now if our server exposes state changing end points then this is a security risk because it means that the malicious site can then manipulate your user data and potentially access more of it now in our case we won't be exposing any state changing endpoints that require authentication so there is minimal risk for us but for larger more complex websites with state changing end points you will want to negate that security risk as best as possible so i'll leave a link below with more information about that which i highly suggest that you read for now let's talk a little bit more about how these json web tokens are created and verified okay then so i'm on the jwt website which is jwt dot io and this is a really nice place to see how tokens are made as well as for debugging tokens as well so if we scroll down here right here we can see a json web token which is basically an encoded long string of characters made up of three parts you see we've got three different colours right the red the purple and the blue and they correspond to these three different parts which are the decoded versions of those three strings so the first one the red part that is the token header which is a bit like metadata for the token now the second part is the payload and that is data that is encoded into the jwt now this could be a user id to identify the user so that when it's decoded on the server we know which user is going to be logged in now it's important that no sensitive data is put inside this payload in case a token is intercepted by somebody because it can be decoded by anyone that knows how now the last part is the thing that kind of ties everything together and we're going to talk about this a little bit more in a minute that is a signature and that is used to verify the token on the server now notice this if i change something over here for example in the payload then all of this changes on the left as well so changing the data embedded inside of this changes the resulting encoded token so this token this is the thing that is created on a server and then sent to the browser and potentially stored in a cookie so now what i'd like to do is explain how this kind of works under the hood and explain what this signature is for right here okay then so we know the three different parts that jwt is made up from the headers the payload and the signature but why do we need all of those three parts and how do they all work together to authenticate and verify users well first of all the headers are needed because they tell the server what type of signature is being used it contains metadata about the token the payload is needed because when it's decoded it's going to help us identify the user on the server and it will contain something like the user id now the signature is the thing that ties everything together and it makes the jwt secure and it makes sure that tokens are not tampered with on the client it's a bit like a stamp of authenticity from the server now the way they all work together is like this when our server is creating the jwt after a user successfully logs in or signs up then it creates the header part and the payload part first and encodes them both then to sign the token or to add the signature it takes both of those two parts and it hashes them together with something called a secret which is a secure secret string stored on the server now this secret must remain a secret because it's the key to unlocking the jwt and the only way to verify a token so you would never publish the secret to any kind of public repository where anyone could see it so when those three things are hashed together it creates the token signature now the token signature is then added to the end of the jwt after the other two parts and it can be sent to the browser so the actual hashed resulting token would look something like this so our jwt is then added into a cookie and sent and stored in a browser so for any subsequent request to the server the token is then received by the server inside that cookie the server can then verify this token on every request by looking at the header and the payload and hashing them with the secret which remember is stored on the server if the hashed value of those two things with the secret matches the signature which remember is also the hashed value of those two parts and the secret it knows then that it's valid and the jwt has not been tampered with on the client if the jwt had been tampered with on the client for example the data in the payload modified then those two parts either the header or the payload would have been changed right the encoded parts and when they're hashed together with the secret they would not match whatever the token signature is and therefore we would say hey no you're not logged in you're not authenticated anymore so this whole process of signing and verifying jwts might sound a little bit complicated but with the help of the json web token package that we're going to install soon it's actually really really easy to implement so anyway that's a bird's eye view of the authentication process that we'll be using with jwts and we'll start that process in the next video
Original Description
hey gang, in this node authentication tutorial we'll talk a little bit more about JSON web tokens (JWTs) and how we can use them to authenticate users.
Read about CSRF - https://owasp.org/www-community/attacks/csrf
🐱👤🐱👤 JOIN THE GANG -
https://www.youtube.com/channel/UCW5YeuERMmlnqo4oq8vwUpg/join
----------------------------------------
🐱💻 🐱💻 My Udemy Courses:
+ Modern JavaScript - https://www.thenetninja.co.uk/udemy/modern-javascript
+ Vue JS & Firebase - http://www.thenetninja.co.uk/udemy/vue-and-firebase
+ D3.js & Firebase - https://www.thenetninja.co.uk/udemy/d3-and-firebase
🐱💻 🐱💻 Course Files:
+ https://github.com/iamshaunjp/node-express-jwt-auth
🐱💻 🐱💻 Other Related Free Courses & Links:
+ Node.js Cash Course - https://www.youtube.com/watch?v=zb3Qk8SG5Ms&list=PL4cUxeGkcC9jsz4LDYc6kv3ymONOKxwBU
+ Get VS Code - https://code.visualstudio.com/
+ JWT Debugger - https://jwt.io/
🐱💻 🐱💻 Social Links:
Facebook - https://www.facebook.com/thenetninjauk
Twitter - https://twitter.com/thenetninjauk
Instagram - https://www.instagram.com/thenetninja/
Watch on YouTube ↗
(saves to browser)
Sign in to unlock AI tutor explanation · ⚡30
Playlist
Uploads from Net Ninja · Net Ninja · 0 of 60
← Previous
Next →
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
Regular Expressions (RegEx) Tutorial #14 - Matching a Username
Net Ninja
Regular Expressions (RegEx) Tutorial #15 - Email RegEx Pattern
Net Ninja
Regular Expressions (RegEx) Tutorial #16 - Finishing Touches
Net Ninja
GraphQL Tutorial #1 - Introduction to GraphQL
Net Ninja
GraphQL Tutorial #2 - A Birdseye View of GraphQL
Net Ninja
GraphQL Tutorial #3 - Project (stack) Overview
Net Ninja
GraphQL Tutorial #4 - Making Queries (front-end preview)
Net Ninja
GraphQL Tutorial #5 - Express App Setup
Net Ninja
GraphQL Tutorial #6 - Setting up GraphQL
Net Ninja
GraphQL Tutorial #7 - GraphQL Schema
Net Ninja
GraphQL Tutorial #8 - Root Query
Net Ninja
GraphQL Tutorial #9 - The Resolve Function
Net Ninja
GraphQL Tutorial #10 - Testing Queries in Graphiql
Net Ninja
GraphQL Tutorial #11 - GraphQL ID Type
Net Ninja
GraphQL Tutorial #12 - Author Type
Net Ninja
GraphQL Tutorial #13 - Type Relations
Net Ninja
GraphQL Tutorial #14 - GraphQL Lists
Net Ninja
GraphQL Tutorial #15 - More on Root Queries
Net Ninja
GraphQL Tutorial #16 - Connecting to mLab
Net Ninja
GraphQL Tutorial #17 - Mongoose Models
Net Ninja
GraphQL Tutorial #18 - Mutations
Net Ninja
GraphQL Tutorial #19 - More on Mutations
Net Ninja
GraphQL Tutorial #20 - Updating the Resolve Functions
Net Ninja
GraphQL Tutorial #21 - GraphQL NonNull
Net Ninja
GraphQL Tutorial #22 - Adding a Front-end
Net Ninja
GraphQL Tutorial #23 - Create React App
Net Ninja
GraphQL Tutorial #24 - Book List Component
Net Ninja
GraphQL Tutorial #25 - Apollo Client Setup
Net Ninja
GraphQL Tutorial #26 - Making Queries from React
Net Ninja
GraphQL Tutorial #27 - Rendering Data in a Component
Net Ninja
GraphQL Tutorial #28 - Add Book Component
Net Ninja
GraphQL Tutorial #29 - External Query File
Net Ninja
GraphQL Tutorial #30 - Updating Component State
Net Ninja
GraphQL Tutorial #31 - Composing Queries
Net Ninja
GraphQL Tutorial #32 - query variables
Net Ninja
GraphQL Tutorial #33 - Re-fetching Queries
Net Ninja
GraphQL Tutorial #34 - Book Details Component
Net Ninja
GraphQL Tutorial #36 - Styling the App
Net Ninja
GraphQL Tutorial #35 - Making a Single Query
Net Ninja
Build Apps with Vue & Firebase - Udemy Course
Net Ninja
Updated Vue & Firebase Course (Udemy)
Net Ninja
Vue & Firebase Real-time Chat (Preview) #1 - Intro
Net Ninja
Vue & Firebase Real-time Chat (Preview) #2 - Project Structure
Net Ninja
Vue & Firebase Real-time Chat (Preview) #3 - Firestore Setup
Net Ninja
Vue & Firebase Real-time Chat (Preview) #4 - Welcome Screen
Net Ninja
Vue & Firebase Real-time Chat (Preview) #5 - Props in Routes
Net Ninja
Vue & Firebase Real-time Chat (Preview) #6 - Route Guards
Net Ninja
Vue & Firebase Real-time Chat (Preview) #7 - Chat Window
Net Ninja
Vue & Firebase Real-time Chat (Preview) #8 - New Message Component
Net Ninja
Object Oriented JavaScript Tutorial #1 - Introduction
Net Ninja
Object Oriented JavaScript Tutorial #2 - Object Literals
Net Ninja
Object Oriented JavaScript Tutorial #3 - Updating Properties
Net Ninja
Object Oriented JavaScript Tutorial #4 - Classes
Net Ninja
Object Oriented JavaScript Tutorial #5 - Class Constructors
Net Ninja
Object Oriented JavaScript Tutorial #6 - Class Methods
Net Ninja
Object Oriented JavaScript Tutorial #7 - Method Chaining
Net Ninja
Object Oriented JavaScript Tutorial #8 - Class Inheritance
Net Ninja
Object Oriented JavaScript Tutorial #9 - Constructors (under the hood)
Net Ninja
Object Oriented JavaScript Tutorial #10 - Prototype
Net Ninja
Object Oriented JavaScript Tutorial #11 - Prototype Inheritance
Net Ninja
More on: Auth & Authorisation
View skill →Related Reads
📰
📰
📰
📰
Java: Word to TXT Conversion
Dev.to · Jeremy K.
The New HTTP QUERY Method: How to Use It in Node.js and Express Today
Dev.to · Dev Encyclopedia
2 @Transactional Traps That Catch Even Senior Java Developers in interviews
Dev.to · Nikhil Kamani
10th Anniversary of the Excelize Open Source, New ersion 2.11.0 Released
Dev.to AI
🎓
Tutor Explanation
DeepCamp AI