Json Web Token Authentication JWT Explained Securing API

hang on guys hold on welcome to a new video tutorial from IP Lewis do this one we're gonna explain the JSON web token authentication technique if you're not familiar with that we're gonna just walk you briefly on that I'm gonna explain what is it in whites very very important for api's or for everybody or actually for anybody wants to get into web development and like API is an authentication and want to understand what is that and if you are already familiar with this it's just kind of an authentication system it's called JSON web tokens it's new authentication system if you ma are familiar with cookies or tokens authentication system where like the user typed his credentials unlike a login form his username and password and click Submit then automatically the website or your website or your application one application just gonna create that token specifically for that user using the credentials of the user then started and like this is like hashed on algorithm using hashing algorithm you just convert his tokens into a really like long token it was in the different hash or encoding algorithms then you put it on the cookie on every time he'd submit a request on your server to check whether or not he's logged in or whether or not he's the person who needs to be in order to access some resource under the server you're just gonna check for this cookie and stuff like this it's pretty much for the JSON web token but what didn't work token or one we need two adjacent what you're currently using cookies for our cookies Joker cookies authentication for authenticating between a client and a server there's like couple freezers in here just for like the the JSON web token wants to need or one necessarily need the server to keep the token or held the sort of token on a database on the other hand for the token authentication technique the cookie is on to get the token on occasion technique from the server it needs to hold the the token on database then when the girl the users submit or try to connect to the server or do something to the server he compared the tokonoma cookie stored on the client side or on the client computer with the server one which is stored in the database but for the JSON web token it won't need that because every single data it's gonna be like on the token itself so we're on me to keep track of the token on the server side which is a really nice thing and make it really really more secure than that also it is X cos x es earth and CSS secure so if you're not if you are familiar with this vulnerabilities in here so hopefully for the JSON web tokens it has a three major part composed of three major parts there is the header which is holding the type of the Hudson authentication so you're like the authentication or the encoded arguments are used to encode the data using data into that token so they're gonna be stored on the header and the payload gonna have the user data so let's say the email they use your name the phone name whatever they're gonna be puts in the hip a lor then you're gonna check against it then there's the signature and the signature just means your passcode so yeah actually rather than the user's password so you don't need to put the user's password in the payload because it's just less secure and you can use a knowledge signature so like a passcode for every single token on your server or for every single user gonna like register in your server so give it like a passcode or no js' application or any any like password in a let's say password or a passcode and it gives gonna encrypt the whole thing using this signature thing and as I said it's form using header then a dot pelo dot a signature how symbols that this is how Jason what chunk is actually worth and it's super super useful so if you go in here like not on my website and the JSON web token website the main website actually we can sell thus the date it's called like Jason DW T dot IO you can check this one so here if we can go there's the encoded like this the encoder jayson werth token and this like Watts represents this the payload and the signature you put so for for this what it does it used EMC 256 event the base 64 your long encourage encode the header then the payload then the seeker you put in here so the secret you put whatever super it needs is just a very simple example in you but I really recommend going luck with a really complicated secret in here or Pascal for making sure no one gonna break this out and obviously this how it's gonna look at the end you're talking this is how we going to look so when absolutely let's say the ears you logged in to keep track of the usual so when let's say you have a service and the user log in to your service to access the API so probably we want the user from when he logged in and from now on he can access the the resource of the world of the server option so he can like I don't know get the data stored on the server get his username like you put or submit a post request for taken easy the username yeah yeah you have a lot of other things so to keep track of that you can put this Chokin on a cookie or local storage with a browser so you can just keep checking this and over and over again and as I've said you don't need to keep this racket or you don't need to keep track of this Chokin on the server just keep it on the client sign thank you or then you can check or do some checking on the server side whenever the user we use or trying to submit so enough talking actually let's just see a very brief example in here I'm using I know Jason here and the JSON web token module for doing that I've set up a very basic server as you can see as you can see using Express so that server using an API I'm having here like a very very simple data so just put in accounts the other this is the private dealer so on the server let's say this like a private dealer stored on the server and I'm putting our routes forward slash user data so when anyone actually try to put your domain name then user data access the user data he gets a login required so he gets a check in first so if his logged in then he can get the data successfully whether if not is not then so he can't get the data and he can't like a message you're not authenticated or you're not having the right to access this server resources simples this this how it can be done so like this like for demonstration things I'm putting this in here so just to return this and user login required and how actually this is working so I'm putting the here for the route off sign in and I'm putting a post request so if you're not familiar with this like how it works the abroad or if you can't understand any of fast I really do recommend going checking these series on my channel so just give a look for its nodejs or you can find a link in description below no genius and you can just tell or watch the video of making a basic server you cannot understand all of these kind of things in how he works and middle worlds and all the kind of things they don't come back over here to understand what actually doing so we're putting a round sign in let me put in a post request and we're checking actually in here so we're doing if request body use your name not equals to user data let's say this is the user data stored on your database make sure to store in database just like for demonstration purposes I'm storing it in here as you can see so if the user name like he can actually sign in and the password they all match the data stored on the database then we can return this like an arrow since the the other just doesn't equal actually it's not the same so we've shown could not login about the username or password and you can do a lot of other things in here but this is how it basically works then the other thing so let me just go back over here and they'll go think if the user so request of a user and from what is actually coming if we go coming here I have in a middle world so as I've said if you're not familiar with that go we check in the no GS series on my channel to understand all these kind of things happening in here so for the middle row what we're doing is checking if request headers so the request has a headers and the Hitler's two authors the authorization and other stage and splits were displaying the authorization to JSON WT and like we're verifying the token in here so probably like we get GWT and we're getting taste JSON the total actual token actually so whatever put in the header or putting the token into the header so then we're checking in that token is valid if it's valid we're gonna let the e use your pass it's not valid we're gonna just let him tell him to sign in so here we're using GWT verify and we are verifying the headers so request headers the authorization and split by one so here this is the actual token we're gonna we're gonna like send in with a request on the header so under the authorization feel so putting in that we're gonna check it against GWT signature and this is what I was talking about this is the pass code we're gonna check against so this is the pass code it can put any custom pass code in here so we must the token you you sent to the user and you're checking against it must be the same actually so to make sure that everything gonna go smoothly is successful in you and we're gonna just go oh god get a callback if then error happens we just gonna say request all user issues in define and which means the the token does not match for the token does not exist so we're just setting the request --use your it wasn't defined else we put the actual decoded token in here which means this gonna hold the user's information then we panic just gonna get into the next request and here we're just saying if net if if not does not exist this headers authorization we're just gonna put the user to and define it the simple stance this is how using what choking actually verifies using the GWT beautiful if you're using any other programming language make sure to have or use your librarian here I'm requiring this module from the know GS NPM library so as I've almost saying you its symbols that you put the token you put the pass code you off your token then you get verified ifs match then you're gonna get the callback with no error else you're gonna get the error which says the user it wasn't define it then on the sign-in in here we're actually doing when the sign in which means the user isn't defined in the user has no token which may is the request dot users equals to n define it must equal so define and we're gonna just send success user logged an and we're gonna put or sign the credentials we use the GWT sign-in method or sign method we put in the payload and here is can sell this is the payload we're not dealing with the header or anything also just dealing with the Payoneer and the pass code which means or the signature part if your are in here if we go back here we're dealing only with the payload and the signature part if the header is already being set for us you can change the set headers in here but it doesn't really need to because it's already been set enough for us for the best algorithms or encryption angular's to be used for this for signing our credentials so here make sure to not put any like sensitive data here like passwords or something like that just put the username and email or you know other data are not so set of as passwords because this can be like decrypted so you don't want to your password to get leaks and if you want to this not get too corrupted you can use any other algorithms that's doesn't support two ways of hash encryption which means it cannot be decrypted actually only encrypted ones and like create or public private shared keys and stuff like that you can learn more about this from the official website but here this how the way each works so we send in the token this sign method gonna return token after