
So I'm unfortunately still trying to get a good grasp of the flow my app has to go through to provide authentication. I plan on making an Angular app with a PHP back-end. To get a JWT, a user will provide their email/password as the body of an HTTP POST request that will be made to a PHP file.

Inside that file, the database will be hit to check their credentials, and if they are valid, they will need a JWT provided to them. My question is, how will I send that JWT token to the front-end?

  • Doing a simple echo json_encode($jwt) I imagine would be a bad idea.

  • I could use PHP's setcookie() to send a cookie along with the rest of the HTTP headers. And I could set that cookie as httpOnly to make it even more secure, but I would need to add another cookie to prevent against XSRF attacks.

  • Once the client actually has the JWT token, I know I could use the Bearer authentication scheme and pass the token inside the Authorization HTTP header, and then the PHP file could grab the token by looking at the header. But could I also use the Bearer authentication scheme and use that Authorization HTTP header to pass the newly created JWT token from the PHP file to Angular?

Sorry if this is a bit confusing. If you have any questions, just post a comment.

Jacob
    Just don't include any overly sensitive data in the `$jwt` and send it back in your ajax response when the user logs in. Use it then to sign all subsequent calls (in the header) for the session. You should be using a library to parse the `$jwt` on each request (server side) and if any tampering is detected then abort the call and take any necessary action. – Simon K Jul 29 '18 at 21:57
  • Does this protect against CSRF attacks? – Jacob Jul 29 '18 at 23:41

1 Answer


What's wrong with simply setting the JWT in the cookie, or just returning the JWT, or even adding it to the response's header?

The way I see it, it all depends on how you want to read it on the client side. If we're talking about standards, well then, the header of the response or a Set-Cookie is probably the most standard way to do it, but nothing is stopping you / there isn't a rulebook against returning it as JSON, for example.

Any security validation should be on the server side of things, because nothing is stopping me or you from just manipulating the JavaScript and trying to blow up the server. Whether I receive it via json_encode, in the response's header, or even in a cookie, I will have access to it. After all, I need it to make further requests.

The thing about JWT is that underneath that string combination there is data, like username, email, (password?), and expiration_date. You can combine any information you want into the $jwt, and it's using a secret (only known to your back-end) to cypher it and then return it to the user. Whenever the user makes a request, you need to:

  1. Verify if it is receiving an authorization token (JWT) in the HTTP request.

  2. Verify if the token is valid and if the content is valid (for example, expire_date).

If you're looking for possible security breaches on this topic (and by this topic I mean authenticating and making sure the user who requested it receives the token), one of them is man-in-the-middle, but nothing that an HTTPS connection won't solve.

abr
  • You do make some valid points and remind me that using a JWT with a well-protected secret key and an HTTPS connection will do a pretty good job against security breaches. But I'm pretty sure I've read on other posts that somebody looking to perform a CSRF attack can steal the JWT token and use it to make requests to the API. Yes, they won't be able to modify the token at all due to the nature of JWTs, but they could still hypothetically overload the API with requests until the JWT expired. – Jacob Jul 29 '18 at 22:52
  • Imagine the scenario of a regular user intentionally spamming with requests, or some bad development making non-stop requests. The way to limit those would be to throttle the request limit per user, per IP, or per token on the server side. Btw, if you find that post, link me, I like reading stuff :P – abr Jul 30 '18 at 01:52
  • https://stackoverflow.com/questions/27067251/where-to-store-jwt-in-browser-how-to-protect-against-csrf – Jacob Jul 30 '18 at 02:54
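The following is an added example, not code from the question or the answer. It puts the question's three options and the answer's two verification steps into one runnable PHP file: a login function that checks credentials and mints an HS256 JWT, a response that carries the token both in the JSON body (for the `Authorization: Bearer` scheme) and in an `HttpOnly` cookie paired with a readable `XSRF-TOKEN` cookie (Angular's `HttpClientXsrfModule` reads that cookie name by default and echoes it as `X-XSRF-TOKEN` on non-GET requests to relative URLs), and an `authenticate` function for every later request. The key, TTL, cookie name `session`, the single user in `user_store()` and its password are all constructed for the demo. Two points the thread touches only in passing are made explicit in the code: a JWT is signed, not encrypted, so nothing secret belongs in its payload; and the server pins the algorithm instead of reading `alg` from the token.

```php
<?php
declare(strict_types=1);
// Added example, not the question's app: HS256 JWT login + verification in plain PHP,
// showing both transports discussed above. Run with: php jwt_flow.php

// Hypothetical key: in real code load it from the environment; it must be random and >= 32 bytes.
const JWT_SECRET = 'hypothetical-secret-replace-with-32-random-bytes';
const JWT_TTL    = 900; // seconds; short, because a stolen token works until it expires

function b64url_encode(string $data): string {
    return rtrim(strtr(base64_encode($data), '+/', '-_'), '=');
}

function b64url_decode(string $data): ?string {
    $padded  = $data . str_repeat('=', (4 - strlen($data) % 4) % 4);
    $decoded = base64_decode(strtr($padded, '-_', '+/'), true);
    return $decoded === false ? null : $decoded;
}

// A JWT is signed, not encrypted: anyone holding it can read the claims, so never put a password in it.
function issue_jwt(array $claims, string $secret, int $now): string {
    $header  = b64url_encode(json_encode(['alg' => 'HS256', 'typ' => 'JWT']));
    $payload = b64url_encode(json_encode($claims + ['iat' => $now, 'exp' => $now + JWT_TTL]));
    return "$header.$payload." . b64url_encode(hash_hmac('sha256', "$header.$payload", $secret, true));
}

// The answer's step 2: returns the claims, or null on bad format, bad signature or expiry.
function verify_jwt(string $jwt, string $secret, int $now): ?array {
    $parts = explode('.', $jwt);
    if (count($parts) !== 3) return null;
    [$h, $p, $s] = $parts;
    $header = json_decode(b64url_decode($h) ?? '', true);
    // Pin the algorithm server-side; never let the token choose it (blocks alg=none and key confusion).
    if (!is_array($header) || ($header['alg'] ?? null) !== 'HS256') return null;
    $sig = b64url_decode($s);
    if ($sig === null || !hash_equals(hash_hmac('sha256', "$h.$p", $secret, true), $sig)) return null;
    $claims = json_decode(b64url_decode($p) ?? '', true);
    if (!is_array($claims) || !is_int($claims['exp'] ?? null) || $now >= $claims['exp']) return null;
    return $claims;
}

// Constructed stand-in for the database: email => password_hash().
function user_store(): array {
    static $users = null;
    return $users ??= ['jacob@example.com' => password_hash('correct horse', PASSWORD_DEFAULT)];
}

// The login endpoint: POST email/password in, JWT out. Returns status/headers/body as data so it runs
// without a web server; a real endpoint would call header() for each header and echo json_encode($body).
function login(string $email, string $password, int $now): array {
    $hash = user_store()[$email] ?? null;
    if ($hash === null || !password_verify($password, $hash)) {
        return ['status' => 401, 'headers' => [], 'body' => ['error' => 'invalid credentials']];
    }
    $jwt  = issue_jwt(['sub' => $email], JWT_SECRET, $now);
    $csrf = bin2hex(random_bytes(32));
    return ['status' => 200, 'headers' => [
        // Transport B: JWT in an HttpOnly cookie (scripts cannot read it) plus a readable XSRF-TOKEN cookie.
        // Angular's HttpClientXsrfModule reads XSRF-TOKEN and echoes it as X-XSRF-TOKEN on mutating requests.
        "Set-Cookie: session=$jwt; Path=/; HttpOnly; Secure; SameSite=Strict",
        "Set-Cookie: XSRF-TOKEN=$csrf; Path=/; Secure; SameSite=Strict",
    ], 'body' => ['token' => $jwt]];   // Transport A: JSON body; the client sends it back as a Bearer header
}

// Every later request (the answer's steps 1 and 2). $headers/$cookies stand in for getallheaders()/$_COOKIE.
function authenticate(array $headers, array $cookies, string $method, int $now): ?array {
    // Transport A: the browser never adds Authorization on its own, so a cross-site form cannot
    // carry it and no separate CSRF token is needed.
    if (preg_match('/^Bearer\s+(\S+)$/i', $headers['Authorization'] ?? '', $m)) {
        return verify_jwt($m[1], JWT_SECRET, $now);
    }
    // Transport B: cookies are attached automatically, so state-changing requests must also prove
    // the calling page could read XSRF-TOKEN (double submit) before the JWT is even looked at.
    if (isset($cookies['session'])) {
        if (!in_array($method, ['GET', 'HEAD', 'OPTIONS'], true)) {
            $fromHeader = $headers['X-XSRF-TOKEN'] ?? '';
            if ($fromHeader === '' || !hash_equals($cookies['XSRF-TOKEN'] ?? '', $fromHeader)) return null;
        }
        return verify_jwt($cookies['session'], JWT_SECRET, $now);
    }
    return null;
}

// Demo with constructed requests.
$now  = time();
$resp = login('jacob@example.com', 'correct horse', $now);
$jwt  = $resp['body']['token'];
preg_match('/XSRF-TOKEN=([0-9a-f]+)/', $resp['headers'][1], $m);
$csrf = $m[1];
$show = fn(string $label, ?array $claims) =>
    printf("%-36s %s\n", $label, $claims ? 'OK as ' . $claims['sub'] : 'rejected (401)');

$show('Bearer header, valid token:', authenticate(['Authorization' => "Bearer $jwt"], [], 'GET', $now));
$show('Cookie + matching X-XSRF-TOKEN:', authenticate(['X-XSRF-TOKEN' => $csrf], ['session' => $jwt, 'XSRF-TOKEN' => $csrf], 'POST', $now));
$show('Cookie only (cross-site form POST):', authenticate([], ['session' => $jwt, 'XSRF-TOKEN' => $csrf], 'POST', $now));
$show('Token signed with another key:', authenticate(['Authorization' => 'Bearer ' . issue_jwt(['sub' => 'admin@example.com'], 'not-the-key', $now)], [], 'GET', $now));
$show('Valid token after it expired:', authenticate(['Authorization' => "Bearer $jwt"], [], 'GET', $now + JWT_TTL));
```

The first two checks pass and the remaining three are rejected. In a real deployment pick one transport rather than both: the Bearer variant needs no CSRF token but leaves the JWT readable by any script on the page, so it should live in memory rather than `localStorage`; the cookie variant keeps the JWT away from scripts but depends on `SameSite` and the double-submit check to stop cross-site requests. Either way the comment thread's point stands: a token that leaks is valid until `exp`, so keep `JWT_TTL` short and rate-limit per token or per user on the server.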