---
comments: true
layout: notebook
title: JWT Lesson 
description: Period 3 JWT Lesson _TEACHERRRRRRR
type: hacks
toc: true
courses: { csa: {week: 18} }
authors: Paaras, Varaprasad, Tanay, Rachit, Tanisha, Luna
---

# JWT Lesson

**Notebook Link**
wget ___

**Backend Repository Link**
git clone

## Why do you need JWT

Certain features in your application need to be restricted or require some sort of authentication mechanism. For example, a user information database should only be accessed by administrators, as it can contain sensitive information. Certain actions also need to be restricted, such as deleting, updating, and creating records. Additionally, different actions may be attributed to different roles.

## What is JWT (AKA "JOT")

JWT stands for <mark>**JSON Web Tokens**</mark>. 

JWT allows information, in our case authentication roles, to be securely shared between an application's frontend and backend server as a JSON object.

**Compact** = Because of its size, it can be sent through a URL, a POST parameter, or inside an HTTP header. Additionally, its small size makes transmission fast.
[will discuss payload later]

**Self-contained** = The payload contains all the required information about the user, so the database does not have to be queried more than once.

## Web Tokens

When a user logs in, a <mark>**JSON web token**</mark> is returned. Tokens are essentially credentials, so they need to be protected:

- Should not keep tokens longer than required
- Should not store sensitive data (such as the token) in browser storage

Whenever the user wants to access a protected route or resource, the user agent should send the JWT, typically in the Authorization header using the Bearer schema. The content of the header should look like the following:

```
Authorization: Bearer <token>
```

If the token is sent in the Authorization header, Cross-Origin Resource Sharing (CORS) won't be an issue as it doesn't use cookies.

## Benefits of JWT

## Anatomy of JWT Folder

Open the cloned backend >>

src/main > spring_portfolio > mvc > jwt

**JwtApiController.java**

Maps the authentication token creation method to the "/create" endpoint. It validates the email and password and, if they are valid, generates a JWT for those credentials.

**JwtAuthenticationEntryPoint.java**

Implements AuthenticationEntryPoint and overrides the commence method to specify what happens when a user is not authenticated: an unauthorized error is returned.

**JwtRequestFilter.java**

Extends Spring's web filter support via the OncePerRequestFilter class and overrides the doFilterInternal method, so every request sent to the server is processed through it. The method checks whether the JWT is valid and, if so, sets the Authentication to mark the current user as authenticated.

**JwtTokenUtil.java**

Contains the utility methods needed to generate JWTs and to read information such as the email from a JWT in order to check that the token is valid.


## What is a JWT Token

A JWT is represented as a JSON object containing information about the user. JWTs are meant to be compact (easy to send between two parties), which is useful in web development when data needs to be moved efficiently.

[refer to JwtTokenUtil.java while reading this section]

**JWT mainly has 3 different parts:**

1. **Header**

- usually contains the type of token and the signing algorithm being used
- determined by ‘SignatureAlgorithm’, which is used for signing; here it is the HMAC SHA algorithm, and the ‘getSecretKey’ method provides the key used for signing

```
//header example
{
    "alg": "HS256",
    "typ": "JWT"
}
```

2. **Payload**

- contains claims (statements about the user) and other data. There are 3 types of claims: <mark>**registered, public, private.**</mark> It is good to use predetermined claims: iss (issuer), exp (expiration time), sub (subject), aud (audience), etc. Here are some more examples of predetermined claims.
- the payload is built in the ‘doGenerateToken’ method, where claims such as ‘roles’ are added; the roles are taken from the ‘GrantedAuthority’ objects of the ‘UserDetails’

```
//payload example
{
    //subject
    "sub": "1234567890",
    "name": "Luna Iwazaki",
    "admin": true
}
```

3. **Signature** 

- to create the signature, the header and payload are combined and the secret is used to sign them. The signature is used to verify the sender of the JWT and to ensure the message wasn't changed along the way
- the signature is made in the <mark>**‘doGenerateToken’**</mark> method, where the JWT is signed with the <mark>**‘SecretKey’**</mark> from the ‘getSecretKey’ method

JWTs are commonly used for authentication: when the user logs in they receive a JWT, which is then sent with each request to authenticate that user. Servers verify a token's authenticity by checking the signature; if it is valid, the server can trust the information in the token.

```
//example using the HMAC SHA 256 algorithm
HMACSHA256(
    base64UrlEncode(header) + "." +
    base64UrlEncode(payload),
    secret)
```
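The three-part structure above and the `Authorization: Bearer <token>` check from the Web Tokens section, carried through in working code. This is an added example written with the Python standard library; it is not the backend's Java `JwtTokenUtil`/`JwtRequestFilter` code, and the secret and claims in it are constructed for the demo. `create_token` signs `base64url(header) + "." + base64url(payload)` exactly as the HMACSHA256 pseudocode shows; `verify_token` recomputes that signature, compares it in constant time, pins the algorithm, and rejects expired tokens, so a token whose payload was edited in transit fails the check.

```python
import base64, hashlib, hmac, json, time

# Constructed demo secret; the real backend supplies it via getSecretKey().
SECRET = b"demo-secret-not-for-production"

def b64url(data: bytes) -> str:
    """base64url without '=' padding, as the JWT spec requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def hs256(signing_input: bytes, secret: bytes) -> bytes:
    return hmac.new(secret, signing_input, hashlib.sha256).digest()

def create_token(claims: dict, secret: bytes = SECRET) -> str:
    """Build header.payload.signature, signing base64url(header).base64url(payload)."""
    header = {"alg": "HS256", "typ": "JWT"}
    h = b64url(json.dumps(header, separators=(",", ":")).encode())
    p = b64url(json.dumps(claims, separators=(",", ":")).encode())
    return f"{h}.{p}." + b64url(hs256(f"{h}.{p}".encode(), secret))

def verify_token(token: str, secret: bytes = SECRET, now=None):
    """Return the claims if signature and expiry check out, otherwise None."""
    try:
        h, p, s = token.split(".")
        header = json.loads(b64url_decode(h))
        signature = b64url_decode(s)
    except (ValueError, UnicodeDecodeError):
        return None
    if header.get("alg") != "HS256":          # pin the algorithm server-side
        return None
    if not hmac.compare_digest(hs256(f"{h}.{p}".encode(), secret), signature):
        return None                            # payload or signature was altered
    claims = json.loads(b64url_decode(p))
    if "exp" in claims and (time.time() if now is None else now) >= claims["exp"]:
        return None                            # expired tokens are not valid
    return claims

def claims_from_authorization_header(value: str, secret: bytes = SECRET, now=None):
    """The request filter's job: accept only 'Bearer <token>' and validate it."""
    scheme, _, token = value.partition(" ")
    if scheme != "Bearer" or not token:
        return None
    return verify_token(token, secret, now)
```

Paste a token produced by `create_token` into jwt.io to see the same three base64url segments the header and payload examples above describe.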

## Unauthenticated User Redirect

## What Happens When you aren't Logged In

## Postman Testing (Live Demo)

# Hacks