<h1>JWT - Java, Security Lesson </h1>
Period 1 - Emma, Vivian, Grace, Aliya, Kevin, Isabelle

<h1> Definitions & Purpose</h1>

- JSON Web Token (JWT)
    - A popular way to authenticate users in a web application: a compact, URL-safe means of representing claims to be transferred between two parties.
    - The claims in a JWT are encoded as a JSON object that is digitally signed using a JSON Web Signature (JWS), so the receiver can check that the claims were issued by the holder of the signing key and have not been altered.

- Concise and efficient representation, which makes it easy to transmit over networks
- No need to reference an external source/database to validate the information
- Common use cases:
    - Authentication
    - Information exchange
    - Authorization
    - Secure your APIs!

Popcorn hack: list 3 real-world applications of JWT:

<h1>Components of JWT</h1>

1. Header
    - Algorithm and token type
2. Payload
    - Claims and user data
    - Claims are statements about the entity (usually the user)
    - There are three types of claims:
        - Registered: predefined claims that are not mandatory but recommended
        - Public: claims defined in the IANA JSON Web Token registry
        - Private: custom claims created to share information between parties that agree to use them
3. Signature
    - Ensures integrity and authenticity
    - Lets the receiver verify who sent the JWT and that it was not modified in transit

- Below is what the JSON objects that make up a JWT look like. You can experiment with encoding and decoding tokens at [jwt.io](https://jwt.io/).


```
// header
{
    "alg": "HS256", // signing algorithm
    "typ": "JWT"    // type of token
}

// payload
{
    "sub": "jwt",   // example of a registered claim
    "name": "jwt lesson",
    "iat": 1516239022,
    "authorities": [
        "ADMIN",
        "MANAGER"
    ],
    "extra-claims": "some data here"
}

// signature (the secret is base64 encoded)
HMACSHA256(
    base64UrlEncode(header) + "." +
    base64UrlEncode(payload),
    your-256-bit-secret
)
```
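The signature line above is easiest to understand by building a token yourself. The following class is an added example written for this lesson (it is not code from the jwtlessonBackend repo or from jwt.io): it produces the three dot-separated parts with only the JDK, then verifies a token by recomputing the HMAC, comparing it in constant time, and rejecting an expired `exp` claim. The header and payload JSON strings and the secret are constructed sample values.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Base64;
import java.util.regex.Matcher;
import java.util.regex.Pattern;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;

/**
 * Minimal HS256 JWT: build the three dot-separated parts and verify them.
 * Added example for this lesson, not code from the jwtlessonBackend repo.
 * The JSON strings and the secret used in main() are constructed samples;
 * a real secret must be random, at least 256 bits, and never committed.
 */
public class MiniJwt {
    private static final Base64.Encoder B64 = Base64.getUrlEncoder().withoutPadding();
    private static final Base64.Decoder B64D = Base64.getUrlDecoder();

    /** The signing input is exactly base64url(header) + "." + base64url(payload). */
    static String sign(String headerJson, String payloadJson, byte[] secret) throws Exception {
        String signingInput = b64(headerJson) + "." + b64(payloadJson);
        return signingInput + "." + B64.encodeToString(hmac(signingInput, secret));
    }

    /**
     * Verify a compact JWT. Returns the decoded payload JSON if the signature matches
     * and the exp claim (when present) is still in the future; otherwise throws.
     */
    static String verify(String token, byte[] secret, long nowEpochSeconds) throws Exception {
        String[] parts = token.split("\\.", -1);
        if (parts.length != 3) throw new SecurityException("malformed token");
        // The header is untrusted input: this verifier only accepts HS256, so a token that
        // claims a different algorithm cannot change how the signature is checked.
        String header = new String(B64D.decode(parts[0]), StandardCharsets.UTF_8);
        if (!header.matches("(?s).*\"alg\"\\s*:\\s*\"HS256\".*")) throw new SecurityException("unexpected alg");
        byte[] expected = hmac(parts[0] + "." + parts[1], secret);
        byte[] actual = B64D.decode(parts[2]);
        // Constant-time comparison: timing must not reveal how many bytes matched.
        if (!MessageDigest.isEqual(expected, actual)) throw new SecurityException("bad signature");
        String payload = new String(B64D.decode(parts[1]), StandardCharsets.UTF_8);
        Long exp = numericClaim(payload, "exp");
        if (exp != null && exp <= nowEpochSeconds) throw new SecurityException("token expired");
        return payload;
    }

    /** Pulls an integer claim out of flat JSON without a JSON library (enough for this demo). */
    static Long numericClaim(String json, String name) {
        Matcher m = Pattern.compile("\"" + name + "\"\\s*:\\s*(\\d+)").matcher(json);
        return m.find() ? Long.valueOf(m.group(1)) : null;
    }

    private static String b64(String s) {
        return B64.encodeToString(s.getBytes(StandardCharsets.UTF_8));
    }

    private static byte[] hmac(String data, byte[] secret) throws Exception {
        Mac mac = Mac.getInstance("HmacSHA256");
        mac.init(new SecretKeySpec(secret, "HmacSHA256"));
        return mac.doFinal(data.getBytes(StandardCharsets.UTF_8));
    }

    public static void main(String[] args) throws Exception {
        // Constructed demo secret; replace with a randomly generated key in real code.
        byte[] secret = "constructed-demo-secret-change-me-32-bytes!!".getBytes(StandardCharsets.UTF_8);
        String header = "{\"alg\":\"HS256\",\"typ\":\"JWT\"}";
        String payload = "{\"sub\":\"jwt\",\"name\":\"jwt lesson\",\"iat\":1516239022,\"exp\":1516242622}";

        String token = sign(header, payload, secret);
        System.out.println(token);                                   // header.payload.signature
        System.out.println(verify(token, secret, 1516239100L));      // before exp: payload is returned
        try {
            verify(token, secret, 1516242622L);                      // at exp: rejected
        } catch (SecurityException e) {
            System.out.println("rejected: " + e.getMessage());
        }
        try {
            verify(token + "x", secret, 1516239100L);                // altered signature: rejected
        } catch (Exception e) {
            System.out.println("rejected: tampered signature");
        }
    }
}
```

Paste the printed token into jwt.io with the same secret and it will show as verified; change one character of the payload there and the signature check fails, which is exactly the integrity property the lesson describes. The two checks that most often go missing in hand-rolled verifiers are the fixed algorithm (never trust `alg` from the token to pick the verification method) and the constant-time comparison.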


<h1>Deep Dive into Anatomy of a JWT </h1>

<h1> Implementation Approaches & Security Considerations </h1>

<h1> JWT with Spring Boot </h1>

<h2> Big Idea </h2>
<img alt="JWTProcess" src="{{site.baseurl}}/images/JwtProcess.png">

1. JwtAuthFilter is executed first (validates and checks JWT tokens)
    - Checks whether a token is present in the request.
    - Extracts the subject (username or email)
    - If the token is missing → 403 error sent
    - If the token is there:
        - Makes a call using the UserDetailsService to fetch user info from the database, using the extracted subject
        - Response comes back from the database (user either exists or doesn't)
        - If the user does not exist → 403 error sent
        - If the user exists → the validate-JWT process is started

2. Validate JWT Process
    - Calls the JWT service, which takes the user and the JWT token as parameters
    - Token isn't valid → 403 error sent
    - Token is valid → update the SecurityContextHolder and set the connected user. User is now authenticated yay!
        - The request is automatically dispatched → sent to the DispatcherServlet → sent to the controller → whatever the user asked for is executed
        - Sends HTTP 200


<h2> Code Implementation </h2>
- Clone this repo and follow along in each JWT file: https://github.com/vivianknee/jwtlessonBackend.git

<h3> Logic flow </h3>
<b>Step 1 (Client - Login Request):</b> The client sends a login request with user credentials (username and password) to the /authenticate endpoint.

<b>Step 2 (JwtApiController):</b>
- The JwtApiController receives the login request.
- It authenticates the user credentials using the AuthenticationManager.
- If authentication is successful:
    - Retrieves user details using the PersonDetailsService.
    - Generates a JWT using the JwtTokenUtil.
    - Sends the JWT as an HTTP-only, secure cookie in the response.

<b>Step 3 (Client - Subsequent Requests):</b>
- The client includes the JWT cookie in the headers of subsequent requests.

<b>Step 4 (JwtRequestFilter):</b>
- For each incoming request, the JwtRequestFilter intercepts the request.
- Extracts the JWT from the HTTP request headers or cookies.
- Validates the JWT using the JwtTokenUtil.
- If the token is valid, sets up authentication using Spring Security's SecurityContextHolder.

<b>Step 5 (Spring Security):</b>
- Spring Security processes the request with the authenticated user.
- The application can now authorize the user based on the roles and permissions associated with the JWT.

<b>Step 6 (Error Handling - JwtAuthenticationEntryPoint):</b>
- If the JWT is missing, invalid, or expired, and the request requires authentication, the JwtAuthenticationEntryPoint handles the authentication failure.
- Responds with an HTTP 401 (Unauthorized) status.
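Steps 3 to 6 are what a request filter actually has to do on every call. The class below is an added, illustrative filter for this lesson; it is not the JwtRequestFilter from the jwtlessonBackend repo and does not reuse its names. It assumes Spring Boot 3 (the `jakarta.servlet` API) and the `spring-security-oauth2-jose` module, whose `NimbusJwtDecoder` checks the HS256 signature and the `exp` claim; the cookie name `jwt` is an assumption.

```java
import java.io.IOException;
import java.util.Arrays;
import java.util.Optional;

import jakarta.servlet.FilterChain;
import jakarta.servlet.ServletException;
import jakarta.servlet.http.Cookie;
import jakarta.servlet.http.HttpServletRequest;
import jakarta.servlet.http.HttpServletResponse;

import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.core.userdetails.UsernameNotFoundException;
import org.springframework.security.oauth2.jwt.Jwt;
import org.springframework.security.oauth2.jwt.JwtDecoder;
import org.springframework.security.oauth2.jwt.JwtException;
import org.springframework.security.web.authentication.WebAuthenticationDetailsSource;
import org.springframework.web.filter.OncePerRequestFilter;

/**
 * Illustrative request filter for steps 3-6 of the logic flow. Added example for
 * this lesson, not the jwtlessonBackend JwtRequestFilter. Assumes Spring Boot 3
 * (jakarta.servlet) and spring-security-oauth2-jose on the classpath. The JwtDecoder
 * is built elsewhere, e.g.
 *   NimbusJwtDecoder.withSecretKey(new SecretKeySpec(secret, "HmacSHA256"))
 *                   .macAlgorithm(MacAlgorithm.HS256).build()
 */
public class ExampleJwtRequestFilter extends OncePerRequestFilter {
    static final String COOKIE_NAME = "jwt";   // assumed cookie name

    private final JwtDecoder decoder;
    private final UserDetailsService userDetailsService;

    public ExampleJwtRequestFilter(JwtDecoder decoder, UserDetailsService userDetailsService) {
        this.decoder = decoder;
        this.userDetailsService = userDetailsService;
    }

    /** Step 4: look for the token in the cookie first, then in "Authorization: Bearer ...". */
    static Optional<String> extractToken(HttpServletRequest request) {
        Cookie[] cookies = request.getCookies();
        if (cookies != null) {
            Optional<String> fromCookie = Arrays.stream(cookies)
                    .filter(c -> COOKIE_NAME.equals(c.getName()))
                    .map(Cookie::getValue)
                    .findFirst();
            if (fromCookie.isPresent()) return fromCookie;
        }
        String auth = request.getHeader("Authorization");
        if (auth != null && auth.startsWith("Bearer ")) return Optional.of(auth.substring(7).trim());
        return Optional.empty();
    }

    @Override
    protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response, FilterChain chain)
            throws ServletException, IOException {
        Optional<String> token = extractToken(request);
        // Only act when nothing earlier in the chain has authenticated this request.
        if (token.isPresent() && SecurityContextHolder.getContext().getAuthentication() == null) {
            try {
                // Signature, algorithm and exp are verified here; a bad token throws JwtException.
                Jwt jwt = decoder.decode(token.get());
                // The subject is only trusted, and looked up, after the signature has been verified.
                UserDetails user = userDetailsService.loadUserByUsername(jwt.getSubject());
                UsernamePasswordAuthenticationToken authentication =
                        new UsernamePasswordAuthenticationToken(user, null, user.getAuthorities());
                authentication.setDetails(new WebAuthenticationDetailsSource().buildDetails(request));
                SecurityContextHolder.getContext().setAuthentication(authentication);   // Step 5
            } catch (JwtException | UsernameNotFoundException e) {
                // Leave the context empty; the AuthenticationEntryPoint (Step 6) then answers 401.
                logger.debug("JWT rejected: " + e.getMessage());
            }
        }
        chain.doFilter(request, response);
    }
}
```

Register it with `http.addFilterBefore(filter, UsernamePasswordAuthenticationFilter.class)` in the security configuration. Because the token travels in a cookie, the browser attaches it automatically, so the cookie set in Step 2 should carry `HttpOnly`, `Secure` and a `SameSite` attribute, and the filter deliberately does not write the error response itself: keeping the context empty and letting the entry point respond is what makes the 401 path in Step 6 consistent for missing, invalid and expired tokens alike.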


<h1>Hacks </h1>