## JWT Implementation



# What is JWT
JWT (JSon Web tokens) is a compact url safe means of representing claims bewtween two parties

# Parts of JWT

- Header: The header typically consists of two parts: the type of the token, which is JWT, and the signing algorithm being used, such as HMAC SHA256 or RSA. This part is base64Url encoded.

- Payload: Contains the claims, which are statements about an entity (typically, the user) and additional data. There are three types of claims: registered, public, and private claims. This part is also base64Url encoded.

- Signature: used to verify that the sender of the JWT is who it says it is and to ensure that the message wasn't changed along the way. The signature is appended to the encoded header and payload. This part is used to verify the integrity of the token.

# Implementing JWT into Flask Project

**CORS Configuration:**

Change: Added CORS support for both deployed and local runs.
Purpose: CORS (Cross-Origin Resource Sharing) is configured to allow or restrict requests from different origins. This change ensures that your Flask application can handle requests from various sources.


In [None]:
cors = CORS(app, supports_credentials=True)

**Dynamic Allowed Origins:**

Change: Added a before_request hook to dynamically set the allowed origin based on the request's 'Origin' header.
Purpose: Dynamically adjusting the allowed origins based on the incoming request helps ensure that only specified origins are allowed, preventing unauthorized cross-origin requests.


In [None]:

@app.before_request
def before_request():
    allowed_origin = request.headers.get('Origin')
    if allowed_origin in ['http://localhost:4100', 'http://127.0.0.1:4100', 'https://nighthawkcoders.github.io']:
        cors._origins = allowed_origin

**SameSite Attribute in set_cookie:**

Change: Added samesite='None' to the set_cookie method to allow cross-site requests.
Purpose: Setting the SameSite attribute to 'None' is crucial for cookies to be sent with cross-site requests. This is required when working with front-end applications hosted on different domains.


In [None]:

resp.set_cookie(
    "jwt",
    token,
    max_age=3600,
    secure=True,
    httponly=True,
    path='/',
    samesite='None'
)

**Nginx Preflighted Requests Configuration:**

Change: Added Nginx configuration for handling preflighted requests, allowing only the specified frontend server.
Purpose: Preflighted requests are pre-checks made by the browser before the actual request. This Nginx configuration ensures that only the designated frontend server is allowed for preflighted requests.


In [None]:

if ($request_method = OPTIONS) {
    add_header "Access-Control-Allow-Credentials" "true" always;
    add_header "Access-Control-Allow-Origin"  "https://nighthawkcoders.github.io" always;
    add_header "Access-Control-Allow-Methods" "GET, POST, PUT, OPTIONS, HEAD" always;
    add_header "Access-Control-Allow-MaxAge" 600 always;
    add_header "Access-Control-Allow-Headers" "Authorization, Origin, X-Requested-With, Content-Type, Accept" always;
    return 204;
}

1. Install JWT extension or Flask-JWT-Extended extension

In [None]:
pip install pyJWT

2. Create Flask app and initialize JWT

In [None]:
from flask import Flask
from pyJWT import JWTManager

app = Flask(__name__)
app.config['JWT_SECRET_KEY'] = 'your-secret-key'  # Replace with a strong secret key
jwt = JWTManager(app)

3. Create login endpoint to generate tokens

In [None]:
@app.route('/login', methods=['POST'])
def login():
    # Verify user credentials
    if verify_credentials():  # Replace with your authentication logic
        user_id = get_user_id()
        access_token = create_access_token(identity=user_id)  # JWT creation
        return jsonify({'access_token': access_token})
    else:
        return jsonify({'error': 'Invalid credentials'}), 401

# JWT Cookies
Cookies are pices of information taht are used to be sent to a browser and stored on the device it has been sent to

# Anatomy of Cookies

# Validating Cookies