
About the login step in Angular 6:

If I did it as follows:

  1. Send username and password to PHP;
  2. Server code checks whether the user exists;
  3. If the user really exists, we send a JSON array back to Angular containing the username and user role;
  4. Save them in localStorage;
  5. And when the user tries to navigate through the app, we check these credentials using a canActivate guard service.

Do we also need to use JWT to set a token, or isn't it necessary?

alim1990
  • No, JWT is just an extra layer of security, and you can leave it out if your application doesn't require that much security or you have less time to make the application. – Atul Sharma Jul 16 '18 at 06:44
  • @AtulSharma Yeah. Here I do need the username, to monitor who made changes in the database, so why do I need the JWT?!! – alim1990 Jul 16 '18 at 06:48
  • You need JWT to establish the validity of the data provided by the client, as data can be modified in the middle or on the client machine before it is received by the server. So JWT just protects against invalid data modifications in between. JWT passes data in encrypted format instead of plain text or JSON. – Atul Sharma Jul 16 '18 at 06:49

3 Answers


Yes! You need it, because:

The token-based authentication systems allow users to enter their username and password in order to obtain a token which allows them to fetch a specific resource - without entering their username and password at each request. Once their token has been obtained, the user can use the token to access specific resources for a set time period.

JWT (pronounced 'jot') is a token based authentication system. It is a compact, URL-safe means of representing claims to be transferred between two parties. The claims in a JWT are encoded as a JSON object that is digitally signed using JSON Web Signature. The JWT is a self-contained token which has authentication information, expire time information, and other user defined claims digitally signed.

Source: JWT (JSON Web Tokens) Are Better Than Session Cookies

more info: JWT

introduction: this link

Implementation example: php-authorization-jwt-json-web-tokens

Hasan Fathi

It's not compulsory to use JWT; if your application requires extra mission-critical security, use it.

Using JWT protects data from unwanted modifications before it is received by the server. The unwanted modifications may be made by someone intercepting the data or by the user themselves.

JWT just sends data to the server in encoded format along with a signature, so that modification becomes a little tougher, or, even if made, the data is not accepted by the server because signature validation fails.

Sample JWT data passed:

eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9           // header
.eyJrZXkiOiJ2YWwiLCJpYXQiOjE0MjI2MDU0NDV9      // payload
.eUiabuiKv-8PYk2AkGY4Fb5KMZeorYBLw261JPQD5lM

Sample plain JSON data:

{
  "username": "hello",
  "full_name" : "Jason Bourne"
}

Here, you can easily see and modify the data passed, and in JWT you can't.

Atul Sharma
  • Can I incorporate the username and user role into the JWT and then extract them at a later stage, to add them to a log table so I can monitor who made changes? – alim1990 Jul 16 '18 at 06:54
  • Yes, on the server you are going to receive the plain data itself (the second one), then you can save it to the DB and do whatever you want. JWT only encrypts the data when it is sent from client to server. – Atul Sharma Jul 16 '18 at 06:56
  • So I will save the JWT in local storage, and with each server request I will attach it with the data. Now on the server side, how do I check whether this JWT is the correct one? Do I need to save the JWT into a session upon creation? – alim1990 Jul 16 '18 at 06:59
  • Yes, some mapping between the JWT token and the user session identifier needs to be made, or you can pass the logged-in user ID every time from the client. – Atul Sharma Jul 16 '18 at 07:01
  • So it's not that complicated: I will just generate a token with the needed info (username and user role) and save it in a session (server side) and in local storage (client side). – alim1990 Jul 16 '18 at 07:02
  • Yes, you can. You can easily find libraries where a complete JWT implementation is there. You just need to write the data passing and processing functionality after receiving the data. – Atul Sharma Jul 16 '18 at 07:03
  • Do you recommend using the jwt-php library, or is it better to generate it using the jwt-angular library? Because I am seeing multiple libraries out there. – alim1990 Jul 16 '18 at 07:04
  • Please don't advise people to store anything confidential inside a JWT token. – Mike Doe Jul 16 '18 at 07:07
  • @emix So what should we store inside the JWT? It is just the user and its role in the DB. – alim1990 Jul 16 '18 at 07:08
  • Anything that is meaningful for your application. User ID maybe, printable name, user role, etc. You are not supposed to keep any secrets there. – Mike Doe Jul 16 '18 at 07:09
  • @emix You mean the password? He is giving a sample example; of course no one would save a password in a JWT. Thanks for the edit. – alim1990 Jul 16 '18 at 07:10
  • Well, I would argue. I spend lots of time on SO and know what people are capable of doing, especially in [tag:php]. – Mike Doe Jul 16 '18 at 07:11
  • @AtulSharma Your statements "JWT just sends encrypted data to server" and "Here, you can easily see and modify the data passed, and in JWT you can't." are quite misleading. In the example JWT you show (a signed JWT, aka JWS) I can of course see what's inside. The data is not encrypted, just base64url encoded. It's just the signature, which is a hash, that makes it secure. Of course there is also an encrypted variant of JWT, the JWE, but that's much less common and you don't mention it here. Please don't claim that data is encrypted in a JWT. – jps Jul 16 '18 at 07:40

It is not necessary, but it may come in handy.

If you have a single application working on a single web server, you could skip JWT completely and just have a cookie authentication mechanism, so that each JavaScript call to the web server contains your authentication cookie and your backend can respond with the proper user data.

JWT comes in handy, though, when you have more servers involved. Think of an SSO service acting as the glue between multiple related sites, like Stack Overflow and others. You just pass the JWT token and each server can safely assume the data was not tampered with and has immediate access to the user's identity, some basic details, etc.

Mike Doe
  • Well, I will run the web app locally after all, since we are an NGO and can't get funds to upload it to an online server. But since it is a long-term project, we may need to upload it some day, so using JWT is mandatory. – alim1990 Jul 16 '18 at 07:21
  • I think you misunderstood my "single web server" expression. If you put your website somewhere on the Internet, it is still not required to use JWT. – Mike Doe Jul 16 '18 at 07:23