Angularjs and slim framework JWT authentication and token refresh flow

I would like to know if what I've done so far is a sound way of authenticating/renewing the token and if there are any flaws or vulnerabilities that I should be aware of, as I tried to limit database interaction to nil. Here goes.

  1. The user authenticates via normal Username/password or via Facebook
  2. The PHP backend generates a token with an expiration time of 30 minutes and sends it to the AngularJS client
  3. The JWT token gets stored in $localStorage
  4. The JWT token is injected, with the help of an interceptor, in every request header
  5. All the Slim routes that need authentication check the sent token with the help of a middleware.
  6. If the token is invalid (expired, has been tampered with, is not suitable for that particular role), Slim will respond with a 401/403 error.
  7. An Angular service checks every minute if the token is about to expire
  8. If the token is about to expire (5 to 1 minutes left), the service posts the old token to another API endpoint.
  9. The API endpoint checks the validity of the token and responds with a new one with an expiry time of +30 mins.
  10. The polling service I mentioned before replaces the old token in $localStorage.
  11. Rinse and repeat.

NB: SSL will be implemented in production

Bounty awarded to @Valdas as he was the only one who actually answered

Răzvan asked Aug 23 '15 06:08


1 Answer

There is no need to loop token expiration checking. I use https://github.com/auth0/angular-jwt as a library for my Angular projects, which provides a way to refresh the token just before the HTTP request is fired, simplifying the auth mechanism.

Also, you could remove the token from the request if it's loading a template (ends with .html), but this is just a personal preference.

Valdas answered Sep 18 '22 16:09