Difference between #1 and #2 of
JWT authentication tutorial

Revision #2 has been created by Allan Jensen on Jun 7, 2021, 9:51:31 AM with the memo:

Changed headings because they are not rendered properly
« previous (#1) next (#3) »

Changes

Title unchanged

JWT authentication tutorial

Category unchanged

Tutorials

Yii version unchanged

2.0

Tags changed

authentication,auth,jwt

Content changed

[...]
This token is generated upon login only, and is stored in the table `user_refresh_token`.
A user may have several RefreshToken in the database.


### Scenarios #### User logs in for the first time, via the `/auth/login` endpoint:

In our `actionLogin()` method two things happens, if the credentials are correct:
[...]
The RefreshToken is in your cookies, but can't be read/accessed/tempered with through Javascript (since it is `httpOnly`).

#### Token expired:

After some time, the JWT will eventually expire. Your API have to return `401 - Unauthorized` in this case.
[...]
Your HTTP client must take this new JWT, replace it in `localStorage`, and then cycle through the request queue and replay all failed requests.

#### My laptop got stolen:

If you set up an `/auth/sessions` endpoint, that returns all the current user's RefreshTokens, you can then display
[...]
#### Why do we trust the JWT blindly?

This is by design the purpose of JWT. It is secure enough to be trustable.
[...]
## Implementation Steps

### Prerequisites

* Yii2 installed
[...]
### Step-by-step setup

- Create an ActiveRecord model for the table `user_refresh_tokens`. We'll use the class name `app\models\UserRefreshToken`.

- Disable [CSRF](https://en.wikipedia.org/wiki/Cross-site_request_forgery) validation on all your controllers:
[...]
13 0
8 followers
Viewed: 150 342 times
Version: 2.0
Category: Tutorials
Tags: auth, authentication, jwt
Written by: Allan Jensen
Last updated by: Allan Jensen
Created on: Jun 7, 2021
Last updated: 2 years ago
Update Article
Revert to #1 | Revert to #2

Revisions

View all history