I'm trying to implement a nice JWT-based API, so I have already read loads of documentation about JWTs and how they work, but I can't figure out a few things:

- When the user logs in to the app, do I pass user details via JWT? For example, the name, email and user permissions.
- Do I need to pass everything via JWT? For example, getting the page-specific data from the database or getting all blog posts or something similar to that.
- How do I find out on the back-end whether the user has permission to do this action or not? How can I get the user details from the token?

I'm using the Tymon/JWT-Auth library in this case and here is a little demonstration of how my application works at the moment:

- A POST request to the api/authenticate route, which logs the user in and returns a JWT token as JSON along with the user details: name, email and permissions. So the data returned from the server looks like this:

    {
      "token": "blablabla",
      "user": {
        "email": "testin@test.com",
        "name": "Test User",
        "permissions": [
          "can_edit_posts",
          "can_delete_users"
        ]
      }
    }

- The JWT is stored in a global variable in JavaScript called token. The user data is stored in a user object.
- The blogs page. This page sends a GET request to the server that retrieves all the posts: /blogs?token=[THAT_GLOBAL_VARIABLE_HERE]
- Bearer key in the header. Is this the correct way of doing it?
You must attach the token to a special HTTP header called Authorization, for example using the following pattern:

    headers('Authorization: JWT aer5a4era456f4asrgt1aer46a');