
Using JWT in laravel 5.1 api

I'm trying to implement a nice JWT based api, so I have already read loads of documentation about JWTs and how they work, but I can't figure out a few things:

  1. When the user logs in to the app, do I pass user details via JWT? For example, the name, email and user permissions.

  2. Do I need to pass everything via JWT? For example, getting the page-specific data from the database, or getting all blog posts, or something similar to that.

  3. How do I find out on back-end whether the user has a permission to do this action or not? How can I get the user details from the token?

  4. I'm using the Tymon/JWT-Auth library in this case, and here is a little demonstration of how my application works at the moment:

    1. User sends a POST request to the api/authenticate route, which logs the user in and returns a JWT token as JSON along with the user details: name, email and permissions. So the data returned from the server looks like this:

    { "token": "blablabla", "user": { "email": "testin@test.com", "name": "Test User", "permissions": [ "can_edit_posts", "can_delete_users" ] } }

    The JWT is stored in a global variable in JavaScript called token. The user data is stored in a user object.

    2. User goes to, let's say, the blogs page. This page sends a GET request to the server, which retrieves all the posts: /blogs?token=[THAT_GLOBAL_VARIABLE_HERE]
    3. The server returns the list of all the posts.
    4. The global token variable is updated with whatever is in the Bearer key in the header.

Is this the correct way of doing it?

You must attach the token to a special HTTP header called Authorization, for example using the following pattern:

headers('Authorization: JWT aer5a4era456f4asrgt1aer46a');

