This course will be retired on June 1, 2025.

Heads up! To view this whole video, sign in with your Courses account or enroll in your free 7-day trial. Sign In Enroll

PHP User Authentication

Preview

Start a free Courses trial
to watch this video

Sign up for Treehouse

Building a JWT

4:52 with Alena Holligan

Our login system will utilize cookies to store information about our user, however, we will be using JWT’s that are signed with a secret key to make sure the cookie is not modified or falsified to get into the system.

Steps to Creating a .env file

  1. Preview your site in a browser again and copy the domain name from the url.
  2. In the 'inc' folder, create a new file named env.txt
  3. open the file and create 2 lines:
    SECRET_KEY= string_of_64_random_characters COOKIE_DOMAIN= url_from_step_1
    ** NOTE: Do NOT include the ending slash on the url **
  4. Close the file and rename env.txt to .env

is_admin?

$user['role_id'] == 1

This check if the users role id is equal to 1, meaning an admin, and returns true or false.

JWT Claim Details

Review JSON Web Tokens video

iss Issuer Who issues this claim?
sub Subject Who is the subject?
exp Expiration Time When this JWT expires
iat Issued At Seconds since epoch
nbf Not Before Seconds since epoch
is_admin Private Claim Data Is the user an Admin?

Additional Resources

Related Discussions

Have questions about this video? Start a discussion with the community and Treehouse staff.

Sign up

    Related Discussions

    Have questions about this video? Start a discussion with the community and Treehouse staff.

    Sign up

    There are a few parts to a job that we're going to use, 0:00
    the first of which is an expire time. 0:03
    We're going to use this time in a couple of places. 0:06
    So let's make it a variable, 0:08
    $expTime = time() + 3600. 0:13
    This says the expire time is in one hour. 0:18
    Now we need to create the .env file. 0:21
    Any file that starts with a period can be difficult to edit. 0:25
    Let's start by naming this env.txt. 0:29
    We'll put it in our inc folder. 0:32
    We can rename this once we're done. 0:39
    This is where you can define any environment variables that you want to 0:41
    access with a get env function or the _env variable. 0:45
    This file should contain any secret keys that you need for your application. 0:50
    In our case we need a secret key for our jobs to be signed. 0:54
    We'll add the following line SECRET_KEY = and 0:59
    then fill out a secret key with a string of 64 random characters. 1:05
    We also need to add the domain where our cookie will live. 1:09
    For this we can preview our site in the browser again. 1:18
    And we copy our URL. 1:23
    We don't want the HTTP at the beginning. 1:32
    Let's close this file and rename it. 1:37
    The last thing we need to do is to tell our application to load this file. 1:46
    So, let's open our Bootstrap file. 1:50
    We add $dotenv = 1:56
    new Dotenv/Dotenv. 2:01
    And the current directory. 2:08
    $dotenv load. 2:12
    This will tell the system where to find our dotenv file. 2:17
    Now let's go back to our do login file. 2:21
    We're ready to create our job. 2:25
    We're going to use the static method 2:31
    in code that lives in the class 2:36
    Firebase\JWT\JWT::encode. 2:40
    This method takes three properties, the data we want in our claim, 2:45
    the signing key, and the encryption algorithm. 2:51
    Our claims will contain a few items passed in an array. 2:54
    All of them but one, are part of the RFC for jots. 2:58
    You can see the details for each in the notes. 3:02
    Iss will equal request. 3:08
    GetBaseUrl. 3:15
    Our sub. 3:21
    Will equal a user id. 3:26
    Exp for expire will equal our expire time. 3:36
    Iat will equal time. 3:44
    This is the time stamp of when the jot is issued. 3:48
    Nbf will also equal time. 3:53
    This tells the jot that it cannot be used before the current time stamp. 3:58
    Is_admin. 4:05
    This is going to be set to the user role_id. 4:09
    After our claims, we can sign the jot with our secret key from our env file. 4:24
    And finally as a default we use 4:39
    the HS256 for our algorithm. 4:44
    Great, we now have a jot that we can set in a cookie. 4:48

    You need to sign up for Treehouse in order to download course files.

    Sign up

      You need to sign up for Treehouse in order to set up Workspace

      Sign up