Building a JWT (4:52) with Alena Holligan
Our login system will use cookies to store information about the user. To make sure a cookie cannot be modified or forged to get into the system, the cookie will carry a JWT that is signed with a secret key.
Steps to Creating a .env file
- Preview your site in a browser again and copy the domain name from the URL.
- In the `inc` folder, create a new file named env.txt.
- Open the file and add two lines:

  ```
  SECRET_KEY=string_of_64_random_characters
  COOKIE_DOMAIN=url_from_step_1
  ```

  **NOTE: Do NOT include the trailing slash on the URL.**
- Close the file and rename env.txt to .env.
```php
$user['role_id'] == 1
```
This checks whether the user's role_id is equal to 1, meaning an admin, and evaluates to true or false (the value used for the is_admin claim).
JWT Claim Details
Review JSON Web Tokens video

| Claim | Name | Description |
|---|---|---|
| iss | Issuer | Who issues this claim? |
| sub | Subject | Who is the subject? |
| exp | Expiration Time | When this JWT expires |
| iat | Issued At | Seconds since epoch |
| nbf | Not Before | Seconds since epoch |
| is_admin | Private Claim Data | Is the user an Admin? |
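The claim set above, signed with HS256 the way `Firebase\JWT\JWT::encode` does with the key from SECRET_KEY, as an added Python example that is not part of the course code: it builds the claims, signs them, and shows that verification rejects a cookie whose payload was edited, a wrong key, and a token used before `nbf` or after `exp`. The base URL, user ids and the 64-character secret used in the checks are constructed sample values.

```python
import base64
import hashlib
import hmac
import json


def b64url(data: bytes) -> str:
    # base64url without '=' padding, as JWT requires
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def build_claims(base_url: str, user_id: int, role_id: int, now: int, ttl: int = 3600) -> dict:
    # The course's claim set: iss, sub, exp, iat, nbf plus the private is_admin claim.
    return {"iss": base_url, "sub": user_id, "exp": now + ttl,
            "iat": now, "nbf": now, "is_admin": role_id == 1}


def encode_hs256(claims: dict, secret: str) -> str:
    # header.payload, then an HMAC-SHA256 over those two base64url parts (HS256)
    compact = lambda obj: b64url(json.dumps(obj, separators=(",", ":")).encode())
    signing_input = compact({"typ": "JWT", "alg": "HS256"}) + "." + compact(claims)
    sig = hmac.new(secret.encode(), signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url(sig)


def decode_hs256(token: str, secret: str, now: int):
    # Returns the claims, or None if the signature or the time claims do not check out.
    try:
        head, payload, sig = token.split(".")
        if json.loads(b64url_decode(head)).get("alg") != "HS256":
            return None  # the token does not get to choose the algorithm
        expected = hmac.new(secret.encode(), f"{head}.{payload}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, b64url_decode(sig)):
            return None  # payload or signature altered, or wrong SECRET_KEY
        claims = json.loads(b64url_decode(payload))
        if not claims["nbf"] <= now < claims["exp"]:
            return None  # not valid yet, or expired
        return claims
    except (ValueError, KeyError, TypeError, AttributeError):
        return None


def modified_payload(token: str, **changes) -> str:
    # A cookie whose payload was edited but whose signature was left as issued.
    head, payload, sig = token.split(".")
    claims = json.loads(b64url_decode(payload))
    claims.update(changes)
    return f"{head}.{b64url(json.dumps(claims, separators=(',', ':')).encode())}.{sig}"
```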
0:00 There are a few parts to a jot that we're going to use,
0:03 the first of which is an expire time.
0:06 We're going to use this time in a couple of places.
0:08 So let's make it a variable,
0:13 $expTime = time() + 3600.
0:18 This says the expire time is in one hour.
0:21 Now we need to create the .env file.
0:25 Any file that starts with a period can be difficult to edit.
0:29 Let's start by naming this env.txt.
0:32 We'll put it in our inc folder.
0:39 We can rename this once we're done.
0:41 This is where you can define any environment variables that you want to
0:45 access with the getenv function or the $_ENV variable.
0:50 This file should contain any secret keys that you need for your application.
0:54 In our case we need a secret key for our jots to be signed.
0:59 We'll add the following line, SECRET_KEY=, and
1:05 then fill out a secret key with a string of 64 random characters.
1:09 We also need to add the domain where our cookie will live.
1:18 For this we can preview our site in the browser again.
1:23 And we copy our URL.
1:32 We don't want the HTTP at the beginning.
1:37 Let's close this file and rename it.
1:46 The last thing we need to do is to tell our application to load this file.
1:50 So, let's open our Bootstrap file.
1:56 We add $dotenv =
2:01 new Dotenv\Dotenv.
2:08 And the current directory.
2:12 $dotenv->load().
2:17 This will tell the system where to find our dotenv file.
2:21 Now let's go back to our do login file.
2:25 We're ready to create our jot.
2:31 We're going to use the static method
2:36 encode that lives in the class
2:40 Firebase\JWT\JWT::encode.
2:45 This method takes three properties: the data we want in our claim,
2:51 the signing key, and the encryption algorithm.
2:54 Our claims will contain a few items passed in an array.
2:58 All of them but one are part of the RFC for jots.
3:02 You can see the details for each in the notes.
3:08 Iss will equal request
3:15 getBaseUrl.
3:21 Our sub
3:26 will equal a user id.
3:36 Exp for expire will equal our expire time.
3:44 Iat will equal time.
3:48 This is the timestamp of when the jot is issued.
3:53 Nbf will also equal time.
3:58 This tells the jot that it cannot be used before the current timestamp.
4:05 Is_admin.
4:09 This is going to be set to the user role_id.
4:24 After our claims, we can sign the jot with our secret key from our env file.
4:39 And finally as a default we use
4:44 the HS256 for our algorithm.
4:48 Great, we now have a jot that we can set in a cookie.