You found it first ⚡ 50% off any plan for 6 months, exclusive to new subscribers for a limited time only.

Join the Treehouse affiliate program and earn 25% recurring commission!

✨ Earn college credits in Cybersecurity, JS, HTML, CSS and Python

🌟 Dreaming of a bright future? 🎓 Ask about the Treehouse Scholarship program! 🚀

Well done!

You have completed Using Cookies and JWTs for Secure Authentication!

Sign up for Treehouse Back to Library

Preview

Sign up for Treehouse Continue

Decoding a JWT

3:27 with Alena Holligan

Now that we have a JWT created, we can pass that instead of our JSON encoded array. Although a JWT is JSON encoded, there is more to it, so we'll need to change our decode function.

Teacher's Notes
Questions?
Video Transcript
Downloads
Workspaces

Decode JWT

function decodeAuthCookie($prop = null)
{
  try {

    Firebase\JWT\JWT::$leeway=1;
    $cookie = Firebase\JWT\JWT::decode(
      request()->cookies->get('auth'),
      getenv("SECRET_KEY"),
      ['HS256']
    );
  } catch (Exception $e) {
    return false;
  }
  if ($prop === null) {
    return $cookie;
  }
  if ($prop == 'auth_user_id') {
    $prop = 'sub';
  }
  if (!isset($cookie->$prop)) {
    return false;
  }
  return $cookie->$prop;
}

Related Discussions

Have questions about this video? Start a discussion with the community and Treehouse staff.

Sign up

Related Discussions

Have questions about this video? Start a discussion with the community and Treehouse staff.

Sign up

Now that we have a JWT created, we can pass that to our cookie, 0:00

instead of our JSON-encoded array. 0:06

Although a JWT is JSON-encoded, there's more to it than just JSON-encode. 0:14

So we'll need to change our decode function. 0:20

We'll start by setting the leeway, 0:25

Firebase\JWT\JWT::$leeway=1. 0:32

This will account for 0:40

when there is a clock skew of time between the signing and verifying servers. 0:42

Next, we can use the static method decode from the Firebase class. 0:47

Firebase\JWT\JWT::decode. 0:55

First we pass our auth cookie. 1:04

And then we pass the secret key, 1:11

getenv (SECRET_KEY). 1:16

And finally, an array of approved signing algorithms. 1:21

Since we signed the token with HS 256, that's the only 1:28

one we're going to use in our approved list, HS 256. 1:33

If there's any problem reading the JWT we want to return false. 1:38

To do this, let's wrap the decode in a try catch block. 1:43

Try, Catch, 1:49

Exception, And 2:02

if we catch an exception, we'll just return false. 2:09

Because we're using the sub, or the subject from the JWT RFC, we could either 2:13

change our call to the function or add an additional condition before our return. 2:19

Since auth_user_id makes more sense than sub, 2:25

I'm going to use that second option and add an additional check. 2:29

If prop equals auth_user_id, 2:35

Then I'm going to set prop equal to sub. 2:48

This will allow the next check to work to make sure that we actually have sub. 2:56

The rest of the decode function we can leave as is. 3:01

Let's give our new authentication a try. 3:05

Any time that you make changes to your JWT make sure you log out and 3:07

you log back in to make sure that cookie is saved properly. 3:13

And once again, everything still works. 3:23

You need to sign up for Treehouse in order to download course files.

Sign up

You need to sign up for Treehouse in order to set up Workspace

Sign up