CodeIgniter Forums
JWT for APIs - Printable Version

Forum: General > Lounge
Thread: JWT for APIs (/showthread.php?tid=68282)



JWT for APIs - ciadvantage - 06-19-2017

I am thinking of using JWT (JSON Web Token) for some of my API functions. Any opinions about this approach?
Basically I pass a token along with the request to the server; the token needs to be decoded and a response is sent back!

Regards


RE: JWT for APIs - PaulD - 06-20-2017

I think this is the way you should do it. IMHO, as long as the token is refreshed on every request processing, like the way CSRF works. So a first request is made to log in, once authorised a token is issued which you have assigned to that user, which is good for one request. If an old token or an unrecognised token is sent, the current authorised user associated with that token should be logged out and authentication required again.

I think that is the way it should work. I know traditionally the token is time limited, but I think a single use token is better. The double token method with one to get new tokens and a second token that time validates is a pain.

There are lots of ways you can do this. I am certainly no expert at it or security so take my opinions with a pinch of salt :-)

Paul.


RE: JWT for APIs - ciadvantage - 06-20-2017

Thanks Paul

Here is how I actually implemented it: the request is sent along with an encoded token. The server then decodes the token and verifies whether the valid param qualifies for a response.
For me, obviously, only a trusted client can have the passphrase to encode it, likewise on the server end. I just tried to think deeply about whether I have a security hole anywhere along
the path. JWT is much like the API key method.

Thanks
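A minimal HS256 verifier in the decode-then-verify shape described above, added here as an example that is not code from this thread or from CodeIgniter: it pins the algorithm, checks the signature in constant time before trusting any claim, enforces exp, and tracks jti to get the single-use behaviour Paul suggested. The secret and claims are constructed sample values, and the in-memory set stands in for a shared jti store.

```python
import base64, hashlib, hmac, json, time

SECRET = b"constructed-demo-secret"  # constructed sample; use a long random key in production
_used_jti = set()  # consumed token ids; stands in for a shared store (DB/Redis)

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def issue_token(claims: dict, secret: bytes = SECRET) -> str:
    """Server-side: sign the claims with the shared passphrase (HS256)."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = ".".join(
        _b64url(json.dumps(part, separators=(",", ":")).encode()) for part in (header, claims)
    )
    sig = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)

def verify_token(token: str, secret: bytes = SECRET, now=None, single_use=True) -> dict:
    """Return the claims only if every check passes; raise ValueError otherwise."""
    now = time.time() if now is None else now
    try:
        h_b64, p_b64, s_b64 = token.split(".")
        header = json.loads(_b64url_decode(h_b64))
        claims = json.loads(_b64url_decode(p_b64))
        sig = _b64url_decode(s_b64)
        if not (isinstance(header, dict) and isinstance(claims, dict)):
            raise ValueError
    except ValueError:  # wrong part count, bad base64 (binascii.Error) or bad JSON
        raise ValueError("malformed token") from None
    # Pin the algorithm server-side: the token must never choose how it is verified.
    if header.get("alg") != "HS256":
        raise ValueError("unsupported alg")
    expected = hmac.new(secret, f"{h_b64}.{p_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):  # constant-time comparison
        raise ValueError("bad signature")
    # Only after the signature checks out may any claim be trusted.
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or now >= exp:
        raise ValueError("expired or missing exp")
    if single_use:  # one request per token, as suggested earlier in the thread
        jti = claims.get("jti")
        if not isinstance(jti, str) or jti in _used_jti:
            raise ValueError("replayed or missing jti")
        _used_jti.add(jti)
    return claims
```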


RE: JWT for APIs - PaulD - 06-23-2017

The best way to really check security is to build your site as best you can, and then pay for a security professional (or a few) to take a look. However there are some free scans that, while not 100% thorough of course, can still show up common problems. There are some great suggestions for this on this Stack Overflow question: https://stackoverflow.com/questions/339603/how-can-i-check-website-security-for-free

Be prepared though. Some of the suggestions on here will really pull your site apart :-)

Best wishes,

Paul.


RE: JWT for APIs - ciadvantage - 06-24-2017

Thanks Paul. Yeah, so far I am very selective about what to change on current projects. One breaking change can halt production!
Though many tests are carried out before production, I occasionally catch odd things that happen in production that development never
faced!

Appreciate the suggestions!

Cheers