Search code examples
phplogictoken

Validating token when client returns to server

I am developing an API using PHP and got the authentication part, I'm using token authentication.

This is the logical sequence I want to implement.

  1. User Requests Access with Username / Password
  2. Application validates credentials
  3. Application provides a signed token to the client
  4. Client stores that token and sends it along with every request
  5. Server verifies token and responds with data

Example of use

user informs email and password, {"email":"[email protected]", "senha":"123"}

I then send a token eiy@omlo3

whenever it accesses the API then it passes me that token

how will I know if this token is valid or not? will I have a function to validate the valid token? What is the logic to do this? to know if the token is valid

Solution

  • You could use the JWT (JSON Web Token) standard to learn more about this process. JSON web tokens are broken up into three parts all separated by a period:

    header.payload.signature

    The header is created by making claims about the token, for example its type and algorithm used:

    $header = json_encode(['type' => 'JWT', 'algorithm' => 'HS256']);

    More information on the difference between the signing algorithms

    The payload contains important information that is used by the application, for example an identifier for a user. It can also contain other information like the expiration, issuer, etc:

    $payload = json_encode([
    'user_id' => 56,
    // set expiration to 2 hours from now etc
]);

    These can then by encoded with the base64_encode() and hash_hmac() functions.

    The signature is a special part. It is a concatenation of the header and payload, with an appended "secret". The secret is a string that is only known by you and your application. Adding this to your token "signs" it, and makes it so that you're the only one that can properly validate it. This might be a good site to generate a "secret".

    You would store the secret in a secure place outside of your publicly accessible folder, and retrieve it when needed (dotenv libraries are great for this). Those are all appended together and encoded to create your token and give to the client.

    When you receive the token to validate, you can explode it into three parts since each is separated by a period, and then validate each piece to your liking. For example if you received a token you could do the following: 

    // validate token in header.payload.signature format
$token = explode('.', $token);

$header = $token[0]; // header should be first
$payload = $token[1]; // payload should be second
$signature = $token[2]; // signature should be third

    Remember the signature is a hash of the header, payload, and secret. So you could decode this, and compare it to $token[0] and $token[1] to ensure that the token was not tampered with, and finally make sure that the secret matches as well.

    Reference: How to Create a JSON Web Token Using PHP