API安全驗證之JWT(JSON WEB TOKEN) OLCMS
阿新 • • 發佈:2018-10-31
假如www.olcms.com/getUserInfo
獲取使用者資訊,你怎麼知道當前使用者是誰?有人說登陸時候我把他UID
寫入session
了,如果是API介面,沒有session
怎麼辦,那麼就需要把UID
帶到引數裡面,如果直接帶裡面,安全怎麼辦?所以我們需要加密成別人看不懂的字串,這就是JWT(JSON WEB TOKEN)
,你可以把它理解為微信SDK中的access token
(其實本身就是一樣的東西).JWT加密和解密你自己寫也行,不過沒有必要重複造輪子,我們在github
上搜一下jwt
,我搜到一個lcobucci/jwt
,看起來用的人也挺多,好,下來我們大概用tp來演示下
下載tp3.2.3
安裝lcobucci/jwt
新建composer.json
{
"name": "olcms jwt demo",
"description": "just a jwt demo with tp",
"type": "demo",
"keywords": ["jwt","tp"],
"homepage": "https://www.olcms.com/",
"license": "Apache2",
"authors": [
{
"name": "olcms",
"email": " [email protected]"
}
],
"require": {
"lcobucci/jwt" : "*"
}
}
composer update
composer安裝看 https://www.olcms.com/2015
開啟index.php
,在載入tp前載入comoposer
的自動載入
//composer
require 'vendor/autoload.php';
// 引入ThinkPHP入口檔案
require './ThinkPHP/ThinkPHP.php';
生成和使用jwt
IndexController.class.php
namespace Home\Controller;
use Think\Controller;
use Lcobucci\JWT\Builder;
class IndexController extends Controller {
public function index(){
$token = (new Builder())
->set('uid', 1) // Configures a new claim, called "uid"
->getToken(); // Retrieves the generated token
echo $token; // The string representation of the object is a JWT string (pretty easy, right?)
}
}
瀏覽器訪問,我們看到生成的jwteyJ0eXAiOiJKV1QiLCJhbGciOiJub25lIn0.eyJ1aWQiOjF9.
重新整理一下,發現什麼?沒變,恩,不夠安全,我們再修改下程式碼
namespace Home\Controller;
use Think\Controller;
use Lcobucci\JWT\Builder;
use Lcobucci\JWT\Signer\Hmac\Sha256;
class IndexController extends Controller {
public function index(){
$signer = new Sha256();
$token = (new Builder())
->set('uid', 1) // Configures a new claim, called "uid"
->setExpiration(time() + 3600)
->sign($signer, 'olcms') // creates a signature using "testing" as key
->getToken(); // Retrieves the generated token
echo $token; // The string representation of the object is a JWT string (pretty easy, right?)
}
}
生成的jwteyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJ1aWQiOjEsImV4cCI6MTQ2MDYwNjk0Mn0.GdbEXStqQR-5zofQVmorrB4U3yuyCYDdX-jFu58dPpY
每次重新整理也變- -
從jwt中獲取資訊
namespace Home\Controller;
use Think\Controller;
use Lcobucci\JWT\Builder;
use Lcobucci\JWT\Signer\Hmac\Sha256;
use Lcobucci\JWT\Parser;
class IndexController extends Controller {
public function index(){
$signer = new Sha256();
$token = (new Builder())
->set('uid', 1) // Configures a new claim, called "uid"
->setExpiration(time() + 3600)
->sign($signer, 'olcms') // creates a signature using "testing" as key
->getToken(); // Retrieves the generated token
echo $token; // The string representation of the object is a JWT string (pretty easy, right?)
//從jwt獲取資訊
$token = (new Parser())->parse((string) $token); // Parses from a string
echo $token->getClaim('uid'); // will print "1"
}
}