JSON Web Token (JWT) Authentication & CSRF (Cross-site Request Forgery)

Also on Strikingly:
https://site-4828247-981-6937.mystrikingly.com/blog/json-web-token-jwt-authentication-csrf-cross-site-request-forgery

Preface

I have already implemented JSON Web Token (JWT) login authentication, but it is easy to forget after a while, so this post pulls together the framework and the key concepts.

MDN: HTTP is stateless, but not sessionless

HTTP is stateless: there is no link between two requests being successively carried out on the same connection.
Every request is independent: the server and the client keep no connection state between requests, so neither side's state is updated in real time.

This immediately has the prospect of being problematic for users attempting to interact with certain pages coherently, for example, using e-commerce shopping baskets.

But while the core of HTTP itself is stateless, HTTP cookies allow the use of stateful sessions.

Using header extensibility, HTTP Cookies are added to the workflow, allowing session creation on each HTTP request to share the same context, or the same state.

What is JSON Web Token?

JSON Web Token (JWT) is an open standard (RFC 7519) that defines a compact and self-contained way for securely transmitting information between parties as a JSON object.

This information can be verified and trusted because it is digitally signed.
JWTs can be signed using a secret (with the HMAC algorithm) or a public/private key pair using RSA or ECDSA.

Although JWTs can be encrypted to also provide secrecy between parties, we will focus on signed tokens.
Signed tokens can verify the integrity of the claims contained within it, while encrypted tokens hide those claims from other parties.
When tokens are signed using public/private key pairs, the signature also certifies that only the party holding the private key is the one that signed it.

JWT Debugger: examining the token structure

Token structure (HPS) = 1. Header + 2. Payload + 3. Signature

  1. Header (Base64URL-encoded, so it can be decoded back to plain text):
    records the token's (1) type and (2) the name of the hash (signing) algorithm

Packages to install: 1. jsonwebtoken, 2. passport-jwt

1. jsonwebtoken (npm)

An implementation of JSON Web Tokens.

This was developed against draft-ietf-oauth-json-web-token-08. It makes use of node-jws.

2. passport-jwt (npm)

A Passport strategy for authenticating with a JSON Web Token.

This module lets you authenticate endpoints using a JSON web token.
It is intended to be used to secure RESTful endpoints without sessions.

Implementing JWT login: architecture & flow

Postman (API testing tool): JWT login test succeeded

  1. Method: POST

CSRF (Cross-site Request Forgery) attacks

How CSRF works & the attack flow

CSRF defenses:

  1. Referer check
  2. Token
  2–1. Server-side (session) performance problem caused by plain tokens & the fix (JWT)

1. Referer Check

Referer check, reference: 手绘 10 张图,把 CSRF 跨域攻击、JWT 跨域认证说得明明白白的 (ten hand-drawn diagrams explaining CSRF cross-origin attacks and JWT cross-origin authentication)
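The Referer check above is easy to get wrong with a string prefix test, so here is an added example (not from the post or the referenced article) of how a server can validate where a state-changing request came from. It parses the Origin header (or, as a fallback, Referer) into an origin with the URL class and compares it exactly against the allowed origin; the allowed origin and the header samples are constructed for the example.

```javascript
// Added example: Origin/Referer validation for state-changing requests.
// Not the post's own code; ALLOWED_ORIGIN is a constructed value.
const ALLOWED_ORIGIN = 'https://shop.example';

// scheme://host[:port] of a URL, or null if it does not parse
// ("null", the value browsers send for opaque origins, falls into this case).
function originOf(url) {
  try { return new URL(url).origin; } catch { return null; }
}

// Returns { ok, reason }. Safe methods pass; for everything else the Origin
// header is preferred (browsers send it on cross-origin POSTs and it carries no
// path), with Referer as the fallback. A request with neither header is
// rejected, because a referrer policy can strip Referer from a forged request
// just as easily as from a legitimate one.
function refererCheck(method, headers, allowedOrigin = ALLOWED_ORIGIN) {
  if (['GET', 'HEAD', 'OPTIONS'].includes(method.toUpperCase())) {
    return { ok: true, reason: 'safe method' };
  }
  const lower = Object.fromEntries(
    Object.entries(headers).map(([k, v]) => [k.toLowerCase(), v])
  );
  const source = lower.origin || lower.referer;
  if (!source) return { ok: false, reason: 'missing Origin and Referer' };
  // Compare parsed origins, not string prefixes: "https://shop.example.evil.test/"
  // starts with the allowed value but is a different origin.
  const origin = originOf(source);
  if (origin !== allowedOrigin) return { ok: false, reason: `origin ${origin} not allowed` };
  return { ok: true, reason: 'origin matches' };
}

module.exports = { originOf, refererCheck, ALLOWED_ORIGIN };
```

Log the `reason` on rejections: a burst of "origin ... not allowed" entries for one account is a useful detection signal as well as a block.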

2. Token

The token login mechanism is similar to cookie-session; the only difference is that the credential exchanged is a token.

(1) Token stored in the session

Token stored in the session, reference: 手绘 10 张图,把 CSRF 跨域攻击、JWT 跨域认证说得明明白白的

(2) Token stored in a cookie

Token stored in a cookie, reference: 手绘 10 张图,把 CSRF 跨域攻击、JWT 跨域认证说得明明白白的

2–1. Server-side (session) performance problem caused by plain tokens & the fix (JWT)

Tokens can defend against CSRF attacks, but they create a server-side (session) performance problem:

(1) Scalability:
Every token is stored in the session, so as the number of users grows, memory usage and cost grow with it.

(2) Maintainability:
As the number of users grows, and if different servers have to be integrated, changing the architecture becomes complex.

If the site has several subdomains, each served by a different server, and all of those servers must share the same tokens, a central node has to be created to store the tokens.

Advantages of JWT (solving the plain-token problems)

The server is only responsible for generating & verifying tokens; it no longer stores tokens in the session.

As a result, the scaling and maintenance costs the server used to carry are shifted to, and spread across, all the clients.
