JWT token practice and problem solving
2022-04-22 20:17:00 【New ape and horse】
Catalog
1. token interface modification
2. token validity period
3. token does not expire during class
4. Don't break the old version of the APP
5. Password change invalidates the token
6. Security of the token issuing and renewal interfaces
7. Keeping token issuance controllable
8. Stress testing the token authentication interface
The earlier article, JWT implementation of token authentication, covered some basic JWT concepts, the advantages and disadvantages of JWT tokens, and the points to watch when using them. This article is mainly about the problems encountered while using JWT tokens and how they were solved.
1. token interface modification
What is a token? A token is issued when the user logs in.
Scenario to change: some intranet interfaces obtain user information through the token, which is not reasonable.
My understanding: the token is used to authenticate users and should be passed between the external network and our services; business calls between intranet services should pass the user id.
Solution: user information should be fetched with user_id. Since the token has already been obtained, it means the token has passed the authentication service, and the authentication service returns the user_id for downstream use.
2. token validity period
When generating the access_token and refresh_token, the application sets an expiration time; suppose the access_token is valid for 2 hours and the refresh_token for 24 hours. Testers cannot wait 2 hours or 24 hours while testing a feature, so how do we deal with the validity period being too long? To improve test efficiency, make the access_token and refresh_token lifetimes configurable, for example expiring in 1 minute or in 5 minutes.
3. token does not expire during class
The company has a business scenario in which students attend classes. How do we make sure the token does not become invalid during a class? Once the token becomes invalid and the student is logged out in the middle of a class, the user experience is poor and all kinds of complaints follow.
The root cause of this problem is the token expiring during class, so we only need to make sure the token does not expire during class. For example, we can set the token expiry time to the early morning, when the kids are asleep.
4. Don't break the old version of the APP
When issuing JWT tokens, JWT tokens and old tokens coexist for a while; moreover the JWT token has a renewal flow, while the old token does not. Because APP login goes through an h5 page, if a JWT token were issued to the old APP, then once the JWT token expired and entered the renewal flow the APP would easily break. How do we guarantee the APP does not break? Just make sure the old APP version gets the old token and the new version gets the JWT token. How do we guarantee that? Since login is an h5 page, the front end does the version control and the back end cooperates with the front end on choosing between the JWT token and the old token: if the front end tells me to issue a JWT token, I issue a JWT token; if the front end tells me to issue the old token, I issue the old token.
5. Password change invalidates the token
Because the JWT token is distributed, that is, verified without any server-side state, changing the password will not invalidate the JWT token unless something else is done. How do we guarantee that the JWT token becomes invalid after a password change?
The initial idea was to put the password into the JWT token payload, but that is equivalent to exposing the password to the outside and carries some risk. Later I thought of adding a password-change timestamp (a version) to the JWT token. What does that mean?
Suppose the JWT token version is v1. The user changes the password tomorrow; the JWT token issued after the next login has version v2, and all tokens with the earlier version v1 become invalid. In this way, changing the password invalidates the JWT token.
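An added example, not code from the post, that ties sections 3 and 5 together: a minimal HS256 JWT issuer and verifier written against Python's standard library, where the expiry is pinned to the next 03:00 so a token never lapses mid-class, and a pwd_ver claim is compared with the user's current password version so every token issued before a password change is rejected. The secret, the user store, the claim name pwd_ver and the 03:00 cut-off are assumptions.

```python
import base64, hashlib, hmac, json
from datetime import datetime, timedelta

SECRET = b"demo-hs256-secret"              # constructed; in production load from config
USERS = {"u1001": {"pwd_ver": 1}}          # constructed store; pwd_ver bumps on password change

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def early_morning_exp(now: datetime, hour: int = 3) -> int:
    """Expiry at the next HH:00 (default 03:00 local), so a token never lapses mid-class."""
    exp = now.replace(hour=hour, minute=0, second=0, microsecond=0)
    if exp <= now:
        exp += timedelta(days=1)
    return int(exp.timestamp())

def issue_token(user_id: str, now: datetime) -> str:
    header = {"alg": "HS256", "typ": "JWT"}
    payload = {"sub": user_id, "iat": int(now.timestamp()),
               "exp": early_morning_exp(now), "pwd_ver": USERS[user_id]["pwd_ver"]}
    signing_input = ".".join(_b64url(json.dumps(x, separators=(",", ":")).encode())
                             for x in (header, payload))
    sig = hmac.new(SECRET, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)

def verify_token(token: str, now: datetime):
    """Return the user_id if signature, alg, exp and pwd_ver all check out, else None."""
    parts = token.split(".")
    if len(parts) != 3:
        return None
    h, p, s = parts
    expected = hmac.new(SECRET, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s)):
        return None                         # check the signature before trusting any claim
    if json.loads(_b64url_decode(h)).get("alg") != "HS256":
        return None                         # never honour a foreign alg such as "none"
    claims = json.loads(_b64url_decode(p))
    if claims.get("exp", 0) <= int(now.timestamp()):
        return None                         # expired (at or after the early-morning cut-off)
    user = USERS.get(claims.get("sub"))
    if user is None or claims.get("pwd_ver") != user["pwd_ver"]:
        return None                         # issued before the last password change: stale
    return claims["sub"]

def change_password(user_id: str) -> None:
    USERS[user_id]["pwd_ver"] += 1          # every token carrying the old version now fails
```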
6. Security of the token issuing and renewal interfaces
The token issuing interface and the token renewal interface are both sensitive. How do we secure them? In other words, calling these two interfaces requires a whitelist.
Here we use an API signature and verification mechanism, so that only specific services can call the issue and renew interfaces.
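As an added example rather than the author's code, a request-signing scheme of the kind described: a whitelist of caller services with shared HMAC keys, and a timestamp plus nonce bound into the signature so a captured call to the issue or renew interface cannot be replayed later. The header names, caller ids, keys and the 300-second window are assumptions.

```python
import hashlib, hmac, secrets, time

# Constructed whitelist of caller services and their shared signing keys (assumption).
ALLOWED_CALLERS = {"login-svc": b"login-svc-key", "mobile-gw": b"mobile-gw-key"}
MAX_SKEW = 300           # seconds a signed request stays acceptable (replay window)
_seen_nonces = set()     # demo only; a real service keeps this in a TTL cache such as Redis

def canonical_string(method, path, body, app_id, ts, nonce) -> str:
    """Bind method, path, body hash, caller, timestamp and nonce into the signed string."""
    body_hash = hashlib.sha256(body).hexdigest()
    return "\n".join([method.upper(), path, body_hash, app_id, str(ts), nonce])

def sign_request(app_id, key, method, path, body, ts=None, nonce=None) -> dict:
    """Client side: produce the signature headers for a call to issue/renew."""
    ts = int(time.time()) if ts is None else ts
    nonce = nonce or secrets.token_hex(8)
    msg = canonical_string(method, path, body, app_id, ts, nonce).encode()
    sig = hmac.new(key, msg, hashlib.sha256).hexdigest()
    return {"X-App-Id": app_id, "X-Timestamp": str(ts), "X-Nonce": nonce, "X-Signature": sig}

def verify_request(method, path, body, headers, now=None):
    """Server side: (ok, reason). Whitelist, freshness, nonce uniqueness, then signature."""
    now = int(time.time()) if now is None else now
    app_id = headers.get("X-App-Id", "")
    key = ALLOWED_CALLERS.get(app_id)
    if key is None:
        return False, "caller not in whitelist"
    try:
        ts, nonce, sig = int(headers["X-Timestamp"]), headers["X-Nonce"], headers["X-Signature"]
    except (KeyError, ValueError):
        return False, "missing signature headers"
    if abs(now - ts) > MAX_SKEW:
        return False, "timestamp outside allowed window"
    if (app_id, nonce) in _seen_nonces:
        return False, "replayed nonce"
    msg = canonical_string(method, path, body, app_id, ts, nonce).encode()
    expected = hmac.new(key, msg, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, sig):
        return False, "bad signature"
    _seen_nonces.add((app_id, nonce))       # only remember nonces of accepted requests
    return True, "ok"
```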
7. Keeping token issuance controllable
Since we are now issuing JWT tokens, how do we keep the risk controllable? First, we put a switch on JWT token issuance, so the issuing function can be taken offline at any time; second, to roll JWT tokens out gradually, we gate issuance by mobile number (userId) -> appId.
8. Stress testing the token authentication interface
Because JWT tokens are used and the authentication service is under very high load, the JWT token authentication interface must be stress tested to guarantee the stability of the system.
Copyright notice
This article was written by [New ape and horse]; please include the original link when reposting. Thanks.
https://yzsam.com/2022/04/202204221912434626.html