Make sure you include this package as part of your Laravel project. You can do so by running the composer command from below.
composer require babicaja/jwt-4laravel
First register the service provider with the artisan vendor:publish
command. This will ensure all the bindings are in place and it will copy the default configuration file to your app's config folder.
php artisan vendor:publish // Choose JWT4L\Providers\JWTServiceProvider from the list
Inspect the newly created config/jwt.php
file. For now, you can leave it as it is (don't forget to change the secret
key for production). Details about the configuration are covered in this section.
Now everything is in place and you can start using the JWT for Laravel's functionality. Easiest way to see it in actions is using the Token
Facade provided by the package, and through artisan tinker
. If you are able to see a similar output as the one below, you are all set.
php artisan tinker Psy Shell v0.9.9 (PHP 7.3.6-1+ubuntu18.04.1+deb.sury.org+1 — cli) by Justin Hileman >>> Token::create() => "eyJ0eXAiOiJKV1QiLCJhbGciOiJzaGEyNTYifQ==.eyJpYXQiOiIyMDE5LTA3LTAyVDE1OjAyOjQ5LjkzMTQwMloiLCJleHAiOiIyMDE5LTA3LTAyVDE1OjE3OjQ5LjkzMTQ2M1oifQ==.fa0f19c3a2a444d72bb58feb54227677e52c65e35f3db21b31673520ddb16c86"
Out of the box the configuration file comes with default values which you can use as they are. You should probably change the secret
for any production code. You can set the values directly in the config/jwt.php
file or preferably by setting the appropriate .env
values.
config/jwt.php
<?phpreturn [
‘algorithm’ => env(‘JWT_ALG’, ‘sha256’), //hash_hmac_algos()
‘expires’ => env(‘JWT_EXP’, 15), // minutes
‘secret’ => env(‘JWT_KEY’, ‘secret’),
‘checks’ => [
\JWT4L\Checks\Structure::class,
\JWT4L\Checks\Signature::class,
\JWT4L\Checks\Expired::class
]
];
hash_hmac_algos()
. The algorithm defined here is used for signing and comparing the JWT signature.exp
claim is added to the Payload
section. The amount of minutes defined here will set the expire date from the moment of creation.algorithm
for signing and comparing the JWT signature.There are a few ways to use the JWT for Laravel package:
\JWT4L\Token\Generator
, JWT4L\Token\Validator
and \JWT4L\Token\Parser
Token Managers. This allows the user to create, validate and parse the JWT through one interface anywhere in the application.Example of Token Facade usage
$token = Token::create() // create a JWT
$payload = Token::payload($token) // retrieve the Payload section from the JWT
\JWT4L\Token\Generator
is responsible for JWT creationJWT4L\Token\Validator
validates the provided JWT against the Checks
\JWT4L\Token\Parser
does the parsing of JWTExample of Token Manager usage
<?phpnamespace App\Http\Controllers;
class TokenController extends Controller
{
public function generate(\JWT4L\Token\Generator $generator)
{
return response($generator->create());
}
}
JWTGuard
. Laravel’s Auth
will be automatically extended with this Guard but you need to manually configure it in the config/auth.php
config/auth.php
‘guards’ => [
‘web’ => [
‘driver’ => ‘session’,
‘provider’ => ‘users’,
],'api' => [ 'driver' => 'token', 'provider' => 'users', 'hash' => false, ], 'jwt' => [ 'driver' => 'jwt', 'provider' => 'users', ], ],
auth:jwt
middleware.Example of a route protected by the JWTGuard
Route::middleware(‘auth:jwt’)->post(‘/user’, function (Request $request) {
return $request->user();
});
JWTGuard
implementation. The Guard will try to extract the user identifier from the sub
(payload) claim of the provided token, so you should make sure that the logic responsible for token creation sets this claim as in the example bellow.Example of setting a custom claim
Token::withPayload([‘sub’=>‘user-identifier’])->create();
The package provides three JWT checks out of the box:
\JWT4L\Checks\Structure
verifies the expected header.payload.signature
structure\JWT4L\Checks\Signature
validates the hashed signature\JWT4L\Checks\Expired
checks has the token expiredYou can define your custom check by creating a class which implements the \JWT4L\Checks\CheckContract
interface and include it in the config/jwt.php
file.
app/Checks/Friday.php
<?phpnamespace app\Checks;
use Carbon\Carbon;
use JWT4L\Checks\CheckContract;class Friday implements CheckContract
{
/**
* Do necessary checks and throw a specific exception if conditions are not met.
*
* @param string $token
* @return void
* @throws mixed
*/
public function validate(string $token)
{
if (!Carbon::now()->isFriday()) throw new \Exception(“It’s not Friday”);
}
}
config/jwt.php
<?phpreturn [
‘algorithm’ => env(‘JWT_ALG’, ‘sha256’), //hash_hmac_algos()
‘expires’ => env(‘JWT_EXP’, 15), // minutes
‘secret’ => env(‘JWT_KEY’, ‘secret’),
‘checks’ => [
\JWT4L\Checks\Structure::class,
\JWT4L\Checks\Signature::class,
\JWT4L\Checks\Expired::class,
\App\Checks\Friday::class
]
];
Thanks for reading ❤
If you liked this post, share it with all of your programming buddies!
Follow me on Facebook | Twitter
☞ PHP with Laravel for beginners - Become a Master in Laravel
☞ Projects in Laravel: Learn Laravel Building 10 Projects
☞ Laravel for RESTful: Build Your RESTful API with Laravel
☞ Fullstack Web Development With Laravel and Vue.js
☞ Laravel 5.8 Ajax CRUD tutorial using Datatable JS
☞ Laravel 5.8 Tutorial from Scratch for Beginners
☞ Build RESTful API In Laravel 5.8 Example
☞ Login with Google in Laravel 5.8 App using Socialite Package
☞ Laravel PHP Framework Tutorial - Full Course for Beginners (2019)
#laravel #security #json #php #web-development