2025-04-04 Update From: SLTechnology News&Howtos
Shulou(Shulou.com)06/02 Report--
This article explains how the jsonwebtoken package generates tokens and verifies them back into user data, and walks through building a small Express API around it.
In an earlier article, "a simple understanding of the Token mechanism", the token was produced by a random algorithm of my own design, so nothing could be recovered from the token itself and I had to store it in Redis; the front end carried the token on every API call and it was valid for 48 hours. As that article also noted, a session id needs server-side storage, whereas a token does not have to keep the user's information on the server. So can we generate a token for the user, return it to the client, and then, when the front end sends it back with an API call, recover the user data from the token itself and decide whether the caller may use the interface? The npm package jsonwebtoken does exactly that: it signs a payload into a token and verifies a token back into its payload. One point to keep in mind: a JSON Web Token is signed, not encrypted. The payload is only base64url-encoded and anyone holding the token can read it, so it must not carry secrets, and the server may trust its contents only after checking the signature with its own key. Let's look at how jsonwebtoken works.
First, install express-generator globally:
npm install -g express-generator
Then use express-generator to scaffold an Express project:
express express_demo
Then enter the project and install the dependencies the Express project needs:
cd express_demo && npm install
After the project has been successfully built here, we can take a look at the project structure:
First, create common.js under util to hold shared helper methods. For now there are only two: paramAll (reads the parameters sent by the front end, whether they arrive in the query string or the body) and encryPassword (MD5 of the password concatenated with a fixed string). MD5 is not a suitable password hash: it is fast and, with a fixed suffix instead of a per-user salt, identical passwords produce identical hashes, so a leaked table can be cracked offline cheaply. A production system should use a salted, slow hash such as bcrypt, scrypt or argon2.
The first line imports crypto, which is needed for the MD5 hashing. crypto is a built-in Node.js module, so nothing has to be installed; require('crypto') is enough. The crypto package on npm is only a deprecated placeholder and should not be added to package.json.
Then create bootloader.js under util; it defines a few global functions used to print test output and to send responses back to the front end.
Then open config.js and add the secret that jsonwebtoken will use to sign tokens. This secret is the HMAC key: anyone who holds it can mint a token for any user, so it must be long and random, must never be committed to source control or shared, and should be loaded from the environment or a secrets store in a real deployment.
Now we are on the right track. We have been talking about using jsonwebtoken to generate tokens, so install it first. It is needed at runtime, not just in development, so add it as a regular dependency:
npm install --save jsonwebtoken
Next, let's write an interface that generates a token from the user information passed in the request. Our interfaces live under router, so open router/users.js and import the files we just wrote at the top:
Then implement the interface: it combines the user's basic information with the secret we configured and asks jsonwebtoken for a token:
The parameters from the front end are read with the paramAll() we just wrapped. The password is private data, so it is hashed with the wrapped encryPassword() before it goes anywhere. The token is then produced with jsonwebtoken.sign(payload, secret, options), where options can set an expiry such as expiresIn: '48h'. Let's look at the interface in action:
You can see that we have turned the user information into a token. Now let's see how to verify the token and get the user data back. The call is:
jsonwebtoken.verify(token, secret, callback)
We implement an interface that verifies the user's token and returns the user information:
One thing to note here: if the signature does not check out or the token has expired, the callback receives err (a JsonWebTokenError or TokenExpiredError) and no data; the decoded payload is returned only when the signature is valid. Do not confuse verify() with jsonwebtoken.decode(), which reads the payload without checking the signature and must never be used to make an authorization decision. Let's look at the effect:
You can see that we have verified the token and recovered the user data. Next, let's see how jsonwebtoken fits into a real API interface. As mentioned before, API security generally relies on request signatures, and the signing rule is the one I have been using all along:
1. Take the parameters the API needs plus a time parameter holding the current timestamp in milliseconds, and put them in one JSON object.
2. Sort all parameters by key in ASCII order and write them as key=value pairs to get waitSign.
3. Hash waitSign with MD5 to get signParam.
4. Convert signParam to lowercase to get the final signature sign.
Two caveats before using this rule. First, nothing in it is secret: anyone who can see the request can recompute sign, so on its own it only detects accidental or casual tampering and does not authenticate the caller; the token is what authenticates. Second, the timestamp only helps against replay if the server actually rejects requests whose time is outside a short window.
Next, we wrap the signature generation algorithm as a public method in common.js:
An API cannot avoid database access, so let's wrap the database operations as well. First put the database connection settings in config.js (credentials belong in the environment rather than in a committed file):
Next, create a db folder in the project root and a mysql.js under it that wraps insert, update, delete and select. Start with the methods that initialise and release the connection pool:
Then wrap one method that inserts or updates a user and one that queries users. Any value that comes from the request must go into the query as a placeholder parameter, never by string concatenation, or the login and lookup queries become SQL-injectable.
With the database layer in place, we can write the login API, which issues a token on successful login. Let's look at the implementation:
The login logic has three steps:
1. Compute the signature sign from the request parameters using the signing rule above and compare it with the sign the client sent.
2. If the signature matches, check against the database whether the account and (hashed) password match.
3. If they match, generate a token for the account and return it to the front end together with the user information.
The database access is wrapped in users.js under the dao layer. Let's look at the login query:
That completes the login logic. Let's look at the API call in action:
On a successful call, a token is generated and returned to the front end together with the user information. Next we implement an interface that queries the user's points; the front end must carry the token when calling it so the user can be verified.
This API also has three steps:
1. Compute the signature sign from the request parameters using the signing rule and compare it with the sign the client sent.
2. If the signature matches, verify the token and check that the account in the verified token is the same account the request asks about. Without this check, any valid token could be used to read another user's data.
3. If the accounts match, run the database query and return the user's points to the front end.
As before, the database access is wrapped in dao/users.js; the query looks like this:
Let's look at the API call in action:
You can see that the token was verified, the user information recovered from it, and the user's points queried.
In practice, this is essentially what we use for front-end interaction at work: signature sign + token + timestamp. This article walks through the whole process of developing such an interface, and the common methods it factors out make the code easier to maintain and extend in later product iterations.
The source code for this article and for the earlier encryption and decryption algorithm has been uploaded; download link:
https://gitee.com/mqzuimeng/test_code.git