JWT Token

Introduction

JWT or Json Web Token is an open standard (RFC 7519) that defines a compact and self-contained way for securely transmitting information between parties as a JSON object.

Common used when a frontend application is developed with ReactJS, Angular JS, VueJS and others. The Backend will provide a REST API to provide dynamic data application.

Usually an API Rest will stay in a different subdomain of the website, which implies configuration of CORS (Cross-Origin Resource Sharing).

This will happen because browsers can block the use of services and other types of resources at external addresses in order to prevent attacks to obtain confidential data.

How to enable CORS in Netuno

In the user Netuno application just change the file 📂 server/core/_request_url.js

The following code can be used:

var httpHeaderOrigin = _header.getString("Origin", "null")

if (httpHeaderOrigin == 'https://www.my-app.com'
    || httpHeaderOrigin == 'http://localhost'
    || httpHeaderOrigin == 'http://localhost:3000') {
    _header.response.set("Access-Control-Allow-Origin", httpHeaderOrigin)
    _header.response.set("Access-Control-Allow-Methods", "GET,PUT,POST,DELETE,OPTIONS")
    _header.response.set("Access-Control-Allow-Headers", "content-type,x-requested-with,authorization")
    _header.response.set("Access-Control-Allow-Credentials", true)
}

Pay attention that in the above code if will retrench the 'Headers' according to the original address(Origin).

Just remember to adjust for the address you are going to use.

In this case, all the services and addresses of your application will support CORS Headers.

CORS - only for Specific Services

If the user wants to increase the security level by activating the Headers only for specific services, then use the same code logic but in the file:

📂 server/core/_service_config.js

Instead of the file:

📂 server/core/_request_url.js

Activation and Setup

To activate and configure JWT Token on your Netuno application will be needed to make a file edition on the configure application folder, related to user environment, see below:

📂 config/_development.json
📂 config/_production.json

Enter and adjust the following parameters:

    ...
    "jwt": {
        "enabled": true,
        "secret": "@MyComp1exSecr3t",
        "access_expires": 60,
        "refresh_expires": 1440,
        "algorithm": "HS512"
    },
    ...

In the secret parameter, place a complex and random character string as it is the key that will guarantee the security of the JWT Token encryption.

The expression parameters defined in minutes, as example:60 equals 1 hour and 1440 equals one day.

The following mechanisms are supported in the algorithm:

ECDSA com SHA-2: ES256, ES384 ou ES512
HMAC com SHA-2: HS256, HS384 ou HS512
RSASSA-PSS com SHA-2: PS256, PS384 ou PS512
RSASSA-PKCS1 com SHA-2: RS256, RS384 ou RS512

How to obtain Token Access

To obtain Token Access, Netuno offers the service _auth which will validated th authentication, if Auth successful, return Access Token and Refresh Token.

This Token access can be obtained as can be seen below 👇

How To Access Token

As an example in how to obtain Token Access from fetch:

let token = null;

yield fetch("http://localhost:9000/services/_auth", {
    method: 'post',
    headers: {
        'Content-Type': 'application/json',
        'Accept': 'application/json'
    },
    body: JSON.stringify({
        username: payload.username,
        password: payload.password,
        jwt: true
    })
}).then((response) => {
    if (response.status != 403) {
        raiseInvalidLogin();
        return null;
    }
    if (response.status != 200) {
        console.log(`Autenticação falhou com o status ${response.status}`);
        raiseRequestFailed();
        return null;
    }
    return response.json();
}).then((res) => {
    token = res;
}).catch((error)=> {
    console.log(error);
    raiseConnectionError();
});

if (token && token.result === true) {
    console.log(`Meu Acccess Token: ${token.access_token}`);
    console.log(`Meu Refresh Token: ${token.refresh_token}`);
    sessionStorage.setItem("token", JSON.stringify(token));
}

If you notice token will be stored in Session Storage so it is recommended to use the sessionStorage instead of localStorage when sensible data.

How to manage Token Access

To run scheduled services, as they require previous authentication in Netune applications, you should pass Token Access in the HTTP protocol Header:

Authorization: Bearer eyJhbGciOiJIUzU...

Example of how to run a scheduled service done through the frontend using fetch:

const token = JSON.parse(sessionStorage.getItem("token"));

let data = null;

yield fetch("http://localhost:9000/services/meu-servico-programado-a-medida", {
    method: 'post',
    credentials: 'include',
    headers: {
        'Authorization': `${token.token_type} ${token.access_token}`,
        'Content-Type': 'application/json'
    },
    body: JSON.stringify({
        meuParametro1: '...',
        meuParametro2: '...'
    })
}).then((response) => {
    if (response.status != 200) {
        console.log(`Serviço falhou com o status ${response.status}.`);
        raiseRequestFailed();
        return null;
    }
    return response.json();
}).then((res) => {
    data = res;
}).catch((error)=> {
    console.log(error);
    raiseConnectionError();
});

if (data === true) {
    console.log(`Dados de resposta do meu serviço:`, data);
}

Please Note that the HTTP Headers in the Authorization parameter is used as token_type and the access_token obtain by the object JWT Token stored in sessionStorage.

Demo Application

Graphical Interface

Database

Services