
This repository is created for Govtech STACK 2018 - Token based stateless authentication


stacygohyunsi/govtech-stack-conf


stack-conf-exercises

The code is written in ReactJS, NodeJS and Express for STACK Developer Conference 2018.

Exercise 1

Make a GET call to the /verifytoken endpoint.

Setup

  • git clone this repository
  • Navigate to the root folder of the project
  • Restore dependencies with npm install
  • Run npx nodemon
  • The server will be running on http://localhost:9000/

Todo

  1. Use Postman (https://www.getpostman.com/; tested with v6.3.0) to make a GET request to http://localhost:9000/verifytoken

     You should get the error: No Authorisation header with Bearer token found.

     Should look like this: (screenshot: todo step 1)

  2. The server is expecting an Authorization header carrying a JWT. Get the JWT from bit.ly/jwt-ex-1; it is the value shown under the Encoded part

     Like this: (screenshot: todo step 2)

  3. Copy the JWT and add an Authorization header with the value Bearer {JWT} to your request

     Should look like this: (screenshot: todo step 3)

     You should get the error: Oops, you are NOT authorised to view this page because: invalid signature

  4. Seems like the secret is wrong. Paste the correct secret into jwt.io to regenerate a new JWT

  5. Use the correct JWT to make the request again

     You should get the error: Oops, you are NOT authorised to view this page because: jwt expired

  6. Seems like the JWT has expired. Adjust the exp field in jwt.io and try again.

  7. You should get: Congrats, you are authorised to view this page.

Exercise 2

This repo contains a Ticket Purchasing Interface (localhost:3000) and a Ticketing Machine (authorisation server at localhost:9000) which creates a JWT (embedded in a ticket).

To enter the Amusement Park, the user needs to pass the correct JWT generated by the Ticketing Machine (on your local machine) to the Amusement Park Gantry (hosted online) in order to be allowed access through the gantry.

In this exercise, you will generate and sign your own jwt locally using this library (https://github.com/auth0/node-jsonwebtoken) and use it to make a request to the Amusement Park Gantry server at stack-conf-jwt.herokuapp.com/api/park/entries.

Diagram of JWT as session token

Setup

  • git clone this repository (if you have not already done so)

Setup Ticketing Machine Server

  • Open a terminal in the root folder
  • Restore dependencies with npm install
  • Run npx nodemon to start the ticketing machine server
  • The ticketing machine will be running on http://localhost:9000/

Setup Ticket Purchasing Interface

  • Open a new terminal and cd client
  • Restore dependencies with npm install
  • Then run npm start to run the client interface
  • Access the client interface on http://localhost:3000/

Structure

  • ~/client contains the Ticket Purchasing Interface app and frontend assets
  • ~/server contains the Ticketing Machine express server and its APIs

Todo

Help fix the broken ticketing machine for an amusement park.

2a) Add Missing Token Signing Configurations

  1. Update the code in routes/create.js with JWT configuration options to be:

    • algorithm - HS384
    • expiresIn - 1 hour

    To find out how to add the required options, refer to the README of the JWT library used (node-jsonwebtoken).

    This ensures that we are using HS384 algorithm to sign the JWT and that the JWT should expire in 1 hour.

  2. Start ticketing server (http://localhost:9000) and visit http://localhost:3000 to view create ticket page

  3. Click Create Ticket to generate a ticket. You should be able to see your ticket generated.

Like this: Create Ticket

2b) Test out your Generated Token

  1. Test out your generated ticket against the amusement park gantry system (source at https://github.com/yuhong90/stack-jwt-demo-server). By clicking 'Insert Ticket into Gantry', we make an API request to stack-conf-jwt.herokuapp.com/api/park/entries.

  2. We should get an error which says that certain claims are missing.

2c) Add Missing Token Payload Claims

  1. Fix it by configuring the correct claims in the code payload:

    • Issuer - 'stackconf-auth-service'
    • Audience - 'stackconf-api-service'
    • Subject - 'yourname'
    • Type - 'vip-ticket'

    Hint 1: Check out the registered claims section of the open JWT standard for how to define a registered claim in your payload. Alternatively, you may also use the helpful signing options provided by the JWT library used in this exercise.

    Hint 2: One of the claims is a private claim and requires adding it to the token payload by hand.

  2. Click ‘Insert Ticket into Gantry’ to send your JWT token and gain entry to the amusement park.

Food for thought - Questions to think about:

  1. How do I use a private/public key pair instead of using HMAC? What would have to change?
  2. What happens if the expiration time is longer/shorter?
  3. What happens if I want to revoke the access?

Some useful reads:
