介绍 JSON Web Tokens (JWT) 📜
JSON Web Tokens (JWT) 是一种用于安全地在各方之间以 JSON 对象传输信息的紧凑且自包含的方式。在 Node.js 中,jsonwebtoken 包被广泛用于创建和验证 JWTs。本文将展示 jsonwebtoken 的基本和高级用法。😃
基本使用 🛠
安装
首先,安装 jsonwebtoken 包:
npm install jsonwebtoken
创建令牌
要创建 JWT,使用 sign 方法。你需要一个密钥和一个对象有效载荷。
const jwt = require('jsonwebtoken');
const secretKey = 'your-256-bit-secret';
const payload = { username: 'exampleUser' };
const token = jwt.sign(payload, secretKey);
console.log(token); // JWT 令牌 🎉
验证令牌
要验证令牌并检索有效载荷,请使用 verify 方法。
try {
const decoded = jwt.verify(token, secretKey);
console.log(decoded); // 解码后的有效载荷 😎
} catch (error) {
console.error('无效的令牌 😞');
}
高级使用 🔍
设置过期时间
为了提高安全性,为令牌设置过期时间。
const tokenWithExpiry = jwt.sign(payload, secretKey, { expiresIn: '1h' });
console.log(tokenWithExpiry); // 1 小时过期的令牌 ⏳
异步签名和验证
为了更好的性能,特别是在复杂操作或高负载环境中,使用 sign 和 verify 的异步版本。
异步创建令牌
jwt.sign(payload, secretKey, { expiresIn: '2h' }, (err, token) => {
if (err) {
console.error('令牌生成中的错误 🚨');
} else {
console.log(token); // 异步生成的令牌 🌟
}
});
异步验证令牌
jwt.verify(token, secretKey, (err, decoded) => {
if (err) {
console.error('无效的令牌 🚫');
} else {
console.log(decoded); // 异步解码的有效载荷 👍
}
});
处理错误
正确处理验证过程中可能出现的错误,例如令牌过期或签名不匹配。
jwt.verify(token, secretKey, (err, decoded) => {
if (err) {
switch (err.name) {
case 'TokenExpiredError':
console.error('令牌过期 🕒');
break;
case 'JsonWebTokenError':
console.error('无效的令牌 😡');
break;
// 处理其他类型的错误
}
} else {
console.log(decoded); // 解码的有效载荷 👌
}
});
总体代码
下面是一个demo用来演示上面的过程:
// Importing necessary libraries
const jwt = require('jsonwebtoken');
const express = require('express');
const cors = require('cors');
// Secret key for JWT signing and verification
const secretKey = 'your-256-bit-secret';
// Payload to be included in the JWT
const payload = { username: 'exampleUser' };
// Creating a JWT token
const token = jwt.sign(payload, secretKey);
// Function to verify the JWT token
const verify = (_token) => jwt.verify(_token, secretKey, (err, decoded) => {
const rst = {};
if (err) {
// Handling different types of JWT errors
switch (err.name) {
case 'TokenExpiredError':
console.error('令牌过期 🕒'); // Token expired
rst.code = 403;
rst.error = '令牌过期 🕒';
break;
case 'JsonWebTokenError':
console.error('无效的令牌 😡'); // Invalid token
rst.code = 401;
rst.error = '无效的令牌 😡';
break;
// Add cases for other errors if necessary
}
} else {
console.log(decoded); // Decoded payload of the token
rst.code = 200;
rst.msg = decoded;
}
return rst;
});
console.log(token); // Log the generated JWT token
// Initialize Express application
const app = express();
// Enable CORS and body parsing middleware
app.use(cors());
app.use(express.json());
app.use(express.urlencoded({ extended: true }));
// Middleware for logging request bodies
app.use((req, res, next) => {
console.log('Testing whether the middleware works', req.body);
next();
});
// Route to get the index page
app.get('/index', (req, res) => {
const _r = {
token,
};
res.status(200).json(_r); // Send the JWT token as a response
})
// Route to handle POST requests on '/test'
app.post('/test', (req, res) => {
const { token } = req.body;
// Verify the provided token
const _r = verify(token);
// Respond with the result of the verification
res.status(_r.code ?? 200).json(_r);
})
// Start the server on port 7777
app.listen(7777, () => console.log('Server is running on port 7777'));
结论
jsonwebtoken 包是 Node.js 中处理 JWTs 的强大工具。无论你是刚开始还是希望实现更多高级功能,理解如何创建和验证令牌对于安全的应用程序开发至关重要。始终确保你的密钥受到保护,并优雅地处理与令牌相关的错误,以构建健壮的应用程序。祝你使用 JWTs 编码愉快!🚀👨💻👩💻
附录
curl -X POST http://localhost:7777/test \
-H "Content-Type: application/json" \
-d '{"name": "testName"}'
English version: Mastering JSON Web Tokens in Node.js 🚀
Introduction to JSON Web Tokens (JWT) 📜
JSON Web Tokens (JWT) is a compact and self-contained way for securely transmitting information between parties as a JSON object. In Node.js, the jsonwebtoken package is widely used for creating and verifying JWTs. This article will guide you through the basics and advanced usage of jsonwebtoken, complete with code examples. 😃
Basic Usage 🛠
Installation
First, install the jsonwebtoken package:
npm install jsonwebtoken
Creating a Token
To create a JWT, use the sign method. You'll need a secret key and an object payload.
const jwt = require('jsonwebtoken');
const secretKey = 'your-256-bit-secret';
const payload = { username: 'exampleUser' };
const token = jwt.sign(payload, secretKey);
console.log(token); // JWT token 🎉
Verifying a Token
To verify a token and retrieve the payload, use the verify method.
try {
const decoded = jwt.verify(token, secretKey);
console.log(decoded); // Decoded payload 😎
} catch (error) {
console.error('Invalid token 😞');
}
Advanced Usage 🔍
Setting Expiration
For enhanced security, set an expiration time for the token.
const tokenWithExpiry = jwt.sign(payload, secretKey, { expiresIn: '1h' });
console.log(tokenWithExpiry); // Token with 1-hour expiry ⏳
Asynchronous Sign and Verify
For better performance, especially with complex operations or in high-load environments, use the asynchronous versions of sign and verify.
Asynchronous Token Creation
jwt.sign(payload, secretKey, { expiresIn: '2h' }, (err, token) => {
if (err) {
console.error('Error in token generation 🚨');
} else {
console.log(token); // Asynchronously generated token 🌟
}
});
Asynchronous Token Verification
jwt.verify(token, secretKey, (err, decoded) => {
if (err) {
console.error('Invalid token 🚫');
} else {
console.log(decoded); // Asynchronously decoded payload 👍
}
});
Handling Errors
Properly handle errors that might occur during verification, such as token expiration or signature mismatch.
jwt.verify(token, secretKey, (err, decoded) => {
if (err) {
switch (err.name) {
case 'TokenExpiredError':
console.error('Token expired 🕒');
break;
case 'JsonWebTokenError':
console.error('Invalid token 😡');
break;
// handle other types of errors
}
} else {
console.log(decoded); // Decoded payload 👌
}
});
Conclusion
The jsonwebtoken package is a powerful tool for handling JWTs in Node.js. Whether you're just starting or looking to implement more advanced features, understanding how to create and verify tokens is crucial for secure application development. Always ensure your secret key is protected and handle token-related errors gracefully for robust applications. Happy coding with JWTs! 🚀👨💻👩💻
