Here is an example of how you could use JavaScript and PHP to implement JWT-based access control:
- The client (JavaScript) sends a login request to the server (PHP) with a username and password.
- The server verifies the credentials and, if they are valid, generates a JWT whose payload carries the user's information, signed with the server's secret key.
- The server sends the JWT back to the client.
- The client stores the JWT in a cookie or local storage and uses it to authenticate subsequent requests to the server.
- When the client makes a request to a protected resource, it sends the JWT in the Authorization header.
- The server (PHP) verifies the JWT's signature using the secret key and grants or denies access to the protected resource based on the claims contained in the JWT.
Here is some sample code that demonstrates how this could work in practice:
```javascript
// Send login request to the server
async function login(username, password) {
  const response = await fetch('/login', {
    method: 'POST',
    body: JSON.stringify({ username, password }),
    headers: { 'Content-Type': 'application/json' },
  });
  const data = await response.json();
  if (data.success) {
    // Store JWT in a cookie or local storage
    localStorage.setItem('jwt', data.jwt);
  }
  return data;
}

// Make a request to a protected resource, presenting the JWT as a Bearer token
async function getProtectedResource() {
  const response = await fetch('/protected-resource', {
    headers: {
      'Authorization': `Bearer ${localStorage.getItem('jwt')}`,
    },
  });
  const data = await response.json();
  console.log(data);
  return data;
}
```
```php
<?php
use Firebase\JWT\JWT;

// Verify the JWT and grant or deny access to the protected resource.
// $secretKey is passed in explicitly: a PHP function does not see variables
// from the enclosing file, so a bare $secretKey inside it would be undefined.
function authenticate($jwt, $secretKey) {
    try {
        // Decode the JWT using the secret key, pinning the allowed algorithm
        // (firebase/php-jwt 5.x signature; 6.x takes new Key($secretKey, 'HS256') instead)
        $decoded = JWT::decode($jwt, $secretKey, array('HS256'));
        // If the JWT is valid, return the user's information
        return $decoded->user;
    } catch (\Exception $e) {
        // If the JWT is invalid, return an error
        return array('error' => $e->getMessage());
    }
}

// Handle login request
if ($_SERVER['REQUEST_METHOD'] === 'POST' && $_SERVER['PATH_INFO'] === '/login') {
    // The client posts a JSON body, so read it from php://input;
    // $_POST is only populated for form-encoded requests
    $body = json_decode(file_get_contents('php://input'), true);
    $username = $body['username'] ?? '';
    $password = $body['password'] ?? '';
    if (verifyCredentials($username, $password)) {
        // If the credentials are valid, generate a JWT
        $payload = array(
            'user' => array(
```