A simple REST API that uses JWT Authentication
- Spring Boot
- Spring Security
java-jwt
library- H2 Database
- Java 11
- Gradle
bcrypt
password hashing
- Users register for an account in the
/signup
endpoint
- a valid user will return a response code of
200
and payload that looks like{ "Username": "username_of_created_user" }
- an invalid user will return a response code of
400
and payload that looks like
{
"Error": "some_error_with_account_creation_attempt"
}
- Users will attempt to sign in at the
/token
endpoint
- request payload:
{ "username": "someuser" "password": "notarealpassword" }
- an invalid login will have a response code of
400
and payload of{ "error": "Invalid username or password" }
- a valid attempt will have a response code of
200
, will return an HttpOnly cookie containing the JWT, and have a payload with the key"token"
and a value containing the JWT- The payload here is only for one time use and should not be stored beyond that
- Requests with the cookie to protected endpoints will now work until either the user logs out or the JWT expires
- Both the cookie and JWT are set to expire after 30 minutes
- This can be changed in the
jwt.maxage.seconds
value inapplication.properties
file
- This can be changed in the
- The JWTFilter will read the JWT from the cookie and reject any invalid JWTs
- User logs out from
/logout
endpoint or the JWT expires
- Logout will add the JWT to a "blacklist" of tokens that can no longer be used
JWT_SCRT
needs to be set to any string before running the app
- Linux/Mac:
export JWT_SCRT=[secretkey]
- replace
[secretkey]
with any string
- replace
- in a production app, it's better to use keys than a secret password, but this demo is only for learning purposes
- may replace this with keys in the future