feat: JWT Authenticator

[kenjis]

Needs #703
Needs to rebase after merging #194, #199

Add:

• Config\AuthJWT
• Authentication\Authenticators\JWT
• Filters\JWTAuth
• Authentication\JWTManager = service((jwtmanager)

How to Test/Use:

• feat: JWT Authenticator #195 (comment)
• https://github.com/kenjis/codeigniter-shield/blob/feat-jwt/docs/addons/jwt.md#jwt-authentication

Sample Test App:

• https://github.com/kenjis/ci4-shield-test/tree/test-jwt#how-to-test-json-web-token-jwt-authentication
• kenjis/ci4-shield-test@0ef2d5d

TODO:

• login recording specification
• update docs

[MGatner]

This is looking awesome! I had no idea you were working on this, I would have guessed version 1.1 or 1.2.

[lonnieezell]

It's great to see a JWT implementation coming! Thanks for this.

However, I do have a couple of concerns with the current implementation.

1. Choice of implementation. Why choose Firebase's implementation? I think the best reason is probably that it's backed by Google, but according to the the JWT site, it doesn't provide the most complete implementation. That might not be all bad, though. Honestly, I kind of had it in mind that if we ever included JWT we'd roll our own since the implementation of a JWT is pretty straight-forward. Not sure if that's worth considering to remove the reliance on a third-party libs changes, etc.

2. I think you may have over-architected it. I've commented on a few classes along the way, but in general I think we should strive for as simple of an architecture as the library allows.

This would also require updating all docs and adding new docs.

I don't think we'll be able to get this one in before the initial release.

[kenjis]

I don't think we'll be able to get this one in before the initial release.

There are some parts of this feature that require consideration of specifications.
I think it will take some time.

[kenjis]

Why choose Firebase's implementation?

I googled CodeIgniter4 jwt, and found most tutorials use Firebase implementation.
And it is commonly used in my country. So first of all, I chose it.

But I know it doesn't provide the most complete implementation, so I made it replaceable.

[datamweb]

It is also commonly used in my country.

[kenjis]

I don't remember much of the implementation as a lot of time has passed, but I think the implementation itself was done in one way or another.

If there is someone who wants to try JWT, please test. Of course code reviews are also welcome.
I am going to run the code and see if this really works.

[MGatner]

My only JWT CI4 project currently uses Myth and I've had issues installing Shield alongside because they have some conflicting services and factories. I know some community members have been keen on this - maybe check the forums for volunteers?

[kenjis]

Good idea! I've posted the forum.

[hainm0912]

it finished? how to use this branch?

[kenjis]

This should work. You can get the code from my repository:
https://github.com/kenjis/codeigniter-shield/tree/feat-jwt

[kenjis]

how to use this branch?

Update your composer.json:

--- a/composer.json
+++ b/composer.json
@@ -7,7 +7,8 @@
     "require": {
         "php": "^7.4 || ^8.0",
         "codeigniter4/framework": "^4.0",
-        "codeigniter4/shield": "^1.0@beta"
+        "codeigniter4/shield": "dev-feat-jwt",
+        "firebase/php-jwt": "^6.2"
     },
     "require-dev": {
         "fakerphp/faker": "^1.9",
@@ -36,5 +37,11 @@
         "slack": "https://codeigniterchat.slack.com"
     },
     "minimum-stability": "dev",
-    "prefer-stable": true
+    "prefer-stable": true,
+    "repositories": [
+        {
+            "type": "vcs",
+            "url": "https://github.com/kenjis/codeigniter-shield.git"
+        }
+    ]
 }

Run composer update.

[miguel-rn]

What is the status on JWT authentication?

Any TODOs I could help with?

[kenjis]

Rebased to resolve conflicts.

[kenjis]

What is the status on JWT authentication?

The implementation was finished. I need to write docs.

Any TODOs I could help with?

Testing and review. As you see, no one has approved this PR yet.

[kenjis]

@MGatner @datamweb Can you review?

[datamweb]

@kenjis will try to do today.

[datamweb]

Question, how can the site administrator make the tokens expire in general? (I think he should change the secret code. If so, I'd prefer you explain it in the documentation.)

And the next question is there a way to expire the token for a specific user?

Please update the README file, the reference to support JWT is good.

[kenjis]

Question, how can the site administrator make the tokens expire in general? (I think he should change the secret code. If so, I'd prefer you explain it in the documentation.)
And the next question is there a way to expire the token for a specific user?

Tokens are to be validated by defining the conditions that make it invalid.

If you want to invalidate tokens to a specific user, you can do it by specifying the user ID and issued at.

Also, as you say, If you change the key, all tokens signed with that key will be invalidated.

[datamweb]

@kenjis, thanks, everything seems to be working fine now.

[kenjis]

@datamweb Thank you for the detailed review!

[kenjis]

@MGatner Can you approve? Without your approve, I cannot merge this.

[kenjis]

Thank you all!