PHP REST API: JWT Authentication Explained

Hey everyone! Today, we're diving deep into PHP REST API JWT (JSON Web Token) authentication. If you're building APIs and want a secure way to handle user authentication, this is for you. We'll break down what JWT is, how it works, and how to implement it in your PHP REST API. Buckle up; it's going to be a fun ride!

What is JWT Authentication?

So, what's all the buzz about JWT? In a nutshell, JWT authentication is a method for securely transmitting information between parties as a JSON object. This information can be verified and trusted because it is digitally signed. Think of it like a digital passport. It contains information about the user (like their ID and roles) and is signed in such a way that the server can verify its authenticity.

Why Use JWT?

Why bother with JWT in the first place? Well, there are several advantages:

Stateless Authentication: Unlike traditional session-based authentication, JWT is stateless. This means the server doesn't need to store user session data. This simplifies scaling and makes it easier to handle multiple servers.
Security: JWTs are signed, which means the server can verify the token hasn't been tampered with. This makes it more secure than simply passing user credentials around.
Cross-Origin Resource Sharing (CORS): JWTs work well with APIs that need to be accessed from different domains, making them perfect for modern web applications.
Performance: Because the server doesn't need to look up session information in a database, JWT authentication can be faster than traditional methods.

How JWT Works?

Let's break down the JWT process:

Authentication: The user provides their credentials (username and password). The server validates these credentials.
Token Generation: If the credentials are valid, the server generates a JWT. This token contains user information (payload) and is signed using a secret key.
Token Delivery: The server sends the JWT back to the client. This token is usually stored in the client's local storage or a cookie.
Subsequent Requests: For every subsequent request to the API, the client includes the JWT in the Authorization header.
Token Verification: The server receives the JWT, verifies its signature, and extracts the user information. If the token is valid, the request is processed; otherwise, it's rejected.

Setting Up Your PHP Environment

Before we jump into the code, you'll need a few things:

PHP: Make sure you have PHP installed on your system (version 7.2 or higher is recommended).
Web Server: You'll need a web server like Apache or Nginx to serve your API.
Composer: Composer is a dependency manager for PHP. You'll need it to install the JWT library.
Database (Optional): If you want to store user data, you'll need a database like MySQL or PostgreSQL.

Installing the JWT Library

The first step is to install the php-jwt library using Composer. Open your terminal and run:

composer require firebase/php-jwt

This will download and install the necessary files for working with JWT.

Creating Your PHP REST API

Alright, let's get our hands dirty and build a simple PHP REST API. We'll create endpoints for user registration, login, and a protected resource.

Project Structure

Here's a basic project structure to get us started:

/api/
├── config.php
├── auth/
│   ├── register.php
│   ├── login.php
│   └── logout.php
├── models/
│   └── User.php
├── routes.php
├── index.php
└── .htaccess

config.php: Database connection details and secret key.
auth/register.php: Handles user registration.
auth/login.php: Handles user login and JWT generation.
auth/logout.php: Handles user logout.
models/User.php: User model to interact with the database.
routes.php: Defines API routes.
index.php: Entry point for all API requests.
.htaccess: For URL rewriting.

Configuration (config.php)

Let's create our config.php file:

<?php

// Database Configuration
$db_host = 'localhost';
$db_name = 'your_database_name';
$db_user = 'your_db_user';
$db_pass = 'your_db_password';

// JWT Secret Key
$jwt_secret = 'YOUR_SECRET_KEY'; // Replace with a strong, random key

// Database connection
try {
    $pdo = new PDO("mysql:host=$db_host;dbname=$db_name", $db_user, $db_pass);
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
} catch(PDOException $e) {
    echo "Connection failed: " . $e->getMessage();
    die();
}

?>

Important: Replace YOUR_SECRET_KEY with a strong, unique secret key. Keep this key secret! It's used to sign and verify your JWTs.

User Model (models/User.php)

This is a simple model to interact with the database. We'll use it to create, read, and validate users.

<?php

class User {
    private $pdo;

    public function __construct($pdo) {
        $this->pdo = $pdo;
    }

    public function createUser($username, $password) {
        $hashed_password = password_hash($password, PASSWORD_DEFAULT);
        $stmt = $this->pdo->prepare("INSERT INTO users (username, password) VALUES (:username, :password)");
        $stmt->execute([':username' => $username, ':password' => $hashed_password]);
        return $this->pdo->lastInsertId();
    }

    public function getUserByUsername($username) {
        $stmt = $this->pdo->prepare("SELECT * FROM users WHERE username = :username");
        $stmt->execute([':username' => $username]);
        return $stmt->fetch(PDO::FETCH_ASSOC);
    }

    public function validatePassword($password, $hashedPassword) {
        return password_verify($password, $hashedPassword);
    }
}
?>

Registration (auth/register.php)

This script handles user registration. It receives the username and password, hashes the password, and saves the user to the database.

<?php

require_once '../config.php';
require_once '../models/User.php';

header('Content-Type: application/json');

$userModel = new User($pdo);

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    $input = json_decode(file_get_contents('php://input'), true);

    if (isset($input['username']) && isset($input['password'])) {
        $username = $input['username'];
        $password = $input['password'];

        try {
            $userId = $userModel->createUser($username, $password);
            if ($userId) {
                http_response_code(201);
                echo json_encode(['message' => 'User registered successfully']);
            } else {
                http_response_code(500);
                echo json_encode(['message' => 'Failed to register user']);
            }
        } catch (PDOException $e) {
            http_response_code(500);
            echo json_encode(['message' => 'Registration failed: ' . $e->getMessage()]);
        }
    } else {
        http_response_code(400);
        echo json_encode(['message' => 'Username and password are required']);
    }
} else {
    http_response_code(405);
    echo json_encode(['message' => 'Method not allowed']);
}

?>

Login (auth/login.php)

This script handles user login and generates a JWT upon successful authentication.

<?php

use Firebase\JWT\JWT;

require_once '../config.php';
require_once '../models/User.php';
require_once '../vendor/autoload.php';

header('Content-Type: application/json');

$userModel = new User($pdo);

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    $input = json_decode(file_get_contents('php://input'), true);

    if (isset($input['username']) && isset($input['password'])) {
        $username = $input['username'];
        $password = $input['password'];

        $user = $userModel->getUserByUsername($username);

        if ($user && $userModel->validatePassword($password, $user['password'])) {
            $payload = [
                'iss' => 'your_domain.com', // Replace with your domain
                'aud' => 'your_domain.com', // Replace with your domain
                'iat' => time(),
                'exp' => time() + 3600, // Token expires in 1 hour
                'uid' => $user['id'],
                'username' => $user['username'],
            ];

            $jwt = JWT::encode($payload, $jwt_secret, 'HS256');

            http_response_code(200);
            echo json_encode(['token' => $jwt]);
        } else {
            http_response_code(401);
            echo json_encode(['message' => 'Invalid credentials']);
        }
    } else {
        http_response_code(400);
        echo json_encode(['message' => 'Username and password are required']);
    }
} else {
    http_response_code(405);
    echo json_encode(['message' => 'Method not allowed']);
}

?>

Important: Replace your_domain.com with your actual domain or the domain you want to associate with the JWT.

| Read Also : AutoNation Hyundai Hours Near You: Find Them Now!

Logout (auth/logout.php)

For a stateless system like this, the logout process is simple. We don't need to invalidate the JWT on the server because the client just discards it. To log out, the client simply removes the token from its storage (e.g., local storage or a cookie).

<?php

header('Content-Type: application/json');

// In a stateless system, logout is handled by the client.
http_response_code(200);
echo json_encode(['message' => 'Logged out successfully']);

?>

Routes (routes.php)

This file defines the API endpoints and maps them to the corresponding files.

<?php

$uri = parse_url($_SERVER['REQUEST_URI'], PHP_URL_PATH);
$method = $_SERVER['REQUEST_METHOD'];

// Define routes
$routes = [
    '/api/register' => ['POST' => 'auth/register.php'],
    '/api/login' => ['POST' => 'auth/login.php'],
    '/api/logout' => ['POST' => 'auth/logout.php'],
    '/api/protected' => ['GET' => 'protected.php'],
];

if (isset($routes[$uri]) && isset($routes[$uri][$method])) {
    require_once $routes[$uri][$method];
} else {
    http_response_code(404);
    echo json_encode(['message' => 'Route not found']);
}

?>

Protected Route (protected.php)

This is a sample protected route that requires a valid JWT to access.

<?php

use Firebase\JWT\JWT;

require_once 'config.php';
require_once 'vendor/autoload.php';

header('Content-Type: application/json');

// Get the authorization header
$authHeader = $_SERVER['HTTP_AUTHORIZATION'] ?? null;

if (!$authHeader || strpos($authHeader, 'Bearer ') !== 0) {
    http_response_code(401);
    echo json_encode(['message' => 'Unauthorized: No token provided']);
    exit;
}

$token = substr($authHeader, 7); // Remove 'Bearer '

try {
    $decoded = JWT::decode($token, $jwt_secret, ['HS256']);
    // Access user information from the decoded token
    $userId = $decoded->uid;
    $username = $decoded->username;

    http_response_code(200);
    echo json_encode(['message' => 'Protected resource accessed', 'user' => ['id' => $userId, 'username' => $username]]);

} catch (Exception $e) {
    http_response_code(401);
    echo json_encode(['message' => 'Unauthorized: Invalid token', 'error' => $e->getMessage()]);
}

?>

Index (index.php)

This is the main entry point of your API. It includes the routes.php file.

<?php

require_once 'routes.php';

?>

.htaccess

This file is used to rewrite URLs so your API looks clean. Place this file in your /api/ directory.

<IfModule mod_rewrite.c>
    RewriteEngine On
    RewriteBase /api/
    RewriteCond %{REQUEST_FILENAME} !-f
    RewriteCond %{REQUEST_FILENAME} !-d
    RewriteRule . index.php [L]
</IfModule>

Testing Your API

Now that your API is set up, let's test it! You can use tools like Postman or curl to send requests to your API endpoints.

Registration

Send a POST request to /api/register with the following JSON payload:

{
    "username": "testuser",
    "password": "password123"
}

If successful, you should get a 201 Created response with a success message.

Login

Send a POST request to /api/login with the following JSON payload:

{
    "username": "testuser",
    "password": "password123"
}

If successful, you should get a 200 OK response with a JSON payload containing the JWT:

{
    "token": "YOUR_JWT_TOKEN_HERE"
}

Accessing the Protected Resource

Take the JWT you received from the login endpoint.
Send a GET request to /api/protected.
Include the JWT in the Authorization header like this:

Authorization: Bearer YOUR_JWT_TOKEN_HERE

If the token is valid, you'll receive a 200 OK response with a success message and the user's information. If the token is invalid or missing, you'll get a 401 Unauthorized error.

Advanced Topics and Best Practices

Okay, guys, we've got the basics down, but let's level up our knowledge with some advanced topics and best practices to make your PHP REST API JWT authentication even more robust and secure. Here are some key considerations:

Token Expiration and Refresh

Token Expiration: As you saw, JWTs should have an expiration time (the exp claim). This limits the window of opportunity for an attacker if a token is compromised. A common practice is to set a relatively short expiration time (e.g., 15-30 minutes).
Token Refresh: To keep the user logged in without requiring them to re-enter their credentials frequently, implement a token refresh mechanism. When the current JWT expires, the client sends a request (usually using a refresh token) to get a new JWT. This is often done by issuing a refresh token alongside the initial JWT.
Refresh Token Storage: Be very careful about how you store refresh tokens. Don't store them in local storage in the browser, as they are susceptible to XSS attacks. Store refresh tokens in secure HTTP-only cookies.

Token Revocation

Token Revocation: Implementing token revocation allows you to invalidate a token before it expires. This is useful if a user's account is compromised or if the user logs out. You can achieve this by storing a list of revoked tokens on the server or using a database.
Database or Cache: For token revocation, you can store revoked tokens in a database or a cache (like Redis). When a request comes in, check if the token is in the revoked list.

HTTPS

Always Use HTTPS: Seriously, always use HTTPS to encrypt the communication between the client and the server. This prevents the JWT from being intercepted during transmission.

Input Validation

Validate All Input: Always validate user input to prevent vulnerabilities like SQL injection and cross-site scripting (XSS) attacks. Sanitize user inputs before using them in database queries or generating responses.

Security Best Practices

Secret Key Management: Protect your JWT secret key. Never hardcode it in your code. Use environment variables or a configuration file that's not accessible from the web. Also, regularly rotate your secret key.
Rate Limiting: Implement rate limiting to prevent brute-force attacks on your login endpoint.
CORS Configuration: Configure Cross-Origin Resource Sharing (CORS) correctly to control which origins can access your API. Only allow the origins you trust.
Error Handling: Handle errors gracefully and avoid leaking sensitive information in error messages. Provide helpful but non-revealing error messages to the client.
Regular Security Audits: Regularly review your code and conduct security audits to identify and fix vulnerabilities.

Conclusion: Securing Your PHP REST API

So there you have it, folks! You've learned how to implement PHP REST API JWT authentication, from the basics to some advanced considerations. This method is a powerful tool for securing your APIs and creating a great user experience. Remember to prioritize security best practices, and always keep learning and improving. Implementing JWT is a great step toward building secure and scalable APIs. Now go build something amazing!

I hope you found this guide helpful. If you have any questions, feel free to ask in the comments below. Happy coding!