JWT (JSON Web Token) for Craft CMS assists in issuing and claiming tokens. The intent is to issue a token which, at a later time, can be claimed and used to perform various actions.
The life of a JWT is defined upon creation and
To learn more about JWT visit JWT.IO
This plugin requires Craft CMS 3.0 or later.
Simply run the following command from your project root:
composer require flipboxfactory/craft-jwt
Once the plugin is included in your project, navigate to the Control Panel, go to Settings → Plugins and click the “Install” button for the JWT Plugin.
The craft.jwt
template variable provides access to the entire JWT plugin. To access the services, you may use:
Identity Service:
{% set token = craft.jwt.identity.issue(currentUser) %} {# To generate a token (store the identity) #}
{% set claim = craft.jwt.identity.claim(token|trim) %} {# To claim a token (retrieve the identity) #}
Route Service:
{% set token = craft.jwt.route.issue('action/path') %} {# To generate a token (store the action path) #}
{% set claim = craft.jwt.route.claim(token|trim) %} {# To claim a token (retrieve the action path) #}
Common usages of this plugin are as follows:
Making calls to your own API is a great candidate for JWT Identity tokens. The flow works something like this:
let jwt = '{{ craft.jwt.identity.issue(currentUser) }}'
/**
* @inheritdoc
*/
public function behaviors()
{
return \craft\helpers\ArrayHelper::merge(
parent::behaviors(),
[
'authenticator' => [
'authMethods' => [
\flipbox\craft\jwt\filters\JwtHttpBearerAuth::class
]
]
]
);
}
A full example of the Authentication filter implementation can be found in our RESTful API for Craft CMS
Perhaps a user needs to access a protected page or file download. To circumvent exposing the url publicly, issue a JWT Route token.
{% set token = craft.jwt.route.issue(['templates/render', {'template': '_protected/template'}], currentUser)
{# the link will automatically render the template #}
<a href="https://github.com/flipboxfactory/craft-jwt/blob/master/{{ actionUrl("jwt/route", {jwt: token|trim}) }}">View Protected Page</a>
{% set asset = craft.assets.one() %}
{% set token = craft.jwt.route.issue(['assets/thumb', {'uid': asset.uid, width: 100, height: 100}], currentUser) %}
<a href="https://github.com/flipboxfactory/craft-jwt/blob/master/{{ actionUrl("jwt/route", {jwt: token|trim}) }}">Download Protected File</a>
Note: It's important to note that in the File Download example, we're also passing the currentUser
param when generating
the token. As a result, when the action is processed we're assuming the identity of the user who issued the token prior to performing the action. This means a user
doesn't have to be logged in to Craft.
JWTs created by this plugin are technically JWS (JSON Web Signature) tokens. The contents of a token can be easily decoded and viewed using tools such as jwt.io. It is important NOT to store sensitive data in a token. The Craft 'security key' is used to sign each token; ensuring the contents have not been tampered with.
A token is valid for
Please see CONTRIBUTING for details.
The MIT License (MIT). Please see License File for more information.