Would you like to inspect the original subtitles? These are the user uploaded subtitles that are being translated: 1 00:00:00,240 --> 00:00:04,270 In this lecture, we're going to explore what JSON Web tokens are. 2 00:00:04,590 --> 00:00:07,880 We're finished with the authentication system for the application. 3 00:00:08,400 --> 00:00:11,370 One word I brought up often is the word token. 4 00:00:11,670 --> 00:00:11,940 What? 5 00:00:11,940 --> 00:00:12,710 Our tokens. 6 00:00:12,810 --> 00:00:13,780 How do they work? 7 00:00:14,010 --> 00:00:16,890 These are the questions I want to answer in this lecture. 8 00:00:17,190 --> 00:00:19,320 Let's start with what Web tokens are. 9 00:00:19,950 --> 00:00:24,180 Tokens are encoded strings that hold your data plain and simple. 10 00:00:24,330 --> 00:00:28,290 If you were to look at a token, all you would see is random gibberish. 11 00:00:28,500 --> 00:00:34,250 Despite its appearance, it's one of the most effective and popular methods for authenticating a user. 12 00:00:34,590 --> 00:00:38,550 They're used to transport data between the client and the server. 13 00:00:39,150 --> 00:00:43,760 One of the most significant advantages of tokens is that they're digitally signed. 14 00:00:44,010 --> 00:00:46,530 Let's say a hacker is able to get a hold of one. 15 00:00:46,800 --> 00:00:51,210 They may be able to read the data, but they won't be able to make changes to it. 16 00:00:51,480 --> 00:00:54,960 Any changes to the token will automatically invalidate it. 17 00:00:55,260 --> 00:00:59,460 This mechanism limits the damages one can do if they steal a token. 18 00:00:59,880 --> 00:01:02,970 In our case, tokens are assigned by Firebase. 19 00:01:03,180 --> 00:01:06,840 We don't have to worry about encoding or decoding tokens. 20 00:01:07,110 --> 00:01:09,840 The SDK handles most of this process. 21 00:01:10,140 --> 00:01:16,050 Even if a hacker is able to grab a token, they'll have a hard time decoding the data unless they have 22 00:01:16,050 --> 00:01:16,800 the signature. 23 00:01:17,130 --> 00:01:19,950 On top of that, tokens expire in an hour. 24 00:01:20,280 --> 00:01:24,300 This system makes it undesirable for most malicious users. 25 00:01:26,160 --> 00:01:27,910 We've learned what tokens are. 26 00:01:28,170 --> 00:01:34,340 Let's move on to discussing how tokens are created, tokens are generally generated on the back end. 27 00:01:34,560 --> 00:01:38,670 It's not something you would create on the front end, but you can if you want to. 28 00:01:39,030 --> 00:01:45,060 In the resource section of this lecture, I provide a link to the official JSON Web Tokens site. 29 00:01:45,390 --> 00:01:48,630 It has every resource you'd ever want on tokens. 30 00:01:48,870 --> 00:01:51,440 Web tokens aren't just for JavaScript. 31 00:01:51,720 --> 00:01:54,860 You can use it with almost any programming language available. 32 00:01:55,350 --> 00:01:59,670 If we were to scroll down, we'd find a playground for creating tokens. 33 00:01:59,910 --> 00:02:02,430 Tokens are broken down into three sections. 34 00:02:02,700 --> 00:02:04,710 The first section is the header. 35 00:02:05,130 --> 00:02:08,910 This section is where we can store meta information about a token. 36 00:02:09,240 --> 00:02:11,450 It's an object with two properties. 37 00:02:11,730 --> 00:02:13,650 There's the algorithm and the type. 38 00:02:14,040 --> 00:02:18,060 The algorithm is the formula used to encode the web token. 39 00:02:18,420 --> 00:02:21,240 There's no official algorithm for Web tokens. 40 00:02:21,390 --> 00:02:24,420 You can use any of the hundreds of algorithms out there. 41 00:02:24,720 --> 00:02:27,570 The type is the type of token being created. 42 00:02:27,810 --> 00:02:33,890 Ninety nine percent of the time this will be set to JWT for JSON Web tokens. 43 00:02:34,380 --> 00:02:36,510 The next section is the payload. 44 00:02:36,810 --> 00:02:38,880 This is the contents of the Web token. 45 00:02:39,090 --> 00:02:40,980 It's an object filled with data. 46 00:02:41,280 --> 00:02:45,810 You can store any type of data you'd like from addresses to passwords. 47 00:02:46,110 --> 00:02:48,960 There's no limit as to how much data can be stored. 48 00:02:48,960 --> 00:02:50,310 And it's OK in this. 49 00:02:50,310 --> 00:02:56,700 Scalability is another advantage to using tokens they're encoded, which will compact them into a small 50 00:02:56,700 --> 00:02:57,240 string. 51 00:02:57,690 --> 00:03:03,780 This compactness allows for a lot of data to be transferred without having to worry about overloading 52 00:03:03,780 --> 00:03:04,600 the request. 53 00:03:05,250 --> 00:03:07,470 The last section is the signature. 54 00:03:07,830 --> 00:03:11,880 The signature is used to verify the contents of the web token. 55 00:03:12,300 --> 00:03:15,420 The signature is the most critical part of a token. 56 00:03:15,810 --> 00:03:17,970 It's calculated with a few things. 57 00:03:18,210 --> 00:03:23,670 First, the header is encoded with base64 after it is added. 58 00:03:24,000 --> 00:03:28,170 This is to separate the next part of the signature, which is the payload. 59 00:03:28,470 --> 00:03:31,560 The payload is also encoded with base64. 60 00:03:32,100 --> 00:03:35,660 One less dot is added to the last part of the signature. 61 00:03:36,030 --> 00:03:39,690 This value is the most important part, which is the secret key. 62 00:03:40,080 --> 00:03:42,480 The secret key can be anything you want. 63 00:03:42,840 --> 00:03:45,300 The playground allows you to modify it. 64 00:03:45,570 --> 00:03:47,130 Suppose you were to change it. 65 00:03:47,340 --> 00:03:51,870 The encoded token to the left changes as well as an extra measure. 66 00:03:51,900 --> 00:03:55,470 You do have the option of encoding it with base sixty four. 67 00:03:56,040 --> 00:03:59,190 In the end, every part is concatenated together. 68 00:03:59,460 --> 00:04:03,780 The concatenated string is hashed with the algorithm you set in the header. 69 00:04:04,170 --> 00:04:06,060 The result is added to the token. 70 00:04:06,750 --> 00:04:09,510 We have the opportunity to play around with this. 71 00:04:09,630 --> 00:04:10,590 Let's do so. 72 00:04:10,770 --> 00:04:14,490 Inside the payload, we're going to add a property called admen. 73 00:04:14,790 --> 00:04:16,230 We'll set it to false. 74 00:04:18,680 --> 00:04:24,560 We are creating a property for determining if we have administrative permissions and this example, 75 00:04:24,680 --> 00:04:28,900 I set the admin property to false to indicate I'm not an admin. 76 00:04:29,270 --> 00:04:33,010 Now, let's say I'm a malicious user who's trying to become an admin. 77 00:04:33,290 --> 00:04:36,410 I would have to modify the token if I'd want to do that. 78 00:04:37,010 --> 00:04:41,810 From what we've learned, we know that the middle section is where the payload data is. 79 00:04:42,140 --> 00:04:48,140 The playground highlights this for us by changing the text color to purple, all copy of the encoded 80 00:04:48,140 --> 00:04:50,180 string that holds the payload data. 81 00:04:52,760 --> 00:04:59,660 After copying it, let's head over to Base64 Decode Dawg, and provide a link to it in the resource 82 00:04:59,660 --> 00:05:04,910 section of this lecture, paste the payload into the first box and decode it. 83 00:05:07,540 --> 00:05:13,480 This tool will give us access to the object that was decoded, we'll find that the admin property is 84 00:05:13,480 --> 00:05:14,910 still set to false. 85 00:05:15,190 --> 00:05:20,290 If I want to give myself admin permissions, I'll need to change this to true. 86 00:05:22,900 --> 00:05:25,480 Then I'll copy the entire object. 87 00:05:27,970 --> 00:05:34,570 At the very top of the site, I'm going to switch from decode to encode all paste the object into the 88 00:05:34,570 --> 00:05:36,220 first box and encode it. 89 00:05:38,840 --> 00:05:41,360 We've given ourselves admin permissions. 90 00:05:41,510 --> 00:05:47,770 The last step is to update the token with the modified payload, copy the payload into your clipboard, 91 00:05:48,020 --> 00:05:53,220 then we'll head back to the token playground's inside the encoded string. 92 00:05:53,270 --> 00:05:57,410 We're going to replace the second section with the newly encoded string. 93 00:05:58,940 --> 00:06:04,940 This trick may look like it at work, but it doesn't looking below will receive an error stating that 94 00:06:04,940 --> 00:06:06,560 the signature is invalid. 95 00:06:06,830 --> 00:06:11,240 On the right side, you'll find that the payload was correctly decoded. 96 00:06:11,490 --> 00:06:14,230 It has the admin properties set to true. 97 00:06:14,720 --> 00:06:17,810 The problem is that the payload and signature don't match. 98 00:06:18,020 --> 00:06:20,420 The signature is based on the payload. 99 00:06:20,750 --> 00:06:24,690 We'll need to update the signature if we want this to be a valid token. 100 00:06:25,400 --> 00:06:29,550 This is where the problem begins in order to create a new signature. 101 00:06:29,600 --> 00:06:31,070 We'll need to know the secret. 102 00:06:31,340 --> 00:06:34,360 The problem is that I don't know what the secret is. 103 00:06:34,640 --> 00:06:40,910 I may know what the header algorithm and payload are, but without the secret, I will have a hard time 104 00:06:40,910 --> 00:06:42,460 creating a fake signature. 105 00:06:42,830 --> 00:06:46,790 Therefore, I'm unable to generate a fake token to fool the back end. 106 00:06:47,420 --> 00:06:50,840 The secret is considered the most crucial part of a token. 107 00:06:51,140 --> 00:06:56,120 Even if a hacker can decode everything, it can be hard to spoof a token without the secret. 108 00:06:58,720 --> 00:07:03,670 This topic leads us to one final concern is it possible to steal a token? 109 00:07:03,850 --> 00:07:05,290 The answer is yes. 110 00:07:05,590 --> 00:07:09,670 It's not uncommon for people to sign in online at public locations. 111 00:07:09,860 --> 00:07:13,440 You shouldn't do this, but it does happen in these cases. 112 00:07:13,450 --> 00:07:16,330 Someone can monitor the network and steal a token. 113 00:07:16,960 --> 00:07:19,470 This issue is not exclusive to tokens. 114 00:07:19,660 --> 00:07:24,140 Anything that needs to be sent between the client and server can be stolen. 115 00:07:24,490 --> 00:07:28,130 This includes passwords, cookies, sessions, et cetera. 116 00:07:28,480 --> 00:07:31,180 So how do we prevent hackers from doing so? 117 00:07:31,810 --> 00:07:33,340 The answer is quite simple. 118 00:07:33,370 --> 00:07:40,570 SSL, SSL or TLC is a standard for encrypting data when it's sent between the client and server. 119 00:07:40,960 --> 00:07:44,940 Installing a certificate is a job handled by backend developers. 120 00:07:45,280 --> 00:07:47,730 Therefore, not much of a concern for us. 121 00:07:48,070 --> 00:07:52,900 There are hosting services that offer SSL certificates along with installation. 122 00:07:53,260 --> 00:07:57,060 It's vital that you have SSL enabled on your application. 123 00:07:57,730 --> 00:08:02,860 You'll have to anyway because Google will penalize you for not having an SSL certificate. 124 00:08:03,190 --> 00:08:05,290 It's a standard to have one nowadays. 125 00:08:05,500 --> 00:08:07,320 I always recommend grabbing one. 126 00:08:07,750 --> 00:08:12,510 There are premium certificates, but free certificates will do just fine. 127 00:08:12,910 --> 00:08:15,040 There isn't an excuse not to use one. 128 00:08:15,400 --> 00:08:20,680 I won't be going over how to install a certificate because it's beyond this course's scope. 129 00:08:20,950 --> 00:08:22,780 It's more of a backend sort of thing. 130 00:08:25,170 --> 00:08:31,230 We're finished with talking about tokens, they're a reliable method of transporting data between the 131 00:08:31,230 --> 00:08:32,650 client and the server. 132 00:08:33,030 --> 00:08:39,659 One last thing I want to show you where you can find this token firebase generates in the application 133 00:08:39,659 --> 00:08:44,880 panel of the developer tools navigate to the indexed DB storage. 134 00:08:47,350 --> 00:08:54,610 Under the table of values, select the firebase off, throw in the value column, Firebase will store 135 00:08:54,610 --> 00:08:57,010 an object with information about the user. 136 00:08:57,370 --> 00:09:02,360 The property we're interested in is the token manager property. 137 00:09:02,770 --> 00:09:07,260 This property is where Firebase is storing the token for validating the user. 138 00:09:07,510 --> 00:09:10,090 It's accessible to you in case you ever need it. 13249