Configuration

Before you can sign in to your application, complete the following steps:

  • Generating JWT keys
  • Auth configuration for the local environment
  • Configuration of the SQL auth table
  • Configuration of token renewal times
  • Configuration of token validity
  • Configuration of the JWT authentication middleware
  • Login test

Generating JWT Keys

  1. Generate a random 16-character string for the encryption.iv key. Generate it locally (PHP's random_bytes() or any other CSPRNG) rather than with an online service such as random.org: a value fetched from a third party is not one you control.
  2. Generate an encryption.secret_key for token encryption. The call below prints 32 random bytes, Base64 encoded; random_bytes(32) is the modern equivalent of openssl_random_pseudo_bytes(32) and is preferred on current PHP versions:
echo base64_encode(openssl_random_pseudo_bytes(32)); // ewQrCBs/3Mp7RKgtbjd4jjdOJLY8uyENcmKcssQnvWE=
  3. The JWT encoder uses an asymmetric key pair: the private_key signs tokens and the public_key verifies them when a token is read. Run the following in any PHP file:
$keyPair = sodium_crypto_sign_keypair();
$publicKey = base64_encode(sodium_crypto_sign_publickey($keyPair));
$privateKey = base64_encode(sodium_crypto_sign_secretkey($keyPair));

echo $publicKey."\n";  // W9JHddARm1iwrIV+DhlQ1t0vGxWwgwVTHyHpjq6n4L8=   (sample output; yours will differ)
echo $privateKey."\n"; // KXgCiGnLLkYI/j/uGOgmSn5P9lATSZcd/p86azEgwW1b0kd10BGbWLCshX4OGVDW3S8bFbCDBVMfIemOrqfgvw==

You must regenerate the keys for every project and must never reuse the example values printed above: anyone who holds the private key can forge tokens for your application, and anyone who holds the encryption secret can read the encrypted cookie.
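As an added example (not code from the original page or the project), the script below generates all four values in one run from PHP's own CSPRNG, checks that the libsodium key sizes match what the private_key comment in the configuration warns about, and does a sign/verify round trip so you can see which key does what. The only assumption is that the sodium extension is loaded, which it is on PHP 7.2 and later.

```php
<?php
// Added example, not part of the original page or the project's code: generate
// every value the token configuration needs in one run, using PHP's CSPRNG
// (random_bytes / random_int) instead of an online generator, and check the
// sizes before printing. Requires the sodium extension (bundled since PHP 7.2).
declare(strict_types=1);

/** Random string from an unambiguous alphabet, one random_int() call per character. */
function randomString(int $length): string
{
    $alphabet = 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789';
    $last = strlen($alphabet) - 1;
    $out = '';
    for ($i = 0; $i < $length; $i++) {
        $out .= $alphabet[random_int(0, $last)];
    }
    return $out;
}

// encryption.iv: exactly 16 characters, as the configuration expects.
$iv = randomString(16);

// encryption.secret_key: 32 random bytes, Base64 encoded. Same shape as the
// openssl_random_pseudo_bytes() line in the text; random_bytes() throws on a
// CSPRNG failure instead of returning weak bytes.
$secretKey = base64_encode(random_bytes(32));

// Ed25519 key pair: the private (secret) key signs tokens, the public key verifies them.
$keyPair    = sodium_crypto_sign_keypair();
$publicKey  = sodium_crypto_sign_publickey($keyPair);
$privateKey = sodium_crypto_sign_secretkey($keyPair);

// Size check: libsodium expects a 32-byte public key and a 64-byte secret key
// (32-byte seed followed by the public key). A key from another tool that
// decodes to only 32 bytes is a seed, not a secret key, and would need to be
// expanded with sodium_crypto_sign_seed_keypair() first.
if (strlen($publicKey) !== SODIUM_CRYPTO_SIGN_PUBLICKEYBYTES
    || strlen($privateKey) !== SODIUM_CRYPTO_SIGN_SECRETKEYBYTES) {
    throw new RuntimeException('Unexpected libsodium key sizes');
}

// Round trip: a detached signature made with the private key must verify with
// the public key, and must stop verifying once the message is altered.
$message   = 'constructed test payload';            // constructed sample input
$signature = sodium_crypto_sign_detached($message, $privateKey);
if (!sodium_crypto_sign_verify_detached($signature, $message, $publicKey)) {
    throw new RuntimeException('Signature did not verify');
}
if (sodium_crypto_sign_verify_detached($signature, $message . 'x', $publicKey)) {
    throw new RuntimeException('Tampered message verified');
}

// Ready-to-paste values for the 'token' block of config/autoload/local.php.
printf("'iv'          => '%s',\n", $iv);
printf("'secret_key'  => '%s',\n", $secretKey);
printf("'public_key'  => '%s',\n", base64_encode($publicKey));
printf("'private_key' => '%s',\n", base64_encode($privateKey));

// Wipe the raw secret key from memory once it has been printed.
sodium_memzero($privateKey);
```

Run it once per project and paste the output into local.php; do not commit the generated private_key or secret_key to version control.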

You must define the key you created in the public_key and private_key fields as follows.

Token Configuration

config/autoload/local.php

// local.php
//
'token' => [
    // Cookie encryption
    'encryption' => [
        'iv' => '', // random 16-character string
        'enabled' => false, // must be true in the production environment
        'secret_key' => '', // Base64 of 32 random bytes
    ],
    // Public and private keys are expected to be Base64 encoded.
    'public_key' => '',
    // Secret keys generated by other tools may need to be
    // adjusted to match the input expected by libsodium.
    'private_key' => '',
    //
    // Session lifetime in minutes. Shorter is stronger,
    // but the TTL cannot be less than 10 minutes.
    'session_ttl' => 15,
    // How long a token stays valid in the app, in minutes;
    // every "x" minutes the token is refreshed. You can
    // reduce the time for higher security.
    'token_validity' => 5,
    // Whether to check the IP and User-Agent when the token is resolved.
    //
    'validation' => [
        'user_ip' => true,
        'user_agent' => true,
    ],
],
Key reference

encryption.iv
    A random 16-character string. Generate it locally with a CSPRNG rather than with an online service such as random.org.

encryption.enabled
    Turns the encryption of the token on or off before it is sent to the user. It is strongly recommended that encryption be turned on in the production environment.

encryption.secret_key
    A random secret generated with base64_encode(openssl_random_pseudo_bytes(32)) (or random_bytes(32)). Do not share this secret with anyone.

public_key
    Public and private keys are expected to be Base64 encoded. See the example above for creating the key pair.

private_key
    Secret keys generated by other tools may need to be adjusted to match the input expected by libsodium (a 64-byte secret key, not a 32-byte seed). See the example above for creating the key pair. Do not share this key with anyone.

session_ttl
    Lifetime of the session, in minutes: after a token is signed, this is how long the user's session entry is kept in the cache. While the browser is open, the frontend sends an automatic HTTP request every 5 minutes and each one resets the counter, so users with an open browser stay logged in; once the browser is closed the cache entry expires and the session ends. Do not set it below 10 minutes, or sessions may end at unexpected times. If you still want a shorter value, also lower VITE_SESSION_UPDATE_TIME in the .env.* file of your frontend application so the refresh request arrives before the entry expires.

token_validity
    How long, in minutes, a token issued to the user is valid before it is renewed. A shorter value improves security, but values under 5 minutes may exhaust server and client resources.

validation.user_ip
    If the user's current IP address does not match the IP address stored in the token, the user is logged out. Expect this to log out users whose address changes mid-session (mobile networks, some corporate proxies).

validation.user_agent
    If the user's User-Agent does not match the one stored in the token, the user is logged out. A browser update during a session has the same effect.
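A check script for the values above, added here as an example and not part of the project: checkTokenConfig() is a hypothetical helper that encodes the rules from the key descriptions (16-character iv, 32-byte secret_key, libsodium key sizes, encryption on in production, the 10- and 5-minute floors) and additionally assumes, as an editor's rule rather than a documented one, that token_validity should not exceed session_ttl. It runs once against a constructed weak configuration and once against a freshly generated good one.

```php
<?php
// Added example, not the project's own code: a sanity check for the 'token'
// block of config/autoload/local.php. Returns a list of problems; an empty
// list means the configuration passes. $env is the deployment environment
// (assumption: 'production' is the value you set for live systems).
declare(strict_types=1);

function checkTokenConfig(array $token, string $env): array
{
    $problems = [];
    $enc = $token['encryption'] ?? [];

    if (strlen((string) ($enc['iv'] ?? '')) !== 16) {
        $problems[] = 'encryption.iv must be exactly 16 characters';
    }
    $secret = base64_decode((string) ($enc['secret_key'] ?? ''), true);
    if ($secret === false || strlen($secret) !== 32) {
        $problems[] = 'encryption.secret_key must be Base64 of 32 random bytes';
    }
    if ($env === 'production' && empty($enc['enabled'])) {
        $problems[] = 'encryption.enabled must be true in production';
    }

    // libsodium signing keys: 32-byte public key, 64-byte secret key.
    $pk = base64_decode((string) ($token['public_key'] ?? ''), true);
    if ($pk === false || strlen($pk) !== SODIUM_CRYPTO_SIGN_PUBLICKEYBYTES) {
        $problems[] = 'public_key must be Base64 of a 32-byte Ed25519 public key';
    }
    $sk = base64_decode((string) ($token['private_key'] ?? ''), true);
    if ($sk === false || strlen($sk) !== SODIUM_CRYPTO_SIGN_SECRETKEYBYTES) {
        $problems[] = 'private_key must be Base64 of a 64-byte libsodium secret key';
    } elseif ($pk !== false && sodium_crypto_sign_publickey_from_secretkey($sk) !== $pk) {
        $problems[] = 'public_key does not belong to private_key';
    }

    // Timing rules from the key descriptions.
    $ttl      = (int) ($token['session_ttl'] ?? 0);
    $validity = (int) ($token['token_validity'] ?? 0);
    if ($ttl < 10) {
        $problems[] = 'session_ttl must not be below 10 minutes';
    }
    if ($validity < 5) {
        $problems[] = 'token_validity below 5 minutes may exhaust resources';
    }
    if ($validity > $ttl) {
        // Editor's assumption, not a documented rule: refreshing less often
        // than the session lives means the session expires before renewal.
        $problems[] = 'token_validity should not exceed session_ttl';
    }
    return $problems;
}

// Constructed weak configuration: empty keys, encryption off, TTL too short.
$weak = [
    'encryption'  => ['iv' => '', 'enabled' => false, 'secret_key' => ''],
    'public_key'  => '',
    'private_key' => '',
    'session_ttl' => 5,
    'token_validity' => 1,
    'validation'  => ['user_ip' => true, 'user_agent' => true],
];
print_r(checkTokenConfig($weak, 'production')); // one line per violated rule

// Corrected configuration built from freshly generated values.
$kp   = sodium_crypto_sign_keypair();
$good = [
    'encryption' => [
        'iv'         => bin2hex(random_bytes(8)),      // 16 hex characters
        'enabled'    => true,
        'secret_key' => base64_encode(random_bytes(32)),
    ],
    'public_key'  => base64_encode(sodium_crypto_sign_publickey($kp)),
    'private_key' => base64_encode(sodium_crypto_sign_secretkey($kp)),
    'session_ttl' => 15,
    'token_validity' => 5,
    'validation'  => ['user_ip' => true, 'user_agent' => true],
];
print_r(checkTokenConfig($good, 'production')); // empty array when everything passes
```

Wire it into a deploy step or a PHPUnit test that loads the real local.php, so a placeholder key or a disabled encryption flag fails the build instead of reaching production.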

SQL Query Table

During login, App\Authentication\AuthenticationAdapter runs its SQL query against the table and the identity and password columns named in the configuration.

config/autoload/mezzio.global.php

// mezzio.global.php
//
'authentication' => [
    'tablename' => 'users',
    'username' => 'email',    // identity column in the table
    'password' => 'password', // password (hash) column in the table
    'form' => [
        'username' => 'username', // username form input name
        'password' => 'password', // password form input name
    ]
],

Make sure that a table named users exists in the database. The password column stores a bcrypt hash (the $2y$10$ value in the demo row below is what password_hash() produces), never the plain-text password.

DROP TABLE IF EXISTS `users`;

CREATE TABLE `users` (
  `userId` varchar(36) CHARACTER SET utf8mb3 COLLATE utf8mb3_general_ci NOT NULL,
  `email` varchar(160) CHARACTER SET utf8mb3 COLLATE utf8mb3_general_ci DEFAULT NULL,
  `password` varchar(255) CHARACTER SET utf8mb3 COLLATE utf8mb3_general_ci DEFAULT NULL,
  `firstname` varchar(120) CHARACTER SET utf8mb3 COLLATE utf8mb3_general_ci DEFAULT NULL,
  `lastname` varchar(120) CHARACTER SET utf8mb3 COLLATE utf8mb3_general_ci DEFAULT NULL,
  `createdAt` datetime DEFAULT NULL,
  `active` tinyint(1) DEFAULT '0',
  `themeColor` char(7) DEFAULT NULL,
  PRIMARY KEY (`userId`) USING BTREE
) ENGINE=InnoDB DEFAULT CHARSET=utf8mb3 ROW_FORMAT=DYNAMIC;

/*Data for the table `users` */

INSERT INTO `users`(`userId`,`email`,`password`,`firstname`,`lastname`,`createdAt`,`active`,`themeColor`) VALUES 
(
    '21615870-4f89-4ab8-b91e-af6370a3089e',
    '[email protected]',
    '$2y$10$sXQiNPPK5TQFIORtQ4fxKex4GJkHMa7h5loGHB0Ea.fj4dQWlKZn.',
    'Demo',
    'Login',
    '2021-12-22 12:32:17',
    1,
    '#0a7248'
),
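The lookup described above, as an added example that is not the project's App\Authentication\AuthenticationAdapter (whose code is not on this page): it builds the query from the same tablename/username/password configuration keys, binds the identity as a parameter, and compares the submitted password against the stored bcrypt hash with password_verify() rather than in SQL. createUser() and uuidV4() are hypothetical helpers that insert a row in the shape of the demo INSERT. The table is a constructed in-memory SQLite copy of the relevant columns so the script runs offline; the active = 1 filter and the equal-cost handling of unknown identities are assumptions, not documented adapter behaviour.

```php
<?php
// Added example, not the project's AuthenticationAdapter: a minimal login
// lookup driven by the 'authentication' config keys, plus a helper that
// stores a new user with a bcrypt hash. Runs against an in-memory SQLite
// table (constructed) that mirrors the column names of the MySQL DDL above.
declare(strict_types=1);

$config = [
    'tablename' => 'users',
    'username'  => 'email',
    'password'  => 'password',
];

/** Identifiers cannot be bound as parameters, so allow only plain names from config. */
function safeIdentifier(string $name): string
{
    if (!preg_match('/^[A-Za-z_][A-Za-z0-9_]*$/', $name)) {
        throw new InvalidArgumentException("Unsafe identifier: $name");
    }
    return "`$name`";
}

/** RFC 4122 version-4 UUID, the format used by userId in the demo row. */
function uuidV4(): string
{
    $b = random_bytes(16);
    $b[6] = chr((ord($b[6]) & 0x0f) | 0x40); // version 4
    $b[8] = chr((ord($b[8]) & 0x3f) | 0x80); // RFC 4122 variant
    return vsprintf('%s%s-%s-%s-%s-%s%s%s', str_split(bin2hex($b), 4));
}

function createUser(PDO $pdo, array $cfg, string $email, string $plainPassword): string
{
    $id  = uuidV4();
    $sql = sprintf(
        'INSERT INTO %s (`userId`, %s, %s, `active`) VALUES (?, ?, ?, 1)',
        safeIdentifier($cfg['tablename']),
        safeIdentifier($cfg['username']),
        safeIdentifier($cfg['password'])
    );
    // Store only the bcrypt hash; password_hash() generates the salt.
    $pdo->prepare($sql)->execute([$id, $email, password_hash($plainPassword, PASSWORD_BCRYPT)]);
    return $id;
}

/** Returns the user row (without the hash) on success, null otherwise. */
function authenticate(PDO $pdo, array $cfg, string $identity, string $plainPassword): ?array
{
    $sql = sprintf(
        'SELECT * FROM %s WHERE %s = ? AND `active` = 1', // active filter: assumption
        safeIdentifier($cfg['tablename']),
        safeIdentifier($cfg['username'])
    );
    $stmt = $pdo->prepare($sql);
    $stmt->execute([$identity]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    // Verify against a throwaway hash when the user is unknown, so a missing
    // account costs about the same time as a wrong password (assumption).
    $hash = $row[$cfg['password']] ?? password_hash('dummy', PASSWORD_BCRYPT);
    if (!password_verify($plainPassword, $hash) || $row === false) {
        return null;
    }
    unset($row[$cfg['password']]); // never hand the hash to the session
    return $row;
}

// Constructed in-memory table with the column names used by the DDL above.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE `users` (`userId` TEXT PRIMARY KEY, `email` TEXT,
            `password` TEXT, `active` INTEGER DEFAULT 0)');

createUser($pdo, $config, 'demo@example.com', 'correct horse battery staple'); // constructed user
var_dump(authenticate($pdo, $config, 'demo@example.com', 'correct horse battery staple'));
var_dump(authenticate($pdo, $config, 'demo@example.com', 'wrong password'));
var_dump(authenticate($pdo, $config, 'nobody@example.com', 'anything'));
```

The first var_dump prints the user row with the hash removed; the other two print NULL. If you change the column names in mezzio.global.php, the only thing that changes here is the $config array, which is the point of keeping identifiers whitelisted and values bound.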