JWT (JSON Web Token)

Structure

JSON Web Tokens consist of three parts separated by dots (.); each part is base64url-encoded

  • Header: the token type and the signing algorithm (e.g. HS256, i.e. HMAC-SHA256)

    {
    "alg": "HS256",
    "typ": "JWT"
    }

  • Payload: contains a set of claims (think of them as the token's fields)

    {
    "sub": "1234567890",
    "name": "John Doe",
    "admin": true
    }

  • Signature: To create the signature part you have to take the encoded header, the encoded payload, a secret, the algorithm specified in the header, and sign that.

    HMACSHA256(
    base64UrlEncode(header) + "." + base64UrlEncode(payload),
    secret
    )

Finally, each of the three parts is base64url-encoded and the results are joined with "."

example: xxx.yyy.zzz, where xxx is the base64url encoding of the header, and yyy and zzz are likewise the encoded payload and signature

How it works

At its core, a JWT is a mechanism for verifying the authenticity of some JSON data.

With JWT the server does not need to store any state: the client's state lives in the JWT, which is sent along with every request to the server, so it is the client that maintains the state.

As a result, for requests made after login the server does not need to look the user up in the database; the JWT alone is enough.

Users would log in with their credentials. The server authenticates the user, often by checking the entered credentials against a database. Upon successful login, the server creates a JWT containing user information and a signature to verify its authenticity. The server sends the JWT to the client. Then, each subsequent request from the client includes the JWT. The server validates the token’s signature to ensure it hasn’t been tampered with. The user’s identity and authorization details are extracted from the token, eliminating the need for constant database lookups.

(1) A JWT is not encrypted by default, but it can be: after generating the raw token, it can be encrypted again with a key.

(2) When the JWT is not encrypted, secret data must not be written into it.

(3) JWT can be used not only for authentication but also for exchanging information. Used well, it reduces the number of database queries the server has to make.

(4) The biggest drawback of JWT is that, because the server keeps no session state, it cannot revoke a token while it is in use or change the token's permissions. In other words, once a JWT has been issued it stays valid until it expires, unless the server deploys extra logic.

(5) The JWT itself carries the authentication information, so once it leaks, anyone holding it gets all of the token's permissions. To limit the damage from theft, JWT lifetimes should be kept short, and for more sensitive permissions the user should be re-authenticated at the time of use.

(6) To limit theft, JWTs should not be sent in plaintext over HTTP; use HTTPS.

RBAC (Role-Based Access Control)

RBAC0 model: one or more permissions are attached to a role, and one or more roles are then assigned to a user. Both the permission-to-role relation and the role-to-user relation are many-to-many.

Roles: e.g. regular teacher, admin teacher
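The RBAC0 model above as an added JavaScript example (my own illustration, not from any framework): both relations are many-to-many, a user's effective permissions are the union over all of their roles, and removing a role takes its permissions away immediately. The role and permission names are constructed, following the two roles named above.

```javascript
// Minimal RBAC0: permission <-> role and role <-> user are both many-to-many.
class Rbac {
  constructor() {
    this.rolePermissions = new Map(); // role -> Set of permissions
    this.userRoles = new Map();       // user -> Set of roles
  }
  grant(role, permission) {
    if (!this.rolePermissions.has(role)) this.rolePermissions.set(role, new Set());
    this.rolePermissions.get(role).add(permission);
  }
  assign(user, role) {
    if (!this.userRoles.has(user)) this.userRoles.set(user, new Set());
    this.userRoles.get(user).add(role);
  }
  revokeRole(user, role) {
    if (this.userRoles.has(user)) this.userRoles.get(user).delete(role);
  }
  // Effective permissions = union of the permissions of every role the user holds
  permissionsOf(user) {
    const out = new Set();
    for (const role of this.userRoles.get(user) || []) {
      for (const p of this.rolePermissions.get(role) || []) out.add(p);
    }
    return out;
  }
  // Authorization check: deny by default for unknown users and unknown permissions
  can(user, permission) {
    return this.permissionsOf(user).has(permission);
  }
}

// Constructed example using the two roles named above
function buildSchoolRbac() {
  const rbac = new Rbac();
  rbac.grant('teacher', 'grade:read');
  rbac.grant('teacher', 'grade:write');
  rbac.grant('admin-teacher', 'grade:read');      // shared with teacher
  rbac.grant('admin-teacher', 'course:manage');
  rbac.assign('alice', 'teacher');
  rbac.assign('bob', 'teacher');
  rbac.assign('bob', 'admin-teacher');            // one user, several roles
  return rbac;
}
```

Because checks go through the role, changing what a role may do updates every user holding it; this is the part a JWT-only design cannot do after issuance (note (4) above), unless role membership is looked up server-side at request time.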

session

session_id    expires    data
xxxx          int        {}

A session creates a unique ID per user recorded on the user’s browser as a cookie and stores some information on that user in the server. Whenever that user makes a request, the server will match a user with the proper session data.

https://darifnemma.medium.com/how-to-store-session-in-mysql-database-using-express-mysql-session-ae2f67ef833e

express-mysql-session

Note Session data is not saved in the cookie itself, just the session ID. Session data is stored server-side.

REST API (Representational State Transfer)

principles:

  1. Uniform Interface: This implies that the same operations (GET, POST, PUT, DELETE) should be used uniformly across all resources.
  2. Stateless Interactions: No client context is stored on the server between requests. Each request from the client to the server must contain all the information needed to understand and complete the request.
  3. Client-Server Architecture: By separating concerns, this model improves the portability of the user interface across multiple platforms and scalability by simplifying server components.
  4. Layered System: Client requests might pass through several layers of intermediary servers (like proxies or gateways) that provide additional functionalities such as load balancing, shared caching, or encryption.
  5. Cacheability: As on the web, clients and intermediaries can cache responses. Responses must define themselves as cacheable or not, to prevent clients from reusing stale or inappropriate data.
  6. Code on Demand (optional): Servers can extend client functionality by transferring executable code, such as scripts, for temporary use.

Database

schema

In a database, a schema is a collection of database objects: tables, views, stored procedures, indexes and so on. Typically each user has one such collection, so the collections need names to tell them apart. A user's schema name is the same as the user name and serves as that user's default schema, which is why a schema looks like a user name.

pool

createConnection creates a single MySQL connection; if every connection.query is run on a brand-new connection, that wastes a great deal of resources and lowers performance.

A connection pool is the alternative: it creates several connections up front, then automatically hands them out, reuses them and manages them in response to client queries.
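What the pool does internally, as an added JavaScript example (my own minimal pool, not the mysql module's createPool): a fixed maximum of connections, idle ones reused, callers queued when all are busy, and the connection always returned even when the query throws. The connection factory is a constructed stand-in for createConnection that only counts how many connections it opened, so the reuse is measurable without a database.

```javascript
// Constructed stand-in for createConnection: counts how many "real" connections
// get opened so that the effect of pooling can be measured offline.
function makeConnectionFactory() {
  let opened = 0;
  return {
    opened: () => opened,
    create: () => {
      opened += 1;
      return { id: opened, query: async (sql) => `result of ${sql}` };
    },
  };
}

// Minimal connection pool: at most `max` connections, idle ones handed out
// first, callers queued (FIFO) when every connection is busy.
class Pool {
  constructor(factory, max) {
    this.factory = factory;
    this.max = max;
    this.idle = [];      // connections not currently in use
    this.total = 0;      // connections opened so far (never exceeds max)
    this.waiters = [];   // resolve callbacks of callers waiting for a connection
  }
  acquire() {
    if (this.idle.length) return Promise.resolve(this.idle.pop());
    if (this.total < this.max) {
      this.total += 1;
      return Promise.resolve(this.factory.create());
    }
    return new Promise((resolve) => this.waiters.push(resolve));
  }
  release(conn) {
    const next = this.waiters.shift();
    if (next) next(conn);      // hand straight to the next waiter
    else this.idle.push(conn); // otherwise park it for reuse
  }
  // Borrow a connection, run the query, and always give the connection back;
  // forgetting the release (e.g. on error) is how pools get exhausted.
  async query(sql) {
    const conn = await this.acquire();
    try {
      return await conn.query(sql);
    } finally {
      this.release(conn);
    }
  }
}

// Run `n` concurrent queries through a pool of size `max` and report how many
// connections were actually opened (expected: min(n, max)).
async function runWorkload(n, max) {
  const factory = makeConnectionFactory();
  const pool = new Pool(factory, max);
  const results = await Promise.all(
    Array.from({ length: n }, (_, i) => pool.query(`SELECT ${i}`))
  );
  return { opened: factory.opened(), results };
}
```

With ten concurrent queries and a pool of two, only two connections are ever opened; the other eight queries wait briefly and reuse them, which is the "distribute, reuse and manage" behaviour described above.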