ManyDesigns Portofino 4
php-jwt
Our great sponsors
ManyDesigns Portofino 4 | php-jwt | |
---|---|---|
1 | 16 | |
178 | 9,204 | |
-0.6% | 0.5% | |
7.7 | 6.3 | |
16 days ago | 27 days ago | |
Java | PHP | |
GNU General Public License v3.0 or later | BSD 3-clause "New" or "Revised" License |
Stars - the number of stars that a project has on GitHub. Growth - month over month growth in stars.
Activity is a relative number indicating how actively a project is being developed. Recent commits have higher weight than older ones.
For example, an activity of 9.0 indicates that a project is amongst the top 10% of the most actively developed projects that we are tracking.
ManyDesigns Portofino 4
php-jwt
-
Understanding user authentication on web and API
So basically if the login is successfull I have to create a JWT token (with something like this library) with the userID inside and send it via `setcookie()` for web or in a JSON response to the API client and consider it the long lived refresh token.
-
What is the best way to implement in-app purchases without a third-party service?
This depends on the library you end up downloading for the platform of your choosing. Some of the parts I explained above will be handled by the library for example in my case I decoded signedTransactionInfo using firebase/php-jwt. This has the added benefit of always checking the validity of the signature which was omitted in the manual method.
- Weekly "ask anything" thread
-
API Tokens: A Tedious Survey
> Why all the hate for JWTs?
> Just pick a crypto scheme and the JWT is just an encoding that makes it easier to use.
That's not what JWT is, but I can understand why someone would be misled into believing that.
JWT isn't just an encoding format, it also includes a crypto algorithm negotiation protocol that lets the attacker choose the algorithm. Even if you strictly allow-list which algorithm you want to support, you can accidentally bypass this control in many libraries if you suppor the `kid` (key ID) header. [1]
It also allows attackers to completely strip the security. [2] [3]
Put shortly, JWT is a gun aimed directly at your foot. That's why there's so much hate for JWTs.
[1] https://github.com/firebase/php-jwt/issues/351
[2] https://paragonie.com/blog/2017/03/jwt-json-web-tokens-is-ba...
- Possible security issue involving the Firebase JWT library for PHP (Algorithm Confusion with Key IDs)
-
PASETO v2.0.0 released! (Lengthy release notes)
We opened https://github.com/firebase/php-jwt/issues/351 to disclose an immediate finding from a casual review of their code.
-
Demystifying JWT: How to secure your next web app
php-jwt: a high-quality JWT library for PHP maintained by Firebase.
What are some alternatives?
PHP OAuth 2.0 Server - A spec compliant, secure by default PHP OAuth 2.0 Server
Ratchet - Asynchronous WebSocket server
Fast Route - Fast request router for PHP
fusionauth-jwt - A simple to use Java 8 JWT Library. Verify, Sign, Encode, Decode all day.
paseto - Platform-Agnostic Security Tokens
Traduora - Ever® Traduora™ - Open Translation Management Platform
Halite - High-level cryptography interface powered by libsodium
bubble - bubble 旨在为项目快速开发提供一系列的基础能力,方便使用者根据项目需求快速进行功能拓展。已将所有 JAR 包都推送至中央仓库,也会为每个版本的升级改动列出详细的更新日志
Hasura - Blazing fast, instant realtime GraphQL APIs on your DB with fine grained access control, also trigger webhooks on database events.
poxa - Pusher server implementation compatible with Pusher client libraries.
sysPass - Systems Password Manager
KeeWeb - Free cross-platform password manager compatible with KeePass