Code 401 Class 33 Reading Notes
JSON Web Tokens
JSON Web Token(JWT) is an open standard (RFC 7519) that defines a compact and self-contained way for securely transmitting information between parties as a JSON object. This information can be verified and trusted because it is digitally signed.
When are they useful?
- Authorization: Most common scenario, allows the user to access routes, services, and resources that are permitted with that token.
- Information Exchange: JSON Web Tokens are a good way of securely transmitting information between parties. This ensures that you can be sure the senders are who they say they are.
Structure
- Header: Typically consists of two parts, the type of token, which JWT, and the signing algorithm being used.
- Payload: Contains claims, which are statements about entity and additional data.
- Registered claims: These are a set of predefined claims which are not mandatory but recommended.
- Public claims: Can be defined at will by those using JWTs. They should be defined in the IANA JSON Web Token Registry, or as a URI that contains a collision resistant namespace.
- Private claims: Custom claims to share information between parties that agree on using them and are neither registered or public claims.
- Signature: Takes the encoded header, the encoded payload, a secret, the algorithm specified in the header, and sign that.
——————————–
DRF JWT Authentication
pip install djangorestframework_simplejwt
: installs the recommended library by the DRF developers.- settings.py
REST_FRAMEWORK = { 'DEFAULT_AUTHENTICATION_CLASSES': [ 'rest_framework_simplejwt.authentication.JWTAuthentication', ], }
- urls.py ` from django.urls import path from rest_framework_simplejwt import views as jwt_views
urlpatterns = [ # Your URLs… path(‘api/token/’, jwt_views.TokenObtainPairView.as_view(), name=’token_obtain_pair’), path(‘api/token/refresh/’, jwt_views.TokenRefreshView.as_view(), name=’token_refresh’), ] `
——————————–
Django Runserver Is Not Your Production Server
Do NOT USE THIS SERVER IN A PRODUCTION SETTING> It has not gone through security audits or performance tests.
- The server started with
runservers
is not guaranteed to be performant (it’s very slow), and it hasn’t been built with security concerns in mind. - Production Stack: Usually consists of multiple components, each designed and built to be really good at one specific thing. Fast reliable and very focused.
- Django uses
uwsgi.py
file, which contains a function to be called by the application server. This function gets a Python object representing the incoming request.- This function calls your code, and produces a response object which is passed to the WSGI server. There the response is translated into a HTTP response and is passed back to the web server, which finally delivers it to the user.
——————————–