JWT API: A Comprehensive Project Overview
Introduction
The JWT API project is designed to demonstrate how to implement JSON Web Token (JWT) authentication and authorization using ASP.NET Core 7 from the ground up. This project is particularly beneficial for developers who want to understand the intricacies of user authentication and secure API communications.
Key Features
The JWT API offers a variety of features that ensure secure and effective authentication processes:
- User Registration: Users register with a valid email address and a password.
- Password Hashing: Passwords are stored as hashes, never in plaintext.
- Role-Based Authorization: Each endpoint can be restricted to specific user roles, so a valid token alone is not enough to reach every resource.
- Token-Based Authentication: Users log in with their credentials and receive a signed access token that authenticates subsequent requests.
- Token Refresh: A refresh token lets a client obtain a new access token when the current one expires, without sending the credentials again.
- Revoking Tokens: Refresh tokens can be revoked (for example on sign-out) so that a stolen or leftover token cannot be used to mint new access tokens.
Frameworks and Libraries
The functionality of the JWT API is powered by several well-known libraries and frameworks:
- Entity Framework Core: Facilitates data access and manipulation.
- AutoMapper: Streamlines mapping between domain entities and resource classes.
Testing the API
Using Swagger
To aid testing, the project integrates with Swagger, providing an interface to browse and exercise the API routes. After running the application, navigate to /swagger to view the interactive API documentation.
Using Postman
For more comprehensive API testing, tools like Postman can be employed. The following steps demonstrate how to use Postman with the JWT API:
- Clone the repository, restore the dependencies and start the application:
  $ git clone https://github.com/evgomes/jwt-api.git
  $ cd jwt-api/src
  $ dotnet restore
  $ dotnet run
- Creating Users: Send a POST request to http://localhost:5000/api/users with a JSON payload containing an email and password:
  {
  "email": "[email protected]",
  "password": "123456"
  }
- Requesting Access Tokens: POST the same user credentials to http://localhost:5000/api/login to receive an access token together with its expiration details.
Accessing Protected Data
The JWT API provides different endpoints for users based on their roles:
- Common Users: Access http://localhost:5000/api/protectedforcommonusers.
- Administrators: Access http://localhost:5000/api/protectedforadministrators.
A valid access token is required in the Authorization header:
Authorization: Bearer your_valid_access_token_here
Should a user with insufficient privileges attempt to access an admin-only endpoint, they receive a 403 - Forbidden response. A request with no token, an expired token or an invalid token is rejected before any role check is made.
Refreshing Tokens
To keep users logged in, the API offers a token refresh mechanism. Users can request a new access token by providing a valid refresh token and email:
{
"token": "your_valid_refresh_token",
"userEmail": "[email protected]"
}
Revoking Tokens
Tokens can be revoked for security or user sign-out purposes via a POST request to http://localhost:5000/api/token/revoke with the refresh token in the body:
{
"token": "valid_refresh_token"
}
This results in a 204 No Content response.
Conclusion
This JWT API project aims to assist developers in implementing secure authentication and authorization within their own projects. By leveraging JSON Web Tokens, the project emphasizes security and ease of use. For any questions, suggestions, or contributions, developers are encouraged to engage with the project through issues or pull requests.