This lesson will digitally sign the IBM Domino user information into a JWT which can then be sent from the server to the client.
This JWT can then be sent back from the client to the server, where the role information within the JWT is decoded to determine a user's level of functional access.
Instructor: [00:01] The first thing we're going to do is install a new library in our Node server called JSON Web Token. We're then going to modify our user roles route. The first thing we're going to do is deconstruct the roles and user name from the response.
[00:14] For convenience, we're going to set an expiry on the JWT file of seven days. Remember, Domino is still doing the security role. Even if the user says they have a certain role, if they don't have access to the data, Domino will still reject it.
[00:30] We'll just have a date, which will be today. Expiry date, and pass in the today date, and we're adding seven days. Our payload is going to be an object. The JWT library will have a sign method for that object.
[00:48] The first thing we're going to have is the user name, the roles, the expiry. This is a standard for JWT, EXP, and then we need a secret. For now, we're going to hard-code a secret in here. We'll use the secret to decode the JWT later on. We'll just use Egghead for now. Finally, we're going to send the JWT token back to the client.
[01:17] Let's see what that looks like. Firing up the browser to our localhost with the index.html, so our service is running. The first thing I'm going to do is log in so that we refresh our local token. We successfully logged in, and we got the Domino session ID stored in our local storage.
[01:37] Now if I call get user roles, what should happen is if I look in the console, we actually get back a nice long string. If I look at the network tab, this should probably be easy to see. Our response is a Base64-encoded string.
[01:53] JWT tokens are not protecting any sort of privacy. You shouldn't put anything secret in here, because if I go to another website here, which is called jwt.io, if I scroll up, and if I paste my token in, you can see on this side that actually, it's decrypted my JWT token.
[02:14] There is my name, and my roles. Just to be aware, do not store anything secret in your JWT token. The important thing is if I try and manipulate this Base64 in the client and send it back, my Node server will reject the token, and therefore not respect the roles that I'm trying to say I have.