2. Slim Framework
Micro Webservice Framework
Welcome
Slim is a PHP micro framework that helps you
quickly write simple yet powerful web applications
and APIs.
At its core, Slim is a dispatcher that receives an
HTTP request, invokes an appropriate callback
routine, and returns an HTTP response. That’s it.
Why use Slim?
● RESTful routing built in
● Good documentation
● Provides what a micro framework should have
and nothing more
● Very large following
● Easy to learn
3. Slim Framework
PSR-7 and value objects
The PSR-7 interfaces provide methods to transform
Request and Response objects; as value objects they are
immutable, so each change returns a new instance
Dependency Container
Slim uses a dependency container to prepare, manage, and
inject application dependencies
Middleware
You can run code before and after your Slim application to
manipulate the Request and Response objects as you see fit.
This is called middleware.
Request and Response
When you build a Slim app, you are often working directly
with Request and Response objects.
These objects represent the actual HTTP request
received by the web server and the eventual HTTP
response returned to the client
4. Slim Framework
Why would you want to use middleware?
● Protect your app (XSS)
● Authenticate
● API Logging
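The three middleware uses listed above, together with the dispatcher, the container and PSR-7 immutability from the previous slides, in one runnable Slim 3 application. This is an added example, not code from the slides or from the Slim project; it assumes slim/slim ^3 installed with Composer and uses PHP's built-in error_log() as the "logger" so there are no other dependencies.

```php
<?php
// Added example (not from the slides): a minimal Slim 3 app showing the
// dispatcher, the dependency container, PSR-7 immutability and two pieces of
// middleware (API logging and browser hardening headers).
// Assumes slim/slim ^3 installed with Composer.
require __DIR__ . '/vendor/autoload.php';

$app = new \Slim\App();

// Dependency container: register a tiny logging service under a name so
// other code can pull it out instead of constructing it itself.
$container = $app->getContainer();
$container['apiLogger'] = function ($c) {
    return function (string $line) {
        error_log('[api] ' . $line);
    };
};

// Middleware 1 (API logging): code that runs before AND after the route.
// Slim 3 binds the closure to the container, so $this is the container.
$app->add(function ($request, $response, $next) {
    $log   = $this->get('apiLogger');
    $start = microtime(true);
    $response = $next($request, $response);       // hand off to the next layer
    $ms = (int) round((microtime(true) - $start) * 1000);
    $log(sprintf('%s %s -> %d (%d ms)',
        $request->getMethod(), $request->getUri()->getPath(),
        $response->getStatusCode(), $ms));
    return $response;
});

// Middleware 2 (protect your app): add hardening headers to every response.
// PSR-7 messages are immutable: withHeader() returns a NEW response, so the
// returned object must be used, never the original.
$app->add(function ($request, $response, $next) {
    $response = $next($request, $response);
    return $response
        ->withHeader('X-Content-Type-Options', 'nosniff')
        ->withHeader('Content-Security-Policy', "default-src 'self'");
});

// Route callback: the "appropriate callback routine" the dispatcher invokes.
$app->get('/hello/{name}', function ($request, $response, $args) {
    // Escape user-controlled input before it lands in HTML (XSS protection).
    $safe = htmlspecialchars($args['name'], ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return $response->write("<p>Hello, {$safe}</p>");
});

// A JSON endpoint; withJson() is a Slim 3 Response convenience method.
$app->get('/api/ping', function ($request, $response) {
    return $response->withJson(['ok' => true, 'time' => time()]);
});

$app->run();
```

Middleware added with `$app->add()` wraps the whole application, so the last one added is the outermost layer; the route callback at the centre only ever sees a Request that has already passed through every layer, and each layer sees the Response on its way back out.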
6. Json Web Token
Micro Service Framework
What is a JSON Web Token?
● JSON Web Token (JWT) is an open standard (RFC
7519) that defines a compact and self-contained
way for securely transmitting information between
parties as a JSON object.
● This information can be verified and trusted because
it is digitally signed.
When should you use JSON Web Tokens?
● Authentication: once the user is logged in, each subsequent
request will include the JWT
● Information Exchange: JWTs are a good way of securely
transmitting information between parties
7. Json Web Token
What is the JSON Web Token structure?
● Header: The header typically consists of two parts:
○ The type of the token (JWT)
○ The signing algorithm (e.g. HMAC-SHA256, RSA…)
● Payload: Contains three types of claims
○ Reserved: iss (issuer), exp (expiration), sub (subject)...
○ Public: These can be defined at will by those using JWTs
○ Private: Information between parties
● Signature: computed over
○ The encoded header
○ The encoded payload
○ A secret
○ using the algorithm named in the header
8. Json Web Token
Putting it all together
● The output is three Base64url-encoded strings separated by dots
● The claims body is the best part! It can tell:
9. Json Web Token
How do JSON Web Tokens work?
● In Authentication, when the user successfully logs
in with their credentials, a JWT is returned and
must be saved locally (typically in local storage,
though cookies can also be used)
● In Authorization, whenever the user wants to
access a protected route or resource, the client sends
the JWT, typically in the Authorization header
● This is a stateless authentication mechanism, as the
user state is never saved in server memory
● As JWTs are self-contained, all the necessary
information is in the token (reducing the need to go
back to the database)
11. Json Web Token
What are we most concerned about?
● Sessions: every time a user is authenticated, the server needs to create a record somewhere on the server
● Stateless: NOT storing any information about the user on the server
● Scalability: since sessions are stored in memory, they cause problems with scalability (replicating servers)
● CORS (Cross-Origin Resource Sharing): AJAX calls from another domain (mobile devices) run into forbidden
requests
● CSRF (Cross-Site Request Forgery): executing unwanted actions on behalf of the user
● Compatibility: mobile and easy to use for a public API
● Transmission: size, local storage, when…?
12. Json Web Token
Cookies
● Typically very small (4k hard limit)
● Sent with every request to domain
● Cookie specific storage
● Very difficult across domains
● Subject to CSRF attacks
● Less support for mobile, can’t be used for external API
requests
● Contains a session id
● Requires a database lookup on every request
● Server-side sessions (requests must hit the same server)
● Scaling difficult
JWT
● Can get larger depending on info stored (8k soft limit)
● Only sent when necessary
● LocalStorage or SessionStorage
● Works from any domain
● Not subject to CSRF
● Standard for mobile auth, Easy to use for public API
● Contains verified user information
● No db lookups required
● State is stored on the client
● Scales easily
13. Json Web Token
JWT Things to Remember
● Base64 is NOT secure
● Encrypt sensitive info
● Use the standard claims (iss, exp, sub, jti, iat…)
● Keep your secret key SECRET
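The token structure, the login/authorization flow and the "things to remember" from the slides above, carried through in one runnable piece: an HS256 JWT built and verified by hand in plain PHP, then used as a bearer token by a Slim 3 middleware. This is an added example, not code from the slides, from Slim or from any JWT library; it assumes PHP 7.1+ and slim/slim ^3 via Composer, and the issuer name, lifetime, login check and the JWT_SECRET environment variable are constructed for the example.

```php
<?php
// Added example (not from the slides): HS256 JWT encode/verify by hand, then
// a Slim 3 login route that issues tokens and middleware that checks them.
// Assumes PHP 7.1+ and slim/slim ^3; claim values and the credential check
// are constructed placeholders.
require __DIR__ . '/vendor/autoload.php';

// Base64url (RFC 4648 section 5): URL-safe alphabet, no '=' padding.
function b64url_encode(string $data): string
{
    return rtrim(strtr(base64_encode($data), '+/', '-_'), '=');
}

function b64url_decode(string $data): string
{
    if ($pad = strlen($data) % 4) {
        $data .= str_repeat('=', 4 - $pad);
    }
    return base64_decode(strtr($data, '-_', '+/'), true) ?: '';
}

// header.payload.signature: JSON header and claims, each Base64url-encoded,
// signed over "header.payload" with the secret using the header's algorithm.
function jwt_encode(array $claims, string $secret): string
{
    $header  = b64url_encode(json_encode(['typ' => 'JWT', 'alg' => 'HS256']));
    $payload = b64url_encode(json_encode($claims));
    $sig     = b64url_encode(hash_hmac('sha256', "$header.$payload", $secret, true));
    return "$header.$payload.$sig";
}

// Returns the claims, or null when the token is malformed, names another
// algorithm, fails the signature check, or has expired. Reading the claims
// needs no secret (Base64 is encoding, not encryption); only the signature
// check does, so sensitive data must not go in the payload unencrypted.
function jwt_verify(string $jwt, string $secret, ?int $now = null): ?array
{
    $now   = $now ?? time();
    $parts = explode('.', $jwt);
    if (count($parts) !== 3) {
        return null;
    }
    [$header, $payload, $sig] = $parts;

    // Pin the algorithm server-side instead of trusting the header's "alg".
    $hdr = json_decode(b64url_decode($header), true);
    if (!is_array($hdr) || ($hdr['alg'] ?? null) !== 'HS256') {
        return null;
    }
    $expected = hash_hmac('sha256', "$header.$payload", $secret, true);
    if (!hash_equals($expected, b64url_decode($sig))) {   // constant-time compare
        return null;
    }
    $claims = json_decode(b64url_decode($payload), true);
    if (!is_array($claims)) {
        return null;
    }
    if (isset($claims['exp']) && $now >= (int) $claims['exp']) {   // expired
        return null;
    }
    return $claims;
}

// Keep the secret SECRET: load it from the environment, never hard-code it.
$secret = getenv('JWT_SECRET');
if ($secret === false || strlen($secret) < 32) {
    throw new RuntimeException('JWT_SECRET must be set to a long random value');
}

$app = new \Slim\App();

// Authentication: a successful login returns a JWT that the client stores
// (local storage in the slides) and presents on later requests.
$app->post('/login', function ($request, $response) use ($secret) {
    $body = $request->getParsedBody() ?: [];
    $user = (string) ($body['username'] ?? '');
    if ($user === '' || ($body['password'] ?? '') !== 'demo-password') {   // constructed stub
        return $response->withJson(['error' => 'invalid credentials'], 401);
    }
    $now = time();
    $token = jwt_encode([
        'iss' => 'example-api',             // issuer
        'sub' => $user,                     // subject
        'iat' => $now,                      // issued at
        'exp' => $now + 900,                // expires in 15 minutes
        'jti' => bin2hex(random_bytes(8)),  // unique token id
    ], $secret);
    return $response->withJson(['token' => $token]);
});

// Authorization: protected routes expect "Authorization: Bearer <jwt>". The
// server keeps no session; everything it needs is inside the verified token.
$requireJwt = function ($request, $response, $next) use ($secret) {
    $claims = null;
    if (preg_match('/^Bearer\s+(\S+)$/', $request->getHeaderLine('Authorization'), $m)) {
        $claims = jwt_verify($m[1], $secret);
    }
    if ($claims === null) {
        return $response->withJson(['error' => 'unauthorized'], 401)
                        ->withHeader('WWW-Authenticate', 'Bearer');
    }
    return $next($request->withAttribute('claims', $claims), $response);
};

$app->get('/me', function ($request, $response) {
    $claims = $request->getAttribute('claims');
    return $response->withJson(['user' => $claims['sub'], 'expires' => $claims['exp']]);
})->add($requireJwt);

$app->run();
```

A token with its payload edited (for example a changed `sub`) still decodes to readable JSON, which is the "Base64 is NOT secure" point, but `jwt_verify()` rejects it because the HMAC over `header.payload` no longer matches; a token past its `exp` is rejected the same way, so short lifetimes plus a `jti` give you something to revoke against if you ever need to.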