DEV Community

Torsten Dittmann for Appwrite


#30DaysOfAppwrite : JWT Support in Appwrite

Intro

#30DaysOfAppwrite is a month-long event focused on giving developers a walk-through of all of Appwrite's features, starting from the basics to more advanced features like Cloud Functions! Alongside, we will also be building a fully-featured Medium clone to demonstrate how these concepts can be applied when building a real-world app. We also have some exciting prizes for developers who follow along with us!

What is a JWT

JWT (JSON Web Token) is a standard for issuing access tokens to an application. It works this way: the server generates a signed token that certifies the user's identity and sends it to the client. The client sends the token back to the server with every subsequent request, so the server knows the request comes from a particular identity.

A well-formed JWT consists of three concatenated Base64url-encoded strings, separated by dots (.):

  • Header: contains metadata about the type of token and the cryptographic algorithms used to secure its contents.
  • Payload: contains the claims, verifiable security statements such as the identity of the user and the permissions they are allowed.
  • Signature: used to validate that the token is trustworthy and has not been tampered with.


This architecture proves to be very effective in modern Web Apps, where, after the user is authenticated, the client performs API requests against either a REST or a GraphQL API.

That said, using JWTs for sessions is not always recommended. A regular server-side session combined with a cookie is usually more efficient and less prone to data exposure: the JWT payload is only Base64url-encoded, not encrypted, so every claim in it is readable by whoever holds the token.

So, why do we need a JWT then?

In the modern web, you will often have several entities communicating with each other. Certain features will naturally be restricted and require some sort of authorization mechanism. Appwrite itself uses cookies for the client side to communicate with the backend.

Using a JWT, you can authorize the user on the server side, within a Cloud Function, a microservice, or an SSR handler.

Create a JWT

Version 0.8 of Appwrite introduced JWT support, and a token is easy to generate using the Web or Flutter SDK. Because JWTs are used for authentication and authorization, they can only be generated while the user is authenticated.

Web

appwrite.account.createJWT().then(response => {
    console.log(response); // Success
}, error => {
    console.log(error); // Failure
});

Flutter

account.createJWT().then((response) {
    print(response);
}).catchError((error) {
    print(error.response);
});

The createJWT() method resolves with an object like this:

{
  jwt: "eyJhbGciOiJIUzI1NiIsInR5cCI6I..."
}

This JWT is valid for 15 minutes, and at most 10 can be generated every 60 minutes per user account.
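Because a token lives 15 minutes but only ten can be minted per hour, a client that calls createJWT() before every server request will hit the rate limit quickly. The following is an added example, not Appwrite's code: a small provider that reuses one JWT until shortly before it expires and collapses concurrent requests into a single createJWT() call. The createJWT and now parameters are injected so it runs offline; in an app you would pass () => appwrite.account.createJWT(). The 15-minute TTL is the figure from this post; the one-minute refresh margin is an arbitrary choice.

```javascript
// Added example (not Appwrite code): reuse a user's JWT across server calls so
// the 10-per-hour createJWT budget is not exhausted. `createJWT` and `now` are
// injected; in an app: makeJwtProvider({ createJWT: () => appwrite.account.createJWT() }).
function makeJwtProvider({
  createJWT,
  now = () => Date.now(),
  ttlMs = 15 * 60 * 1000,      // token lifetime stated in the post
  refreshMarginMs = 60 * 1000, // refresh this long before expiry (arbitrary)
}) {
  let cached = null;   // { jwt, issuedAt }
  let inFlight = null; // pending createJWT promise shared by concurrent callers
  let issued = 0;      // number of tokens minted through this provider

  const isFresh = (c) => c !== null && (now() - c.issuedAt) < (ttlMs - refreshMarginMs);

  async function getJWT() {
    if (isFresh(cached)) return cached.jwt;
    if (!inFlight) {
      inFlight = (async () => {
        try {
          const issuedAt = now(); // taken before the call, so the TTL errs on the safe side
          const { jwt } = await createJWT();
          issued += 1;
          cached = { jwt, issuedAt };
          return jwt;
        } finally {
          inFlight = null;
        }
      })();
    }
    return inFlight;
  }

  return {
    getJWT,
    issuedCount: () => issued,
    invalidate: () => { cached = null; }, // e.g. after the server reports 401
  };
}

// Constructed demo: a fake clock and a fake createJWT standing in for the SDK.
async function demo() {
  let t = 0;
  let calls = 0;
  const fakeCreateJWT = async () => ({ jwt: `demo.jwt.${++calls}` });
  const provider = makeJwtProvider({ createJWT: fakeCreateJWT, now: () => t });

  const results = [];
  // Three concurrent callers plus seven sequential ones share a single token.
  results.push(...await Promise.all([provider.getJWT(), provider.getJWT(), provider.getJWT()]));
  for (let i = 0; i < 7; i++) results.push(await provider.getJWT());
  const afterBurst = provider.issuedCount(); // 1

  t = 14 * 60 * 1000 + 1; // inside the refresh margin -> a new token is minted
  results.push(await provider.getJWT());
  const afterRefresh = provider.issuedCount(); // 2

  return { results, afterBurst, afterRefresh, calls };
}

demo().then(r => console.log(r));
```

The cache is deliberately in memory only: persisting a JWT in localStorage would put a 15-minute bearer credential within reach of any script injected into the page, and the cookie session already survives reloads.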

JWT with Server SDK

Now that we can get our hands on a JWT, we can use it to perform actions on the server on behalf of a user, without that user logging in on the server and without providing an API Key.

For demonstration, let's try to get our current user with a Node.js script:

mkdir appwrite-jwt-test
cd appwrite-jwt-test
npm init -y

Now add node-appwrite as a dependency:

npm install node-appwrite

Create index.js file and put in the following content:

const appwrite = require('node-appwrite');
const client = new appwrite.Client();
const account = new appwrite.Account(client);

client
    .setEndpoint("[ENDPOINT]") // Your API Endpoint
    .setProject("[PROJECT_ID]") // Your project ID
    .setJWT("[INSERT_JWT_HERE]") // Your user's JWT (valid for 15 minutes)
;

// Acts as the user the JWT was issued for; no API key is involved
account.get()
    .then(r => console.log(r))
    .catch(e => console.error(e)); // e.g. an expired or malformed JWT

Remember to fill out the endpoint, project ID, and JWT. Keep in mind that a JWT is only valid for 15 minutes after generation.

Now we can execute this file with node index.js, and if everything goes well, we should see our user's object 👏

JWT With Cloud Functions

Remember from Day 23 that users can execute Cloud Functions over the REST API? When a user does this, the Cloud Function is by default passed a JWT for the user who executed it in the APPWRITE_FUNCTION_JWT environment variable.

This way, we don't even have to create a JWT from the client-side and pass it around 🎉

JWT With SSR

With release 3.0.0 of the Web SDK for Appwrite, we have refactored it to be isomorphic. This is important in the ecosystem of JavaScript - since, with the rising popularity of SSR, libraries need to work in the Browser - as well as on the Server Side with Node.js.

That's why we have added the setJWT(jwt) method, found in the Server SDK, to the Web SDK as well - which allows developers to use the same SDK for Client and Server Side actions with Frameworks like Next.js, Nuxt.js and Svelte Kit.

Credits

We hope you liked this write-up. You can follow #30DaysOfAppwrite on Social Media to keep up with all of our posts. The complete event timeline can be found here.

Feel free to reach out to us on Discord if you would like to learn more about Appwrite, Aliens, or Unicorns 🦄. Stay tuned for tomorrow's article! Until then 👋

Discussion (2)

Paulo Renato

Thanks for this great explanation of how Appwrite supports JWTs.

I am left with one doubt... Do you support the validation of JWTs issued by third parties?

Eldad A. Fux

Because Appwrite is the Auth provider, a 3rd party authentication is not possible. Appwrite can only verify the JWT against users created on your Appwrite project.