Vladimir Dyuzhev, author of MockMotor

Vladimir Dyuzhev
MockMotor Creator

Complete JWT Auth Service on MockMotor


Let's create a JWT Auth service on top of Mockmotor. Just for the fun of it.

What is JWT?

I have quite a long blog post about JWT. Please read it.

What Do We Need from JWT Auth Service?

Our JWT service should have two operations:

Authenticate Operation

This is the first operation a client calls. This operation should:

1 Reads user credentials (id and password) from the request
2 Verifies the credentials against the DB (mock accounts)
3 Generates a time-limited token for the user

The token payload should have the user’s id and some useful information, for example, ACL, embedded.

Verify Operation

This operation checks that the token is presented and still valid:

1 Takes a token from the Authorization: Bearer header
2 Verifies the token’s integrity
3 Verifies the token’s expiration time
4 Decodes the token and gives the caller the id and ACL list

Let’s start!

Step 1. Create a Dedicated Environment

We should have a separate environment for our JWT Auth service. We’re going to use mock accounts for storing user’s credentials. While we could mix the account fields used for JWT with account fields used by other services, it is a bit messy. It is much cleaner to create a new environment.

Step 2. Create a JWT Auth Service

This is an obvious step. We’re building a service, so we create a mock service. Duh.

Once we saved the service, MockMotor gave it new permanent port numbers: 20008 (HTTP) and 20009 (HTTPS).

Step 3. Create User Accounts

Now we need to decide who can get our tokens.

We plan that the users call JWT Auth service with their credentials. For example, like this:

POST https://127.0.0.1:20009/auth HTTP/1.1

{
	"login":"john",
	"password":"password1"
}

Once the service receives this request, it should find the mock account for this login and compare the password on record with the one in the request.

Hence we need to store at least login and password values.

Then the service needs to create a JWT token, placing ACLs into its payload. So we need to store acl too.

The token must be time-limited, and the limit should be configurable per user. Let’s store ttl then.

And, finally, it’s no good if all users share the same secret for JWT. Hence we should have a secret field in the mock account.

Let’s define mock account properties:

Step 4. Create Users

Now let’s create a couple of users (mock accounts).

Let’s have user john with password password1 and secret secret1, with ttl of 10s and acl of read|write:

And let’s have user jane with password password2 and secret secret2, with ttl of 15s and acl of read|write|delete.

This is how the whole list of users looks:

Yes, the passwords are in cleartext. MockMotor is not a PROD system, but a test one. Passwords in mock accounts are not real passwords to anything valuable, so there is no point in making them obfuscated.

Step 5. Create the Authenticate Operation

Now, the most fun part.

Let’s add a response that generates a token.

What happens here?

1 The request must use HTTP POST.

2 The request must use the relative URI of /auth. For instance, https://127.0.0.1:20009/auth.

3+4 The response selects a mock account where login property matches the request login field.

5 However, if the mock account is not found, the response continues its execution. This is to generate the HTTP 401 response.

6 In the payload script, we check if the account is not found, or found but with different password, and set the payload to an empty string if that is true. That is the response body for HTTP 401.

7 We prepare the JWT header. We’re going to use the HS256 signature.

8 We calculate the expiration time as the number of seconds in the account.ttl property from now. Note we must have to use parseInt() - the account properties are strings, and JS is very weird when it adds strings to a number.

9 We prepare the payload of JWT. It contains the account login (so we can use it during the /verify call), expiration time (this is one of the standard JWT fields) and acl, which are ACLs taken from the account.

10 Now we encode the JWT token using the account-stored secret: account.secret.

11 We form the response payload containing the token, ACLs and the expiriation time. We only need to send the token back, and the rest is added just for debug.

12 HTTP status is set to 401 if the mock account is not found or its password is not matching the stored value. We could have compared the output to the empty string as well. I just copy-pasted the condition from the first line of the payload because I’m lazy. If the account is found and the passwords match, the status is 200.

13 And finally, we add some delay to look legit. Ideally, we should add a longer delay for HTTP 401 to prevent brute-force attacks, but this is a project for fun, not for trenches.

Save it and let’s try it.

Request:

POST https://127.0.0.1:20009/auth HTTP/1.1
Content-Type: application/json
Content-Length: 45
Host: 127.0.0.1:20009
Connection: Keep-Alive

{
	"login":"john",
	"password":"password1"
}

Response:

HTTP/1.1 200 OK
Date: Wed, 18 Mar 2020 03:16:32 GMT
Content-Type: application/json;charset=utf-8
X-MockMotor-Delay: 300
Transfer-Encoding: chunked

{"acl":["read","write"],"exp":1584501402958,"token":"eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJhY2wiOlsicmVhZCIsIndyaXRlIl0sImxvZ2luIjoiam9obiIsImV4cCI6MTU4NDUwMTQwMn0.9HwAXSD-OkT1vUFbWWrU7j8uqmoSxIFZ3mTPXHDouqI"}

You can take this token to https://jwt.io for validation. Provide the secret password1 and it validates:

What if We Provide a Wrong Password?

Wrong password, unknown user or missing login field - all produce HTTP 401:

POST https://127.0.0.1:20009/auth HTTP/1.1
Content-Type: application/json
Content-Length: 39
Host: 127.0.0.1:20009
Connection: Keep-Alive

{
	"login":"vlad",
	"password":"any"
}

HTTP/1.1 401 Unauthorized
Date: Wed, 18 Mar 2020 00:05:16 GMT
Content-Type: application/json;charset=utf-8
X-MockMotor-Delay: 300

Step 6. Create the Verify Operation

Alright, now let’s add a response that verifies the token.

What happens here?

1 The request can use any HTTP method.

2 The request must use the relative URI of /verify. For instance, https://127.0.0.1:20009/verify.

3+4 The response selects a mock account where login property matches the login field from the JWT payload. We decode the payload with a null password, meaning we can’t verify the signature, but we don’t have to do it at that point, we just need to get the claimed login.

5 If a mock account with the provided login is not found, the response continues its execution. This is to generate the HTTP 401 response.

6 In the payload script, we check if the account is not found, and set the payload to FAIL message if that is true. That is the response body for HTTP 401.

7 We decode JWT with the secret from the mock account and save any errors into the error variable. Note that token expiration is also reported as an error.

8 If no decoding errors found, we have verified the token. We form the OK response.

9 Otherwise, we form a FAIL response and provide some debug information.

10 We set the status to 401 if the mock account is not found or there are any errors verifying the token. Otherwise, the status is 200.

11 And finally, we add some delay for gravity.

Testing the Verification

A successful response looks like this:

HTTP/1.1 200 OK
Date: Wed, 18 Mar 2020 03:26:19 GMT
Content-Type: application/json;charset=utf-8
X-MockMotor-Delay: 500
Transfer-Encoding: chunked

{"jwt":{"payload":{"acl":["read","write","delete"],"login":"jane","exp":1584501994},"header":{"typ":"JWT","alg":"HS256"}},"error":null,"status":"OK"}

and once the token is expired, the response changes to:

HTTP/1.1 401 Unauthorized
Date: Wed, 18 Mar 2020 03:26:39 GMT
X-MockMotor: BUILDNUMBER
Content-Type: application/json;charset=utf-8
X-MockMotor-Delay: 500
Transfer-Encoding: chunked

{"jwt":{"payload":{"acl":["read","write","delete"],"login":"jane","exp":1584501994},"header":{"typ":"JWT","alg":"HS256"},"error":"The Token has expired on Tue Mar 17 23:26:34 EDT 2020."},"error":"The Token has expired on Tue Mar 17 23:26:34 EDT 2020.","status":"FAIL"}

Let’s Test it All

I’ve made a SoapUI project that tests this service. You can download and try it. It runs against the MockMotor Demo installation.