gempir

Reputation: 1901

Using JWT in a Angular / Golang project

I am having issues figuring out how to use JWT correctly for my project.

This is the situation:

I have a website where people can log in via Twitch, which gives me an OAuth token, their username and more stuff depending on what I request (this is what the authentication process looks like: https://github.com/justintv/Twitch-API/blob/master/authentication.md).

In my database I have a few usernames that have an access level. For example level 500 meaning they can see the admin dashboard on my website or they can send POST requests from angular to change data.

My Angular app has no access to the database, obviously. I only want communication via an API provided by my Go webserver.

What I am wondering is: how do I make sure that the user who is trying to send a secure POST or GET is actually the user he says he is and has permission to execute the command he is doing?

Upvotes: 1

Views: 321

Answers (1)

Elwinar

Reputation: 9509

A JWT is composed of 3 parts: the header (for "metadata" like the encryption algorithm used, etc.), the claims (which are the actual data stored in the token), and an HMAC (used to verify that the two parts above aren't tampered with).

In your case, when your user logs in, you should receive the OAuth token, their username, etc. You can then use the username to get the associated user level, and stow everything in the claims of your own JWT that you will send back to the user. In subsequent requests, you just have to check that the token is valid (don't forget to give them a short TTL), and then you are sure that the user doing the request is the one it claims it is (mnemotechnic pun intended).

Upvotes: 2
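The flow described in this answer, as an added example in Go that is not from the question or the answer: after the Twitch login the server issues an HS256 token carrying the username and the access level from the database with a short expiry, and on every later API call it checks the signature, then the expiry, then the level before allowing an admin action. The claim names, the `Issue`/`Authorize` functions and the demo key are assumptions; the token is assembled with the standard library only so that each step is visible.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"strings"
	"time"
)

// Claims kept in the token; the field names are assumed for this example.
type Claims struct {
	Username string `json:"sub"`
	Level    int    `json:"level"` // access level looked up in the DB, e.g. 500
	Exp      int64  `json:"exp"`   // Unix seconds; keep the ttl short
}
var enc = base64.RawURLEncoding
// sign: HMAC-SHA256 over "header.claims"; the alg in a received header is never consulted.
func sign(key []byte, input string) string {
	mac := hmac.New(sha256.New, key)
	mac.Write([]byte(input))
	return enc.EncodeToString(mac.Sum(nil))
}
// Issue runs once, after the Twitch login succeeded and the level was looked up.
func Issue(key []byte, user string, level int, now time.Time, ttl time.Duration) string {
	body, _ := json.Marshal(Claims{Username: user, Level: level, Exp: now.Add(ttl).Unix()})
	input := enc.EncodeToString([]byte(`{"alg":"HS256","typ":"JWT"}`)) + "." + enc.EncodeToString(body)
	return input + "." + sign(key, input)
}

// Authorize runs on every later API call: signature, then expiry, then level.
func Authorize(key []byte, token string, now time.Time, minLevel int) (*Claims, error) {
	p := strings.Split(token, ".")
	if len(p) != 3 || !hmac.Equal([]byte(p[2]), []byte(sign(key, p[0]+"."+p[1]))) {
		return nil, errors.New("malformed token or bad signature")
	}
	var c Claims
	raw, err := enc.DecodeString(p[1])
	if err != nil || json.Unmarshal(raw, &c) != nil {
		return nil, errors.New("unreadable claims")
	}
	if now.Unix() >= c.Exp {
		return nil, errors.New("token expired")
	}
	if c.Level < minLevel {
		return nil, errors.New("insufficient access level")
	}
	return &c, nil
}
```

Because the level is read back from the signed token rather than trusted from the request body, a client cannot promote itself; changing any byte of the claims part invalidates the HMAC.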
