feat: latest lesson content improvments

gitcommitshow · gitcommitshow · commit 1e3053acc4a8 · 2022-05-23T13:45:56.000+05:30
diff --git a/public/images/banner.png b/public/images/banner.png
diff --git a/views/demo/home.ejs b/views/demo/home.ejs
@@ -1,16 +1,18 @@
 <link rel="stylesheet" href="https://cdn.jsdelivr.net/gh/kognise/water.css@latest/dist/dark.min.css">
-<h2>✓ You've been successfully authenticated!</h2>
-<p style="width:70%;"><br/><br/>
+<strong>✓ You've been successfully authenticated!</strong>
+<h2>Method 1: Send JWT in request parameters</h2>
+<p style="width:70%;">
     In this request, we sent token via request URI parameter<br/>
-    GET /demo/protected-endpoint?<b>access_token</b>=mF_9.B5f-4.1JqM HTTP/1.1<br/><br/>
+    <code>GET /demo/protected-endpoint?<b>access_token</b>=mF_9.B5f-4.1JqM HTTP/1.1</code><br/><br/>
     > <a href="https://tools.ietf.org/html/rfc6750#section-2.3" target="_blank">Read about standards to follow while sending token via URI Query Parameter</a><br/><br/>
     Let's learn about more secure ways to send the token to the authorization server.<br/>
 </p>
-<form method="POST" action="/demo/protected/web-form" enctype="application\/x-www-form-urlencoded"><input name="access_token" type="hidden" value="<%= token %>" /><input type="submit" value="Click to send token in form body"></input></form>
+<h2>Method 2: Send JWT in form body</h2>
 <p> 
     > Input Parameter Name: access_token<br/>
     > Content-Type: application/x-www-form-urlencoded<br/>
-    > <a href="https://tools.ietf.org/html/rfc6750#section-2.2" target="_blank">Read about standards to send token via form-encoded body parameters</a>
+    <form method="POST" action="/demo/protected/web-form" enctype="application\/x-www-form-urlencoded"><input name="access_token" type="hidden" value="<%= token %>" /><input type="submit" value="Click to send token in form body"></input></form>
+    <br/>
 </p>
 
 <br/><br/><br/><br/><br/><br/>
diff --git a/views/demo/tokenInBody.ejs b/views/demo/tokenInBody.ejs
@@ -1,12 +1,13 @@
 <link rel="stylesheet" href="https://cdn.jsdelivr.net/gh/kognise/water.css@latest/dist/dark.min.css">
-<h2>✓ You've been successfully authenticated!</h2>
-<p style="width:70%;"><br/><br/>
+<strong>✓ You've been successfully authenticated!</strong>
+<p style="width:70%;">
     In this request, we sent the token in the form body<br/>
     > <a href="https://tools.ietf.org/html/rfc6750#section-2.2" target="_blank">Read about standards to send token via form-encoded body parameters</a><br/><br/>
     There are other ways to send token to authorization server as well. 
     Next, lets's explore
 </p>
-<a id="apiReqBtn" href="#!" onclick="javasctipt:requestProtectedAPI()">Send token in request header now</a>
+<h2>Method 3: Send JWT in request header</h2>
+<button><a id="apiReqBtn" href="#!" onclick="javasctipt:requestProtectedAPI()">Click to send token in request header</a></button>
 <small id="apiReqResponse" style="font-weight:bold;background-color:grey;color:#ffffff;margin-left:16px;"></small><br/><br/>
 <script>function requestProtectedAPI(){
     console.log("Going to request API")
@@ -45,7 +46,8 @@ Pragma: no-cache
 > <a href="https://tools.ietf.org/html/rfc6750#section-2.1" target="_blank" style="opacity:0.7;">Read about standards to send token via request headers</a>
 <br/><br/><br/><br/>
 <b>And there are more ways to send token to authorization server</b><br/>
-<a href="/lesson/jwt-in-web-cookies">Next: Sending token in cookies</a><br/><br/>
+<h2>Method 4: Send JWT in cookies</h2>
+<a href="/lesson/jwt-in-web-cookies">Next: Send JWT in cookies</a><br/><br/>
 
 <br/><br/><br/><br/><br/><br/>
 <footer>
diff --git a/views/home.ejs b/views/home.ejs
@@ -1,10 +1,25 @@
 <link rel="stylesheet" href="https://cdn.jsdelivr.net/gh/kognise/water.css@latest/dist/dark.min.css">
 <h1>JWT Authentication Demo</h1>
+<h3>Learn JWT by reverse engineering & debugging</h3>
+<img src="/images/banner.png" style="width: 100%;height: auto;" />
+
 <br/><br/>
-This is a tutorial with live demo to show how jwt authentication can be implemented using node.js, express, jsonwebtoken. 
+<p>This is an interactive tutorial to learn about JWT by reverse engineering. By the end of this tutorial, you’ll learn what a JWT is and how you can implement authentication using JWTs in your app.
 <br/>We'll start with examples and then reverse engineer by deconstructing each part.
-<br/><br/>
+</p>
+<p>
+<strong>Prior Knowledge Expected</strong><br/>
+I am expecting you to have a very high-level overview of following concepts but I will also make sure to link necessary learning resources wherever you need them
+<ul>
+<li>HTML forms and cookies</li>
+<li>HTTP web requests</li>
+<li>Public-key cryptography (no need to learn the math, just learn what it does)</li>
+<li>Base64 encoding (no need to learn the math)</li>
+</ul>
+</p>
+<strong>Time Required: 15 mins</strong>
 
+<br/><br/>
 <details>
     <summary>Topics Covered</summary>
     <div>
@@ -21,7 +36,7 @@ This is a tutorial with live demo to show how jwt authentication can be implemen
 </details>
 
 <br/><br/>
-<a href="/jwt">Next: Create JWT token</a>
+<a href="/jwt">Next: How does a JWT look like?</a>
 <br/><br/><br/><br/><br/><br/>
 
 <footer>
diff --git a/views/jwt/create/success.ejs b/views/jwt/create/success.ejs
@@ -12,11 +12,22 @@
 </ul>
 > <a href="https://tools.ietf.org/html/rfc7520#section-4.1.2" target="_blank" style="opacity:0.7;">Read about the signing operation</a>            
 <br/><br/>
-<a target="_blank" href="/verify/<%= token %>">Server can verify this token</a> 
+<a target="_blank" href="/jwt/verify/<%= token %>">Server can verify this token</a> 
 with secret key(for HMAC algorithm) or the public key(for RSA algorithm)<br/>
 <br/><br/>
-<h3>Let's put the token to some use now</h3>
-<a href="/demo/protected?access_token=<%= token %>">Next: Access resource protected with this token</a>
+<h3>Let's put this token to some use now</h3>
+<p style="font-weight: 300;">
+We created this example token to be used to authenticate a user. Let’s send this token to a backend server which holds private files of users.
+<br/>There are 4 ways you can send JWT to backend
+<ol>
+    <li>In request parameters</li>
+    <li>In a form body</li>
+    <li>In request headers</li>
+    <li>In cookies</li>
+</ol>
+</p>
+
+<a href="/demo/protected?access_token=<%= token %>">Next: Send JWT in request parameters</a>
 <br/><br/><br/><br/>
 <a href="/jwt/form" style="opacity:0.7;">Create a new token with different algorithm</a><br/><br/>
 <a href="/">Go Home</a><br/>
diff --git a/views/jwt/index.ejs b/views/jwt/index.ejs
@@ -6,27 +6,79 @@
 <span id="token-part-payload" style="color:blue;"><%= token.split(".")[1] %></span><span style="font-weight:bold;font-size:120%;">.</span>
 <span id="token-part-signature" style="color:green;"><%= token.split(".")[2] %></span>
 </div>
-<br/><br/>
+<br/>
+<p>
+This is a practical example of a JWT
+<br/>Wow, it looks garbage!
+<br/>Sure it does look like garbage, but it is not. In the next few minutes, you’ll see how easy it is to turn this garbage into useful information.
+</p>
 <h3>Token schema</h3>
 <p>Did you notice two dots(.) in the token? These dots (.) separate 3 important parts of the token</p>
 
 <b><code>{<span style="color:red;">header</span>}.{<span style="color:blue;">payload</span>}.{<span style="color:green;">signature</span>}</code></b><br/>
 <ol>
-    <li><b>Header</b>: Metadata about the cryptography methods e.g. Algorithm, Token type.
-    <br/>Encoded with base64UrlEncode, can easily be decoded by anyone who has access to token.
-    <br/><span>Let's <a href="javascript:alert(window.atob(document.getElementById('token-part-header').textContent))">decode header</a> with browser's <code>atob()</code> method</span>
+    <li><b>Header</b><code style="color: red; font-size: 80%;margin-left: 12px;">eyJhbGciOiJSU....</code>
+        <br/>This part is the metadata about the cryptography methods used for signature(the last part of this token)
+            e.g. The Cryptography Algorithm, Token type, etc.
+        <p style="font-weight: 300;">
+            <span style="font-weight: 200;opacity: 80%;">What! Where? It is not readable.</span>
+            <br/>Hold on! The header is encoded with <code>base64UrlEncode</code>, and can easily be decoded by anyone without any additional information other than the token itself. Let's decode this header with browser's <code>atob()</code> method.
+            <br/><br/><button><a href="javascript:alert(window.atob(document.getElementById('token-part-header').textContent))">Click to decode header</a></button>
+            <br/>(This will show you the decoded header in plain text)
+                    
+            <br/><br/>👉 Takeaway: The header can be decoded by anyone. It’s not garbage for anyone.
+        </p>
+    </li>
+    <li><b>Payload</b><code style="color: blue; font-size: 80%;margin-left: 12px;">eyJkYXRhIjoiSSB....</code>
+        <br/>Actual data we want to exchange via this token e.g. userId
+        <p style="font-weight: 300;">
+            This is also encoded with <code>base64UrlEncode</code>. Just like the header, let's decode payload as well with browser’s <code>atob</code> method.
+            <br/><br/><button><a href="javascript:alert(window.atob(document.getElementById('token-part-payload').textContent))">Click to decode payload</a></button>
+            <br/>This will show you the decoded payload in plain text
+            <br/><br/>👉 Takeaway: The payload can be decoded by anyone. It’s not garbage for anyone.
+        </p>
     </li>
-    <li><b>Payload</b>: Actual data we want to exchange e.g. userId.
-    <br/>This is also encoded with base64UrlEncode. <span>Let's <a href="javascript:alert(window.atob(document.getElementById('token-part-payload').textContent))">decode payload</a></span>
+    <li><b>Signature</b><code style="color: green; font-size: 80%;margin-left: 12px;">RmT_mo6_TjjTiuv....</code>
+        <br/>To verify sender or ensure message integrity
+        <p style="font-weight: 300;">
+            Can be verified by anyone if they know a secret/publicKey. But changing data(spoofing) is not possible.
+            <br/><br/><span style="font-weight: 200;">What do you need to verify a token's integrity?</span>
+            <br/>You need something more than just the token. You need to know a public key corresponding to the private-key used during the creation of this token. 
+            <br/><br/>Because I am the creator of this example token that I just showed you. I used an algorithm called <code>RSA256</code> where I used a pair of public/private keys for this token.
+            <br/>Now, I’m sharing the public key with you, now you go ahead and verify JWT integrity with this public key.
+            <br/><br/><button><a target="_blank" href="/jwt/verify/<%= token %>">Verify this JWT now</a> </button>
+        </p>
     </li>
-    <li><b>Signature</b>: To verify sender or ensure message integrity. Can be verified by anyone if they know secret/publicKey. But changing data(spoofing) is not possible.</li>
 </ol>
 
+<br/>Ok, now you understand how does a JWT look like, but...
+<h2>What can JWTs be used for?</h2>
+<p style="font-weight: 300;">
+JWTs can be used as a digital claim issued by one party, which another party can verify for integrity.
+    <ul>
+        <li>Typical usage of JWTs are</li>
+        <li>To prove whether a user is logged in or not</li>
+        <li>To prove whether a user is authorized to perform admin actions or not</li>
+    </ul>
+    What’s more interesting?
+    <strong>In order to verify JWT integrity, the other party(one that verifies) does not need to communicate with the first party(one that created JWT)</strong>. Well, assuming the first party has shared the public key with the other party already. 
+    <br/>So what if I leverage this to create a system as following
+    <ol>
+        <li>A computer verifies user identity(e.g. username/password) and issues JWTs to the users. Let’s call it an “identity server”</li>
+        <li>Another computer that takes requests for users’ protected resources, let’s call it “application server”. It asks for JWT along with the request. This computer(application server) verifies the JWT and makes sure that the JWT was not tampered with</li>
+        <li>And then the above “application server” uses JWT payload data to decide whether to give access to a particular resource or not. Essentially allowing the access to users as “identity server” wanted (remember the identity server created the JWT in step 1, at that time, it had also put in the access related necessary info in the JWT)</li>
+    </ol>
+
+    This is a typical example of authentication/authorization using JWTs and the interesting thing here is that you separated the work related to identity vs work related to actual user resources. You don’t need to rely on a single central system any more to effectively do this and thus can scale and manage in a better way.
+</p>
+
+Let’s see this system in action
+
 
-<a target="_blank" href="https://jwt.io/introduction/">Read more..</a><br/>
+<!-- <a target="_blank" href="https://jwt.io/introduction/">Read more..</a><br/> -->
 
 <br/><br/>
-<a href="/jwt/verify/<%= token %>">Next: Verify JWT.</a><br/>
+<a href="/jwt/form">Next: Create a JWT</a><br/>
 
 <br/><br/><br/><br/><br/><br/>
 <footer>
diff --git a/views/lesson/jwtCookies.ejs b/views/lesson/jwtCookies.ejs
@@ -1,5 +1,7 @@
 <link rel="stylesheet" href="https://cdn.jsdelivr.net/gh/kognise/water.css@latest/dist/dark.min.css">
-<h2>Lesson : Authentication workflow for web using cookies as token store</h2>
+<h2>Method 4: Send JWT in cookies</h2>
+In this lesson, we will demo a typical authentication workflow for web using cookies as token store
+<br/><br/>
 <a href="#!" onclick="openSignInWindow('/demo/authorize','login')">1. Login to get the token</a>
 <script>
     let windowObjectReference = null;
@@ -71,9 +73,9 @@ function requestProtectedAPI(){
 3. <a href="/demo/user" style="opacity:0.7;">User data link accessible via token in authorization header with fall back to cookies</a>
 <br/><br/>
 4. <a href="/demo/logout">Logout</a>
-<br/><br/><br/><br/>
-<a href="https://tools.ietf.org/html/rfc6265" target="_blank" style="opacity:0.7;">Read about securely storing cookies</a>
 <br/><br/>
+🔗 <a href="https://tools.ietf.org/html/rfc6265" target="_blank" style="opacity:0.7;">Read about securely storing cookies</a>
+<br/><br/><br/><br/>
 <a href="/lesson/token-transmit-method-comparison">Next: Choosing best method to send tokens to auth server</a>
 <br/><br/><br/><br/>
 
diff --git a/views/lesson/transitMethodComparison.ejs b/views/lesson/transitMethodComparison.ejs
@@ -1,12 +1,13 @@
 <link rel="stylesheet" href="https://cdn.jsdelivr.net/gh/kognise/water.css@latest/dist/dark.min.css">
 <h2>So, which method is the best to send tokens to authorization server?</h2>
 <br/>
-<p>
+<p style="font-weight: 300;">
 For APIs, the recommended approach is to send token in authorization header as per Oauth RFC (Bearer Token).<br/>
 For web, it's debatable how to send and store the token, considering the possible attacks(e.g. XSS, CSRF, etc.) vs Performance.<br/>
 <br/>
 <b>So now, we can generate token, we can send it to server to access the protected resource, verify if the token is valid.<br/> But how do we implement logout?</b><br/>
 </p>
+<br/>
 <a href="/lesson/implementing-logout">Next: Implementing logout</a><br/><br/>
 
 <br/><br/><br/><br/><br/><br/>
