Build a Fullstack App with Vanilla JS and Go

Generating a JWT with Go

Maximiliano Firtman
Independent Consultant
Build a Fullstack App with Vanilla JS and Go

Lesson Description

The "Generating a JWT with Go" Lesson is part of the full, Build a Fullstack App with Vanilla JS and Go course featured in this preview video. Here's what you'd learn in this lesson:

Maximiliano explains the process of creating and using JSON Web Tokens (JWT) in Go by utilizing the golang-jwt library. He also demonstrates how to generate a token with user data, encrypt it using a secret key, and validate it.

Preview
Close

Transcript from the "Generating a JWT with Go" Lesson

[00:00:00]
>> Maximiliano Firtman: So to do that, we also need to create a web token. And for that, there is another package for go, because we are not going to do it manually from this, it's called Golang JWT, JSON web token, okay. So we are going to use that library because, I mean, we can do it manually, but again, we are encrypting, decrypting, but we don't wanna do it manually, okay?

[00:00:24]
So we are going to also install this as well. So following the readme, we are currently getting to the end of the course, so we are right now here at G6, so we need to also add this dependency. So I'm going to open a terminal.
>> Maximiliano Firtman: I'm gonna stop my server, add Golang JWT, there we are.

[00:00:59]
Now let's restart a sever there. And now we can create a token, okay and make it work. And now we need to go back to the server for a while, to make all the code to actually create the token and validate the token. And the idea will be, the token will be just a string, an encrypted data.

[00:01:22]
We will send that token after login, successful login, and after successful registration. And then the client will store that somewhere, so next API calls, it will also attach that token. So it will say, hey, this is me, this is me, I have credentials, this is me, that's how it works.

[00:01:43]
Now we need to create, we're going to create a new package for this, so with a new folder, not inside handlers, actually there. So let's call this token, and inside token, we're going to create actually 3 files, I mean, lemme just one file with three functions, we need three functions, so we just to separate this.

[00:02:06]
We actually encrypt the token remember that I mentioned that the JWT is encrypted, and the server knows the key. So the key is string, so the first thing that we will need to do is to actually get the JWT secret dot go. What's the secret, the key. And where are we going to store that, we can hard code it, or we can use dot m, remember dot m?

[00:02:41]
So I can add here another thing can be JWT secret for example. And we can put a string here, anything, the larger, the better. And you should store this safely. No one should access this anymore,. You can do random strings wherever, okay, where are websites that you can will give you a secret, we can even ask chatgpt for a secret.

[00:03:07]
I'm not sure if that's a good idea, but create a secret for JWT for me, anything that's the key, okay, that we will use to encrypt that token and decrypt that token when the client send us a token. Okay, so we need to get that, that that secret we can and we don't need, we can write this, get them.

[00:03:33]
We have already done this, so I will just get it from here, we have it. We've done this is pretty straightforward. It's reading from the environmental variable needs.
>> Speaker 2: That one needs a dot go extension.
>> Maximiliano Firtman: Yeah, you're right, not a dot o, a dot go and also it's complaining because I need to start always with the package.

[00:03:55]
And what I'm saving now, it's adding the logger and everything, and I'm receiving the logger because if we cannot read that, okay, we should log that we couldn't read that log, okay? So that's the first step, then we need to create a token. So we need to create another one for creation, can be creation dot go, and this is a code.

[00:04:20]
This case, we are using the library, it's not complicated, but let me show you how that works based on this, there we are, create JWT. So I'm receiving a user and a logger. The logger is for sending messages to the logger, so we need to create the JWT secret, okay, like this.

[00:04:40]
So this is that, I'm sorry, this is actually calling our get WT secret that we have here. It's reading the secret from the dot m, that's the secret. Then we integrate a new token with claims, I say, with what with claims. First, it needs the method that we are using to sign this.

[00:04:59]
It had to do with internals of the cryptography, it doesn't matter, and then we have claims. What's the claim, this is data that we will save in the token, and then we will encrypt it. So that is known as a claim from the JWT spec, right? In this case, I'm saving the user ID, the user email, and the name and the expiration, 72 hours, you can change that.

[00:05:28]
It needs a time in Unix timestamp. So the amount of milliseconds that happened since 1st of January, 1970. But here you say this is now, plus 72 hours, so we can say days, okay, and you multiply these by, five days or things like that, okay, we have some constants there.

[00:05:55]
And then we sign the token with the secret, and that's the token string, and that's we are getting back. Okay, so that's how you create a JSON web token. And then we need another one, not for the creation, but actually for validation. So we have creation, and let's add validation also that.

[00:06:19]
I mean, it's pretty similar, but it's calling a different API, because for validation, we also need to get the secret, okay? So we need to get the secret, but what we're going to do, we're going to unsign the package, okay? And we're going to return the information. So validate JWT, it returns the token that is unencrypted, so you can actually go back there and get the data from there, okay, and we can get an email.

[00:06:56]
So it's interesting to see that we are actually saving users email in users' devices, but because it's encrypted, you cannot go and change it. Because why JSON web token, why not storing directly the email client side? So send me your email every time you wanna do something, and I trust you.

[00:07:16]
The problem is that I can go client side and change the email and then I can act as someone else because I can easily go and change my email and you will trust that it's me. So with JWT, we are also saving the email client side, but it's encrypted if you try to change that, I will recognize server side that.

[00:07:39]
That's wrong because when I unencrypt that, it's not gonna work. So that's the idea, okay, that's why the secret is so important, because the secret is the one that you open that. And if your users get access to your secret key, they will be able to open the JSON web token, change the email address, pack it again and send you another credential that is on you.

[00:08:04]
And your server will trust it, so we don't want that, okay, make sense? Okay, so now the next step, server side, is that we need to touch our two web services for authentication and creation. Also, to our handlers, when you have an account handler, remember that we do have an authentication response, we are also going to add here the token.

[00:08:34]
We can call it token or JWT token or something, that in the in the readme, I call it JWT. So let's stay with that name, there's gonna be a string, and for the JSON point of view, it's just going to be lowercase jwt. So now when I'm responding a registration or a login, I'm also sending you a JSON web token to the client, okay, so now.

[00:09:04]
>> Speaker 3: I think your JWT needs a closing quote.
>> Maximiliano Firtman: Yeah, you're right, so I have a typo here, I'm not closing, that will quote for there.
>> Maximiliano Firtman: So now, when we are registering here, when I'm creating the response, so what do I need to do? I need to also set that new property, and I'm going to get that from where?

[00:09:25]
So it's token dot create token, but when I'm trying this, I'm not seeing this, so be careful, because maybe it auto imported the wrong token. So let me go up and, yeah, it's important importing from go token, and I need to import from frontend masters dom com token, movies token, okay, so that's why it wasn't working.

[00:09:48]
So when you do this, be careful and check which one do you wanna import, I want mine. So now I will create JWT that needs a user. So I can create a user like this very quickly with, for example, the email. And that's the only thing that I actually need to validate the user.

[00:10:09]
But let's pass the name also just because I have it right now, like that. Also it needs a logger in case there is a problem with this.
>> Maximiliano Firtman: And I do have a logger there, let me adjust the parenthesis like this. So and also, I need to close the object.

[00:10:37]
Let me see, I'm missing something here. So it's giving me an error because this is Go, and in Go when you're doing multi-line initialization, you need the trailing comma, it's a mandatory trailing comma. If you don't want the trailing comma, you need to put everything in one line.

[00:10:55]
Okay, that's for registration, I also need to do, so that's because after registration, you are logged in. I don't wanna log in, I mean, you're already logged in. And authentication, we need to do something similar. So we are going to set JWT and from token, we're going to create the token.

[00:11:14]
We also need to create the user. Right now, we don't have the name, because we are logging in the user, we only have the email, which, I mean, it's enough, for us. And then you also need to pass the logger that I got from the outside, like so, and.

[00:11:38]
>> Maximiliano Firtman: Actually the email is coming for, from request, dot email, and that's all. So how do I know if this is working? Before going to the client, something that I can do is I can use postman. So if I go to postman, I can try to authenticate again and see what happens.

[00:11:56]
And I'm getting it, I'm getting a 200.
>> Maximiliano Firtman: And if I look at the answer, I have the success, the message, and I do have the JSON web token. So it's actually sending me encrypted inside, we have the expiration, and also, we have our own email address.

Learn Straight from the Experts Who Shape the Modern Web

  • In-depth Courses
  • Industry Leading Experts
  • Learning Paths
  • Live Interactive Workshops
Get Unlimited Access Now