HTTP
If a JWT is intercepted, can the attacker see what's inside the payload?
Yes, a JWT is easily decoded by using the JWT decode() method. This is why it is very important not to use JWT to transmit any sensitive information!
What is the difference between PUT and PATCH?
`PUT` is an HTTP method that is intended to completely replace a particular resource while `PATCH` is meant to only alter a specific part of that resource.
What is a JWT?
A JWT (JSON Web Token) is a method used for authenticating HTTP requests in web applications. The JWT is encoded and signed, making it an effective tool for validating authentication in an application.
What does safe mean for HTTP methods? Which HTTP methods are safe?
An HTTP method is considered "safe" when it can be executed multiple times with the same result and not affect the actual state of the server. Only `GET` and `HEAD` methods are "safe" because the other idempotent verbs do actually alter the state of the server, even if the result is the same.
What does idempotent mean for HTTP methods? Which HTTP methods are idempotent?
An HTTP method is considered idempotent if it can be executed multiple times with the same result. The HTTP methods that are idempotent are `GET`, `HEAD`, `PUT`, and `DELETE`.
What are some differences between Web Sockets and HTTP?
HTTP is a pretty big protocol with a lot of information in the body and headers that gets passed back and forth, while WebSockets are much smaller. WebSockets, unlike HTTP, are also stateful, meaning they stay connected after a request has been made, enabling them to be much faster and allowing them to continuously display information to the user without another request having to be made. Examples of WebSocket uses are stock trading websites, chat applications or gaming applications.
How can you implement authentication with a JWT? Describe how it works at a high level.
On a high level, JWT authentication works by signing a token for a user that often has a few relevant details about the user (like username and admin status) in the payload. The token is signed with a secret key known only to the server and transmitted upon an initial registration or login. Then, with every subsequent request to the application, that JWT may be required to be sent along with the request in some fashion (whether it be in the request body, header, query string, etc.) in order to access a particular resource. The JWT is then verified, confirming the signature actually works with the server's secret key, and then the user can proceed. Often, user information from the JWT payload may be stored in the session for the life of that request (or possibly longer) in order to determine that you are actually the current user and give you authorization to various resources accordingly.
What is one-way encryption?
One-way encryption is a form of encryption designed to hash a given string in such a way that it would be extremely difficult to reverse. This is essential in stopping nefarious people from reverse engineering the hashed string in order to read the original string.
What is the purpose of the Bcrypt algorithm?
The Bcrypt algorithm is intended to perform one-way encryption on a given password in order to create a new hashed password that Bcrypt can also validate as matching the original password. This is very useful when storing passwords for a user's login as it will allow us to hide the password from outsiders (and even from those holding the data) while still being able to authenticate a user when they want to log in to the application.
What is the signature portion of the JWT? What does it do?
The signature portion is the final segment of the JWT and is used to validate that the token is trustworthy. It is an encoded combination of the header, the payload, and a secret key and will allow the program to determine if a token is meant to actually be there, since typically this secret key will only be known to the server and will be added when the token is signed and distributed (and consequently verified when the token is returned).