mirror of
https://github.com/ueberdosis/tiptap.git
synced 2024-12-24 09:27:49 +08:00
48 lines
3.1 KiB
Markdown
48 lines
3.1 KiB
Markdown
|
# Authentication in Collaboration
|
|||
|
|
|||
|
After setting up a collaborative editor in the installation guide, it's crucial to address authentication for longer-term use. The temporary JWT provided by Collaboration is only suitable for brief testing sessions.
|
|||
|
|
|||
|
### **Understanding JWT**
|
|||
|
|
|||
|
JWT, or JSON Web Token, is a compact, URL-safe means of representing claims to be transferred between two parties. The information in a JWT is digitally signed using a cryptographic algorithm to ensure that the claims cannot be altered after the token is issued. This digital signature makes the JWT a reliable vehicle for secure information exchange in web applications, providing a method to authenticate and exchange information.
|
|||
|
|
|||
|
### **Creating static JWT for testing**
|
|||
|
|
|||
|
For testing purposes, you might not want to set up a complete backend system to generate JWTs. In such cases, using online tools like http://jwtbuilder.jamiekurtz.com/ can be a quick workaround. These tools allow you to create a JWT by inputting the necessary payload and signing it with a secret key.
|
|||
|
|
|||
|
When using these tools, ensure that the "Key" field is replaced with the secret key from your [Collaboration settings](https://collab.tiptap.dev/apps/settings) page. You don’t need to change any other information.
|
|||
|
|
|||
|
Remember, this approach is only recommended for testing due to security risks associated with exposing your secret key.
|
|||
|
|
|||
|
## **Generating JWTs for production environments**
|
|||
|
|
|||
|
For production-level applications, generating JWTs on the server side is a necessity to maintain security. Exposing your secret key in client-side code would compromise the security of your application. Here’s an enhanced example using NodeJS for creating JWTs server-side:
|
|||
|
|
|||
|
```bash
|
|||
|
npm install jsonwebtoken
|
|||
|
```
|
|||
|
|
|||
|
```typescript
|
|||
|
import jsonwebtoken from 'jsonwebtoken'
|
|||
|
|
|||
|
const payload = {
|
|||
|
// The payload contains claims like the user ID, which can be used to identify the user and their permissions.
|
|||
|
userId: 'user123'
|
|||
|
}
|
|||
|
|
|||
|
// The 'sign' method creates the JWT, with the payload and your secret key as inputs.
|
|||
|
const jwt = jsonwebtoken.sign(payload, 'your_secret_key_here')
|
|||
|
// The resulting JWT is used for authentication in API requests, ensuring secure access.
|
|||
|
// Important: Never expose your secret key in client-side code!
|
|||
|
```
|
|||
|
|
|||
|
This JWT should be incorporated into API requests within the **`token`** field of your authentication provider, safeguarding user sessions and data access.
|
|||
|
|
|||
|
To fully integrate JWT into your application, consider setting up a dedicated server or API endpoint, such as **`GET /getCollabToken`**. This endpoint would dynamically generate JWTs based on a secret stored securely on the server and user-specific information, like document access permissions.
|
|||
|
|
|||
|
This setup not only enhances security but also provides a scalable solution for managing user sessions and permissions in your collaborative application.
|
|||
|
|
|||
|
Ensure the secret key is stored as an environment variable on the server, or define it directly in the server code. Avoid sending it from the client side.
|
|||
|
|
|||
|
A full server / API example is available [here](https://github.com/ueberdosis/tiptap-collab-replit/tree/main/src).
|