How Trongate's Token System Works
The Trongate framework ships with a built-in token system for authentication and authorization. The system is database-driven: it needs a connection to a MySQL database to function.
System Overview
Trongate's token system is based on three primary modules, each corresponding to a database table. These components are essential for managing token-based authorization and authentication:
- trongate_user_levels: Defines various user levels within the application.
- trongate_users: Stores user credentials and associated information.
- trongate_tokens: Stores every issued token together with the user it belongs to and its expiry; token generation and validation both work against this table.
The following diagram illustrates the relationships between these three tables:
Guiding Principles
To effectively utilize Trongate's token system, adhere to the following principles:
- User Levels: Define all required user levels in the trongate_user_levels table. For instance, roles such as 'admin' or 'member' should be specified.
- User Records: Ensure each user is represented in the trongate_users table to enable authentication and authorization.
- Token Generation: Upon successful login (e.g., valid username and password), generate a token and store it in the trongate_tokens table.
- Token Storage: The generated token may be stored on the user's device (for example, in a cookie) so that later requests can present it.
- Access Requests: When calling a secured endpoint, the user must submit the token (for example, in an HTTP request header), or Trongate retrieves a stored token from the device.
- Token Validation: Trongate authenticates the user by looking the token up in the trongate_tokens table and checking that it has not expired, then grants or denies access accordingly.
- Token Expiration: All tokens have an expiration date. Trongate automatically purges expired tokens from the trongate_tokens table.
Database Integration
In a typical scenario, such as a private members' website, the 'members' table might include fields like 'first_name', 'last_name', and 'email'. For integration with Trongate’s token system:
- Add a new entry to the trongate_user_levels table, such as 'member'.
- Create corresponding entries for each member in the trongate_users table.
- Include a trongate_user_id field in the 'members' table, linking it to the appropriate 'id' from the trongate_users table.
Note that the trongate_user_levels, trongate_users, and trongate_tokens tables do not include a 'password' field. Passwords belong in the 'members' table (or its equivalent), stored only as a password hash (for example, one produced by PHP's password_hash()), never in plaintext. This separation of concerns lets Trongate's token system deal solely with tokens, while credential storage stays in the application's own user tables.
Together these components connect members to Trongate's token-based security system. The arrangement is flexible because the token tables never need to know how a user proved their identity.
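The following is an added example, not Trongate's own Trongate_tokens module, that walks the Guiding Principles and the Database Integration steps above in plain PHP with PDO: authenticate against the 'members' table (which owns the password hash), mint a token and store it in trongate_tokens, read the token back from an Authorization header or cookie, validate it against the user's level, and purge expired rows. The table and column names, the DSN and credentials, the cookie name and the one-day lifetime are assumptions for illustration; check them against your own install.

```php
<?php
declare(strict_types=1);
// Added example, not Trongate's own code. ASSUMED table layout (column names
// are assumptions; check your install):
//   trongate_user_levels(id, level_title)
//   trongate_users(id, user_level_id)
//   trongate_tokens(id, token, user_id, expiry_date)   -- expiry_date: unix timestamp
//   members(id, first_name, last_name, email, password, trongate_user_id)
//   members.password holds a password_hash() value, never the plaintext.

const TOKEN_LIFETIME_SECONDS = 86400;   // assumed: tokens live one day
const TOKEN_COOKIE = 'trongatetoken';   // assumed cookie name

function db(): PDO {
    static $pdo = null;                 // assumed DSN and credentials
    if ($pdo === null) {
        $pdo = new PDO('mysql:host=127.0.0.1;dbname=trongate_demo;charset=utf8mb4', 'app', 'secret', [
            PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
            PDO::ATTR_EMULATE_PREPARES => false,
        ]);
    }
    return $pdo;
}

// Step 1: the 'members' table owns the password; the token tables never see it.
// Returns members.trongate_user_id on success, null otherwise.
function authenticateMember(string $email, string $password): ?int {
    $stmt = db()->prepare('SELECT password, trongate_user_id FROM members WHERE email = ? LIMIT 1');
    $stmt->execute([$email]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    // Run password_verify even for an unknown email so response time does not
    // reveal which addresses exist.
    $hash = $row ? (string)$row['password'] : password_hash('placeholder', PASSWORD_DEFAULT);
    if (!password_verify($password, $hash) || !$row) {
        return null;
    }
    return (int)$row['trongate_user_id'];
}

// Step 2: mint a bearer token for an authenticated trongate_users.id and store it
// with its expiry: 32 bytes from the CSPRNG, hex-encoded (64 chars).
function issueToken(int $trongateUserId): string {
    $token = bin2hex(random_bytes(32));
    $stmt = db()->prepare('INSERT INTO trongate_tokens (token, user_id, expiry_date) VALUES (?, ?, ?)');
    $stmt->execute([$token, $trongateUserId, time() + TOKEN_LIFETIME_SECONDS]);
    return $token;
}

// Step 3: read the token from the request: "Authorization: Bearer ..." (API clients)
// or the cookie left on the device (browsers). Check the shape before any query.
function tokenFromRequest(array $server, array $cookies): ?string {
    if (preg_match('/^Bearer\s+([0-9a-f]{64})$/i', $server['HTTP_AUTHORIZATION'] ?? '', $m)) {
        return strtolower($m[1]);
    }
    $c = $cookies[TOKEN_COOKIE] ?? '';
    return (is_string($c) && preg_match('/^[0-9a-f]{64}$/i', $c)) ? strtolower($c) : null;
}

// Step 4: the token must exist, be unexpired, and belong to a user whose level is
// in $allowedLevels (empty array = any level). Returns user id and level, or null.
function validateToken(string $token, array $allowedLevels = []): ?array {
    $stmt = db()->prepare(
        'SELECT t.user_id, l.level_title
           FROM trongate_tokens t
           JOIN trongate_users u ON u.id = t.user_id
           JOIN trongate_user_levels l ON l.id = u.user_level_id
          WHERE t.token = ? AND t.expiry_date > ? LIMIT 1'
    );
    $stmt->execute([$token, time()]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if (!$row || ($allowedLevels && !in_array($row['level_title'], $allowedLevels, true))) {
        return null;
    }
    return ['user_id' => (int)$row['user_id'], 'level' => (string)$row['level_title']];
}

// Step 5: housekeeping. Trongate does this automatically; shown for completeness.
function purgeExpiredTokens(): int {
    $stmt = db()->prepare('DELETE FROM trongate_tokens WHERE expiry_date <= ?');
    $stmt->execute([time()]);
    return $stmt->rowCount();
}

// Minimal routing so the file runs as-is under a web SAPI (e.g. `php -S 127.0.0.1:8080`).
if (PHP_SAPI !== 'cli') {
    header('Content-Type: application/json');
    $path = parse_url($_SERVER['REQUEST_URI'] ?? '/', PHP_URL_PATH);
    if (($_SERVER['REQUEST_METHOD'] ?? '') === 'POST' && $path === '/login') {
        $id = authenticateMember((string)($_POST['email'] ?? ''), (string)($_POST['password'] ?? ''));
        if ($id === null) { http_response_code(401); echo '{"error":"invalid credentials"}'; exit; }
        $token = issueToken($id);
        setcookie(TOKEN_COOKIE, $token, ['expires' => time() + TOKEN_LIFETIME_SECONDS, 'path' => '/',
                  'secure' => true, 'httponly' => true, 'samesite' => 'Lax']);
        echo json_encode(['token' => $token]);
        exit;
    }
    $token = tokenFromRequest($_SERVER, $_COOKIE);
    $ctx = $token !== null ? validateToken($token, ['admin', 'member']) : null;
    if ($ctx === null) { http_response_code(401); echo '{"error":"unauthorized"}'; exit; }
    purgeExpiredTokens();
    echo json_encode(['ok' => true, 'user_id' => $ctx['user_id'], 'level' => $ctx['level']]);
}
```

Two points worth keeping in mind when adapting this. The token is a bearer credential: whoever holds it is the user, so serve it only over HTTPS, set the cookie with Secure and HttpOnly as above, and delete the row from trongate_tokens on logout rather than waiting for expiry. Under Apache with PHP-FPM the Authorization header is often not forwarded to PHP by default, so the header branch of tokenFromRequest may need server configuration before it sees anything.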
Future-Proof Flexibility
The mechanism described is designed to be both flexible and future-proof. Notably:
Trongate does not need to manage the specifics of the login process for tokens to function effectively. Whether users authenticate via traditional username/password methods or alternative mechanisms, Trongate’s role remains to manage and validate tokens. This abstraction makes Trongate an appealing choice for developers working with mobile and web applications that require secure API endpoints.
Token Management
Trongate’s responsibilities regarding tokens include generation, validation, and management of expiration. Significant events that might trigger token generation include:
- Clicking on a confirmation link
- Receiving a payment
- Subscribing to a service
- Landing on a welcome page
- Creating a new account
- Completing a set of questions
As a developer, you decide which events warrant token generation. Because a token is a bearer credential that grants everything its user level allows, mint one only at a point where the user's identity has actually been established, such as a verified login or a confirmed email link; a token handed out merely because someone reached a page identifies a visitor, not an authenticated user. From Trongate's perspective, the job is token creation, validation, and removal of expired tokens.
This overview describes the moving parts of Trongate's token system. The next section shows how these components work together in practice.