Understanding HMAC Security
HMAC stands for Hash-based Message Authentication Code. It verifies two things: integrity and authenticity.
It ensures your message did not change during transit. It also proves the sender holds the secret key. Developers use it for API authentication, tokens, and digital signatures.
Think of a sealed envelope. You and the receiver use a special wax seal. Only you two know how to make that specific seal. If a hacker opens the letter and changes a word, the seal breaks. They cannot replace the seal without the secret method.
The Problem with Unprotected Tokens:
If you use a simple Base64 encoded token, anyone can:
- Decode the token.
- Change the expiration date.
- Re-encode it.
- Trick your system.
The Solution with HMAC:
You combine your data with a secret key to create a unique signature.
- Create your data (user ID and expiration).
- Compute an HMAC over that data with your secret key, using a hash function such as SHA-256.
- Attach this signature to your token.
When the receiver gets the token, they perform the same calculation using their copy of the secret key. If the newly computed signature matches the one in the token, the data is intact and was produced by a holder of the key. If they do not match, the token is invalid.
This process prevents users from tampering with their own permissions or identity.
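The token scheme described above, as an added example that is not part of the original post: the payload (user ID and expiration) is signed with HMAC-SHA256, the receiver recomputes the MAC, and the decode-edit-re-encode trick from the "unprotected token" list is shown failing against it. The secret key and the `alice` user are constructed for the demo.

```python
import base64
import binascii
import hashlib
import hmac
import json
import time

# Constructed demo secret; a real service loads this from a secrets store, never from source.
SECRET_KEY = b"constructed-demo-secret-do-not-use-in-production"


def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(user_id: str, ttl_seconds: int, key: bytes = SECRET_KEY, now=None) -> str:
    """Return '<payload>.<signature>', the signature being HMAC-SHA256 over the encoded payload."""
    now = int(time.time()) if now is None else now
    payload = json.dumps({"uid": user_id, "exp": now + ttl_seconds}, sort_keys=True, separators=(",", ":"))
    encoded = _b64url(payload.encode())
    sig = hmac.new(key, encoded.encode("ascii"), hashlib.sha256).digest()
    return f"{encoded}.{_b64url(sig)}"


def verify_token(token: str, key: bytes = SECRET_KEY, now=None):
    """Recompute the MAC; return the claims dict only if it matches and the token is unexpired, else None."""
    now = int(time.time()) if now is None else now
    try:
        encoded, sig_text = token.split(".", 1)
        presented = _b64url_decode(sig_text)
    except (ValueError, binascii.Error):
        return None
    expected = hmac.new(key, encoded.encode("ascii"), hashlib.sha256).digest()
    # Constant-time comparison: a plain '==' stops at the first differing byte and leaks timing.
    if not hmac.compare_digest(expected, presented):
        return None
    claims = json.loads(_b64url_decode(encoded))
    if claims.get("exp", 0) <= now:
        return None
    return claims


def simulate_tampering(token: str, new_exp: int) -> str:
    """The attack from the post: decode the payload, change 'exp', re-encode, keep the old signature."""
    encoded, sig_text = token.split(".", 1)
    claims = json.loads(_b64url_decode(encoded))
    claims["exp"] = new_exp
    payload = json.dumps(claims, sort_keys=True, separators=(",", ":"))
    return f"{_b64url(payload.encode())}.{sig_text}"
```

`verify_token` checks the MAC before it parses or trusts any claim, so the expiration edit made by `simulate_tampering` is rejected without the receiver ever acting on the forged value.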
Source: https://dev.to/determinado96/um-resumo-sobre-o-padrao-de-seguranca-hmac-3okj