We Keep Coding

Is it necessary to use a JWT token when logging in to Angular 6 and PHP web app

About the login step at Angular 6:
If I did it as the following:
Send username and password to PHP;
Server code check user if exists;
If really exists, we will send a json array again to Angular containing username and user role
Save them in localstorage
And when user try to navigate through the app, we will check these credentials using canActivate guard service.
Do we need to use JWT too to set a token or isn't necessary ?

Its not compulsory to use JWT, If your application requires extra
mission critical security use it.
Using JWT protects data from unwanted modifications before its received by the server. The unwanted modifications may be made by someone intercepting the data or from the user itself .
JWT just sends data to server in encoded format along with signature. So, that modification become little tough or even if made, data is not accepted by server as signature validation fails.
Sample JWT data passed :
eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9 // header
.eyJrZXkiOiJ2YWwiLCJpYXQiOjE0MjI2MDU0NDV9 // payload
.eUiabuiKv-8PYk2AkGY4Fb5KMZeorYBLw261JPQD5lM
Sample plain/json data
{
"username": "hello",
"full_name" : "Jason Bourne"
}
Here, you can easily see and modify the data passed, and in JWT you can't.

Yes! you need, because :
The token-based authentication systems allow users to enter their username and password in order to obtain a token which allows them to fetch a specific resource - without entering their username and password at each request. Once their token has been obtained, the user can use the token to access specific resources for a set time period.
JWT (pronounced 'jot') is a token based authentication system. It is a compact, URL-safe means of representing claims to be transferred between two parties. The claims in a JWT are encoded as a JSON object that is digitally signed using JSON Web Signature. The JWT is a self-contained token which has authentication information, expire time information, and other user defined claims digitally signed.
Source: JWT (JSON Web Tokens) Are Better Than Session Cookies
more info: JWT
introduction: this link
Implementation example: php-authorization-jwt-json-web-tokens

It is not neccessary, but may come in handy.
If you have single application working on a single webserver you could skip JWT completely and just have a cookie autentication mechanism, so that each JavaScript call to the webserver contains your authentication cookie so your backend can respond with proper user data.
JWT comes in handy though when you have more servers involved. Think of SSO service acting as a glue between multiple related sites, like StackOverflow and others. You just pass the JWT token and each server can safely assume the data was not tampered with and have immediate access to the user's identity, some basic details etc.

OAuth 2 token of MailChimp API call

I am developing an application from where I would like to create Campaign with list. The application flow is like this, User will click a Button then user will redirected to MailChimp login page, User will come back to my site after Logged in where URL is http://127.0.0.1:8000/home?code=f0f6949c8b5286c38a90aa4820776e14.This code is Authorization Code.
Now I would like to fetch Lists of that specific user who is logged in few moments ago. I can fetch my Lists using API key, but I need users Lists, I don't know users API key.
How can do that ?
I think I need OAuth 2 token of MailChimp API call to fetch User's Lists. How can I get OAuth 2 token of MailChimp API call ?
Thanks

From the MailChimp documentation (source: http://developer.mailchimp.com/documentation/mailchimp/guides/how-to-use-oauth2/)
How to Use OAuth2
For developers integrating platforms that require clients to access MailChimp’s servers, we recommend using OAuth2 for authorization. OAuth2 is a secure option that allows third-party applications to access a server without passing user credentials or API keys.
Before You Start
Here are some things to know before you begin the OAuth2 process.
Our server implements v10 of the OAuth2 specification, and supports Web Server Flow.
On the server side, OAuth2 is pure HTTPS, so we recommend using HTTPS for your redirect_uri.
We don’t expire tokens, so you won’t need to use refresh_token.
Register Your Application
When you’re ready to begin, register your application with MailChimp:
In your MailChimp account, navigate to the Account page.
In the account drop-down menu, click Extras, and choose API Keys.
Under the “Developing an App?” heading, click Register and Manage Your Apps.
Click Register an App.
In the fields provided, input your application’s information and click Create.
When creation is successful, you’ll see an Application created message appear, and more information at the end of your form, including the Client_ID and Client Secret. Do not share the Client_ID and Client Secret.
On this screen, you don’t need to save or change the information. Click Update or Cancel to go back to the Registered Apps page, or close the window.
Endpoints
OAuth2 exposes three specific endpoints, and one for metadata.
authorize_uri
https://login.mailchimp.com/oauth2/authorize
access_token_uri
https://login.mailchimp.com/oauth2/token
redirect_uri
Client-side, made available to the browser in use.
metadata
https://login.mailchimp.com/oauth2/metadata
Note
We support wildcards for the redirect_uri so you can provide
data-center-specific information for proper API calls. Wildcards work
as long as the redirect_uri appears to be a user-registerable domain
under a top level domain. For example, if you enter https://co.uk/ as
a redirect_uri, wildcard support won’t work. If you enter
https://mydomain.co.uk/, wildcard support will work. Domain detection
is based on these criteria.
A redirect_uri will also override the path portion of a URL, as well.
For example, a redirect_uri set to https://test.example.com/oauth.php
means that any URI starting with either test.example.com or
*.test.example.com will work (i.e.: https://test.example.com/somethingelse.php is valid).
Flow
To start your application’s connection to MailChimp, start by sending the user to the authorize_uri.
The user will input their username and password to approve your application. “Remember Me” cookies aren’t permitted here.
After the user authorizes your application, our server will redirect your user back to the redirect_uri, along with a code you can exchange for an access_token. The code is valid for 30 seconds.
Your application should then make an out-of-band request to the access_token_uri using the code our server provided.
Our server returns an access_token, which completes the official OAuth2 flow.
To complete the MailChimp flow, make another RESTful request using an OAuth2 client to the metadata_uri.
Our server will return a datacenter string, API endpoint, and login URL, as described in the following list.
dc:
The data center string, like us1, us2. If your API wrapper is data center aware, use access_token-dc as a standard API key.
api_endpoint:
Use https://{dc}.api.mailchimp.com. If you your API wrapper isn’t datacenter-aware, use this API endpoint and the access_token as your API key.
login_url:
https://login.mailchimp.com
Note
The access_token is used as an API key. Users don’t have access to these keys because they are tied directly to your
application. But, the user can de-authorize your application in
MailChimp, which removes and invalidates the token.
Configuration information
User-Specific configuration
client_id
635959587059
client_secret
0da3e7744949e1406b7b250051ee1a95
redirect_uri
http://192.168.1.8/oauth/complete.php
MailChimp standard OAuth2 configuration
authorize_uri
https://login.mailchimp.com/oauth2/authorize
access_token_uri
https://login.mailchimp.com/oauth2/token
base_uri
https://login.mailchimp.com/oauth2/
MailChimp custom configuration
metadata_uri
https://login.mailchimp.com/oauth2/metadata

PHP RESTful Webservice with Slim Framework, Authentification needed or against statelessness?

I'm writing a RESTful Webservice with the Slim Microframework and use GET for reading data from a mysql database (select query) and also POST/PUT/DELETE for insert/update/delete rows in the database.
My question is now, is this not a big security issue if everybody is able to write or delete data in the database? But how could I prevent this, I thought the ST in REST stands for state transfer (so the webservice is stateless), which is a contradiction to a state like being logged in or not. And if I would pass some login data with the client which is allowed to write in the database, couldn't a bad guy catch the logindata and fake requests with it and for example delete all entries?
So, whats the normal way to go with this, the only Slim Framework examples I had found always show the route examples, but not how to secure it.
Are there also some opportunities in the Slim Framework to implement this what I need? It should be as easy as possible and the request should be responded nearly as quick as without an authentification or similar. There are no sensitive data like passwords, for me it would be enough that not everybody with a cURL commandline tool can delete all rows or things like that.
Would be great if anybody could explain me what to do and/or give some examples. I also need to know, what I maybe will need to change at the clients which are allowed to send the requests.
Lots of thanks.

Each request has to be authenticated and authorised.
People often get tied up with the word 'stateless'. This really just means that from one request to the next, the RESTful service has no prior knowledge of the users state.
BUT, the service is obviously allowed to be aware of the authenticated user that has just made a request, else how would it decide if it should allow access?
Therefore, you can 'store' the authenticated user in some variable during each request. Then it's up to you how you use this information to authorize the request.
I like to keep it simple and have all my users as a resource in my URI chain. They make requests like users/{username}/someresource.
I authenticate using http basic authentication (over SSL) and authorise based on the URI. If the request failed authentication, its a 401 Unauthorized Request. If the URI {username} and authenticated {username} do not match, the request is a 403 forbidden. If it is authenticated and authorized, the request is allowed (http code dependant on http verb)
Now that's the web service covered, now on to the web service client. This of course HAS to store state, otherwise your user would have to log in every time they make a request.
You simply store the users session in the application (as per normal session management) with the addition that you store the username and password (encrypted of course) in the session. Now every time a request is made, your web service client needs to retrieve the username and password, and send it with the request to your web service.

It will be stateless, in the sense that there won't be a session or a cookie, really. You'd normally issue out a key that would be required for INSERT/UPDATE/DELETE.
It is then up to you to pass the key with each request and to determine when a key should expire.

It would be as safe as normal http authenticated sessions. These use a cookie etc to authenticate the connected user to the stored session state.
A stateless service would be no different - the token is passed to the service just as a token is stored in a cookie for normal http. If you are worried about sniffing (IE man in the middle attacks) you would secure the link via SSL.
The authentication token generated by the service would be encrypted and would include a salt which is also verified on the server for each request. You could also limit the session time to suit your paranoia, and also check changes in source IP, user agent etc and expire the user's token if these change.

I recently ran into similar problem. As recommended by people here, I have decided to go with OAuth Authentication.
I am using HybridAuth A php wrapper for OAuth and out of the box sign in solution for Facebook, Twitter, Google, LinkedIn, etc.

Securing a REST API and Slim Framework

I am fairly new to REST APIs, and I realize there are quite a few questions already posted. However, perusing these has actually left me more confused on how to handle this.
I have created a REST API using Slim Framework which I am simply using to transfer data. I won't be using user logins or authentication, so I believe to secure this I just need a system that using a public key and a private key, but I am just not sure.
If anyone has insight on the correct / most secure way to do this, or any tutorials / resources that would be great. Any help is appreciated.

You can use SSL to encrypt data in transit.
But SSL is just encryption; server-side ssl does not do authentication of the client, nor authorization. You can think of authorization as answering the question is the caller allowed to do what he is asking?. Authentication establishing the identity of the caller or Authentication is usually a necessary first step for doing authorization. Sometimes you don't need "the whole identity" - you just need to ascertain a particular aspect. For example, an automated washroom gate would not need to know who you were, but only if you were male or female in order to ascertain identity. In the same way, some services don't care who you are; they will allow access if you are calling from a particular network (ip whitelist) or if you carry a special token.
To allow the server to distinguish between authorized and unauthorized calls you have some options:
IP whitelist. If you know the IP address of the app or agent which will call your service, you can specify that in your service implementation. The service can check the IP of incoming requests and reject those that are not on the whitelist. This is sort of "implicit" authorization based on the caller's address.
a secret token, that the app provides in each call. You said you didn't want to do authentication, but this is a form of authentication. You might call it a "bearer token". Anyone who bears this token gets authorization. In your server you'd check the value of the token and reject any calls that don't match the well-known value. This works much like the IP whitelist except the token is explicitly passed, and does not have any relation to the network address.
a token + key pair. This is like a username / password, but it can be used to authenticate the app. Use this to provide the identity of the app itself. Check on the service side as above.
a username / password. To authenticate the user of the app.
You may want to combine these to produce the solution you want. In other words, the client request needs to be from the right I address, and needs to have a token/key for the app, and a username/password for the user, in order to be considered "authorized".

Ajax post request security

I am developing a mobile application using PhoneGap which will communicate with a server(PHP) via ajax requests.
On the server side(PHP)
Something like https://example.com/retrieveData.php
will get the user id via $_POST['user_id'] and return some sensitive information about the user as JSON.
And on the client side(PhoneGap-Javascript)
that JSON output will be parsed and will be used in the application.
My concern is that if someone steals this url ( https://example.com/retrieveData.php ), he can manually send fake post requests and can steal the returned user information?
How can I secure this communication?

My concern is that if someone steals this url ( https://example.com/retrieveData.php ), he can manually send fake post requests and can steal the returned user information?
You are right to be concerned. Anybody can send a message to that URL, and get the result unless you check some part of the request that authorizes the request.
For example, you could authenticate to check that the request comes from the user and then authorize the request based on the idea that the user should have access to that info.
Alternatively, you can authorize based on something that only a valid requestor would know via a shared secret and rely on the https part of that URL to prevent shared secrets from becoming public. You give out the secret to trusted partners, and when you generate a web form via PHP (also protected via HTTPS), you include a hidden input containing the shared secret. This is how XSRF protection typically works.
You should think about the following:
Who should legitimately be able to reach this page? Logged-in users interacting via your phone app, partners who can protect a secret, web API users?
What credentials do they have for using other parts of your server? Log-in cookies? XSRF tokens? Partner tokens?
What parts of your app are sent only over secure channels like https?
If all of (1) is satisfied by some subset of credentials in (2) and those credentials are only ever sent over (3) then you just need to check (2) in your page. Otherwise, you need to rework your application architecture until that is true.
OWASP has a Guide to Authorization that might come in handy and they also have a number of pages on reviewing authorization code but most of the examples are not PHP specific.

Of course he can send any post request he wants. The only possible way to get around this is with authentication that the server knows about, i.e. the client has to send you something hard to guess and that starts a session in the server.

As other answers suggests, following is the strategy to make your webapp more secure :-
The most basic rule, use secured protocol(https)
Authenticate
your user through username and password
Most of the
features/operations of your app primarily must require user to be get
authenticated.
Apart from authentication, Maintain Access Control
List for your app, which decides authorities each user role
have(Assuming that you divides your users into different roles).
Prior to performing any operation on behalf of user, check if user is
authorized to do so.
Don't rely only on client-side validation.
Perform validation at server side also.
Send csrf_tokens along
with your response, along with session cookies.
Never send any
confidential information in cookies.
Hope it helps.