express-jwt

UnauthorizedError even with a valid jwt

Open masrc opened this issue 7 years ago • 4 comments

Hey! I have an application that verifies the JWT, but it's returning 401 even with a valid JWT being sent in the headers. It's pretty simple code and it should work fine, I guess.

This is the verify code:

this.app.use(jwt({
  secret: backendConfig.secret,
  getToken: function fromHeaderOrQuerystring (req) { // just used to print the headers
    console.log(JSON.stringify(req.headers));
  }
}).unless({path: ['/login']}));

And this is what is printed in my console when I print my req.headers:

{"host":"localhost:8080","connection":"keep-alive","accept":"application/json, text/plain, */*","origin":"http://localhost:4200","authorization":"Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiJtaWxlbmFAZ21haWwuY29tIiwiaXNzIjoiZXRtLWFwcCIsImlhdCI6MTUyMTQ1ODQ1MiwiZXhwIjoxNTIxNTQ0ODUyfQ.NZK8V2U6b1OoOSFrbF78gevqestTHY62KyJipkfGMNg","user-agent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/64.0.3282.186 Safari/537.36","content-type":"application/json","referer":"http://localhost:4200/","acceptencoding":"gzip, deflate, br","accept-language":"pt-BR,pt;q=0.9,en;q=0.8,en-US;q=0.7","if-none-match":"W/\"2a981-AyrQe3IC+a8sIEudVFX7ELZ8+Jw\""}

I think it may be related to "authorization", with the A in lowercase. This is the function where I'm setting the headers; it's an interceptor:

intercept(request: HttpRequest<any>, next: HttpHandler): Observable<HttpEvent<any>> {
        const authService = this.injector.get(AuthService);
        request = request.clone({
            setHeaders: {
                Authorization: `Bearer ${authService.getJWT()}`
            }
        });
        return next.handle(request);
    }

Have you any idea about how to make this work?

masrc, Mar 19 '18 13:03

Function fromHeaderOrQuerystring must return the token (just the token, not the Bearer part); could you fix it and retry?

sfragis, Apr 21 '18 20:04

As @sfragis suggested, you need to return the access token if you are using a custom getToken function.

jwt({
	secret: config.secret,
	// A custom getToken must return the bare token string, without the "Bearer " prefix
	getToken: function (req) {
		if (req.headers.authorization && req.headers.authorization.split(' ')[0] === 'Bearer') {
			return req.headers.authorization.split(' ')[1];
		}
		return null;
	}
});

devansvd, May 31 '18 13:05
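A stricter variant of the getToken from the answer above, shown next to the logging-only shape from the question. This is an added example, not part of the original thread and not express-jwt's own code; the names getBearerToken and loggingOnlyGetToken, the sample requests and the placeholder token aaa.bbb.ccc are constructed for illustration.

```javascript
// Added example. Requests and tokens below are constructed, not real.

// Returns the bare compact JWT from the Authorization header, or null.
function getBearerToken(req) {
  // Node's http module lowercases incoming header names, so a client that
  // sends "Authorization" is read here as req.headers.authorization.
  const header = req && req.headers ? req.headers.authorization : undefined;
  if (typeof header !== 'string') return null;

  // Expect exactly "<scheme> <token>"; anything else is malformed.
  const parts = header.trim().split(/\s+/);
  if (parts.length !== 2) return null;

  const [scheme, token] = parts;
  // The auth scheme name is case-insensitive (RFC 7235).
  if (scheme.toLowerCase() !== 'bearer') return null;

  // A signed compact JWT is three non-empty base64url segments.
  if (!/^[\w-]+\.[\w-]+\.[\w-]+$/.test(token)) return null;
  return token;
}

// Shape of the getToken in the question: it logs and returns undefined,
// so the middleware is never handed a token to verify.
function loggingOnlyGetToken(req) {
  console.log(JSON.stringify(req.headers));
}

// Constructed sample requests covering the valid and malformed cases.
const samples = [
  { headers: { authorization: 'Bearer aaa.bbb.ccc' } },  // well-formed
  { headers: { authorization: 'bearer   aaa.bbb.ccc' } }, // scheme case, extra spaces
  { headers: { authorization: 'Basic dXNlcjpwYXNz' } },   // wrong scheme
  { headers: { authorization: 'Bearer' } },               // no token
  { headers: { authorization: 'Bearer aaa.bbb' } },       // not three segments
  { headers: {} },                                        // header absent
];

for (const req of samples) {
  console.log(JSON.stringify(req.headers), '->', getBearerToken(req));
}
```

Pass it as `getToken: getBearerToken` in the options object shown in the answer above.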

Hi,

I'm having the same issue. I figured out what happens there, and this is the issue:

Basically, I send all the parameters, but the function only receives the options and the token; there should be at least 3 parameters, including the secret, which was not separated from the options, so I guess there is a bug here.

And there is the error of "UnauthorizedError: secret or public key must be provided"

djom202, Aug 23 '18 16:08

Is there a workaround? I am having this issue on one environment but not on another...

Edit: never mind, it was something else in my case.

Laubeee, Feb 13 '20 13:02