
`UnauthorizedError: jwt expired` being thrown with `credentialsRequired: false`

Open lorensr opened this issue 6 years ago • 9 comments

I believe that according to https://github.com/auth0/express-jwt/pull/47 I should not get this error?

UnauthorizedError: jwt expired
    at /Users/me/gh/api-model/node_modules/express-jwt/lib/index.js:102:22
    at /Users/me/gh/api-model/node_modules/jsonwebtoken/verify.js:27:18

Code:

import jwt from 'express-jwt'

expressApp.use(
  '/graphql',
  jwt({
    ...
    credentialsRequired: false
  }),
  ...
)

Version: "express-jwt": "^5.3.0",

lorensr avatar May 18 '18 01:05 lorensr

👍

bearfact avatar May 30 '18 15:05 bearfact

Having the same problem: unable to use custom error handling, it always returns jwt expired.

devansvd avatar May 31 '18 13:05 devansvd

@Vanthiyadevan that didn't work for me, and I don't think that the order of parameters should matter in any reasonable context.

This issue is pretty straightforward: In most circumstances, it's logically disjointed to allow the forward sequence of a request without credentials, yet deny a request that has expired credentials.

Therefore an option to allow the forward sequence of a request with expired credentials should be included; that has the added benefit of not breaking any apps that might now rely on the current behavior.

SimonStiph avatar Jun 07 '18 23:06 SimonStiph

The behavior was changed, caught me by surprise too. When the token is invalid it will now go to the error handler even if {credentialsRequired: false} is set. It used to be that it just continued as an unauthenticated user.

You can go back to the previous behavior by eating the error like so:

var ejwt = require('express-jwt');
app.use(ejwt({secret: config.app.secret, credentialsRequired: false}), function (err, req, res, next) {
  if (err.code === 'invalid_token') return next();
  return next(err);
});

karellodewijk avatar Jun 28 '18 07:06 karellodewijk
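The error-swallowing middleware from the comment above, written out as an added example (not code from this thread or from express-jwt itself) so the "expired" and "other invalid token" cases can be seen side by side. It runs without express by driving the handler with constructed errors; `downgradeInvalidToken`, `simulate` and `makeUnauthorizedError` are names chosen here, and the error shape (`name`, `code`, `inner`) is modelled on express-jwt 5's UnauthorizedError, which wraps the jsonwebtoken error (name `TokenExpiredError` for an expired token).

```javascript
// Constructed stand-in for express-jwt's UnauthorizedError (assumed shape:
// name 'UnauthorizedError', code such as 'invalid_token', inner = jsonwebtoken error).
function makeUnauthorizedError(code, inner) {
  const err = new Error(inner ? inner.message : code);
  err.name = 'UnauthorizedError';
  err.code = code;
  err.status = 401;
  err.inner = inner;
  return err;
}

// Error-handling middleware for routes mounted with credentialsRequired: false.
// A request carrying an unusable token is downgraded to an anonymous one: req.user is
// cleared so nothing downstream can act on claims from an expired or forged token.
// Every other error (e.g. 'credentials_required' on a route that demands a token,
// or an unrelated failure) is still passed on to the normal error handler.
function downgradeInvalidToken(err, req, res, next) {
  if (err && err.name === 'UnauthorizedError' && err.code === 'invalid_token') {
    delete req.user;
    // Keep the reason (e.g. 'TokenExpiredError') so the failure can still be logged.
    req.authFailure = err.inner ? err.inner.name : err.code;
    return next();
  }
  return next(err);
}

// Minimal stand-in for the express pipeline: runs the handler once and reports what
// the next route (or error handler) would observe.
function simulate(err, req = {}) {
  let forwarded = null;
  let reachedRoute = false;
  downgradeInvalidToken(err, req, {}, (e) => {
    if (e) forwarded = e; else reachedRoute = true;
  });
  return { reachedRoute, forwarded, user: req.user, authFailure: req.authFailure };
}

// Constructed sample errors mimicking what jsonwebtoken's verify() produces.
const expired = new Error('jwt expired'); expired.name = 'TokenExpiredError';
const badSig = new Error('invalid signature'); badSig.name = 'JsonWebTokenError';

console.log(simulate(makeUnauthorizedError('invalid_token', expired), { user: { sub: 'alice' } }));
console.log(simulate(makeUnauthorizedError('invalid_token', badSig)));
console.log(simulate(makeUnauthorizedError('credentials_required')));
console.log(simulate(new Error('db down')));
```

Unlike the `ignoreExpiration: true` route, this keeps an expired token from ever populating `req.user`; the request simply proceeds as unauthenticated, which is the pre-change behaviour the comment describes.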

@karellodewijk's solution seems to work, but it's weird to create custom error handlers while credentialsRequired is set to false.

pie6k avatar Aug 11 '18 13:08 pie6k

@karellodewijk I think the e in next(e) should be err.

paulbuying avatar Jan 21 '19 19:01 paulbuying

Any update on this?

iamchathu avatar Mar 26 '20 04:03 iamchathu

This is rather counter-intuitive behaviour. I would expect all failures of the token to be silent if credentialsRequired: false is set.

nolandg avatar May 17 '20 04:05 nolandg

To work around this I ended up creating a separate middleware for my routes that needed to allow an expired token, and including the ignoreExpiration option that gets passed along to jsonwebtoken here:

expressJwt({
  secret: process.env.JWT_SECRET,
  credentialsRequired: false,
  ignoreExpiration: true
});

rebolyte avatar Nov 03 '21 07:11 rebolyte