
validating client tokens

Open phil-w opened this issue 7 months ago • 3 comments

  • I let Dexie Cloud create cloud tokens and those work as intended.
  • I also have a separate server I use for other things.

I want to pass the JWT obtained from Dexie Cloud and stored in my client to my private server, and then use that to determine "who the user is". That is, I need to (a) check the token signature; (b) decode the token; (c) extract the user ID from it.

This is how I'm doing it: https://dexie.org/cloud/docs/rest-api#tokenvalidate

In Development

That works fine if I'm running a client connected to a dev server, with server code as below. I cache the results carefully.

  • Note use of "origin", without which it fails.
  • origin = http://localhost:5173
  • web/mobile clients access this and it works as intended/expected.

```js
// bearer = "Bearer <jwt>" from the client; origin = the client's origin (dev: http://localhost:5173)
const r = await fetch(`https://${PUBLIC_DEXIE_DB}/token/validate`,
   { method: 'GET', headers: { 'Content-Type': 'application/json', 'Authorization': bearer, 'Origin': origin } });
```

In Production

  • origin = https://ApplicationName.netlify.app/, and I get the following error (I blanked the details):

  • fails at server with: Token verification failed: jwt audience invalid. expected: https://zuu**.dexie.cloud or zuu**

  • Fair enough: it checks "origin", and https://ApplicationName.netlify.app/ is different from those it expected, which are likely the "audience" values.

  • I also note that audience values in dev and production are different. I'd guess there are multiple Dexie Cloud servers in some balancing config, and in the two scenarios (Dev, Prod) I'm unlikely to be allocated the same machine.

Attempted Fix: hard coded correct expected origin into request

  • Same problem, same error.
  • I added some trace to show the actual origin I'm using and it's definitely one of the two required:

```text
Validate via zuu***.dexie.cloud with origin = https://zuu**.dexie.cloud
Token verification failed: jwt audience invalid. expected: https://zuu**.dexie.cloud or zuu**
```

  • I tried it with the other audience with a similar failure.

Ideas?

I just want to check the signature and get the userID plus the expiration date out of it. Any ideas?

  • Could /token/validate return a list of errors and a list of the good stuff too? I mean, maybe knowing that the audience is wrong is useful, but I don't care about it in this case, and I do care about the other stuff. I can manually check the jwt with jwt.io and it reads/sig-checks fine.
  • I can probably ignore this error; I don't care about it, but I still need the other data out of the token, so that's not helping much.

phil-w, Jun 29 '24 10:06
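One way to see which audience the token actually carries, so it can be compared with the Origin being sent, is to decode the payload locally before calling /token/validate. This is an added example, not code from the issue or from Dexie; it only decodes (no signature check), so the signature still has to be verified by /token/validate, and the sample token and the `zuuxx` host are constructed placeholders.

```javascript
// Added diagnostic helper (not from the issue or Dexie). Decodes a JWT payload WITHOUT
// verifying it, to show the audience/subject/expiry the token carries. Never use these
// unverified claims for authorization; signature verification stays with /token/validate.

function base64UrlDecode(s) {
  const pad = s.length % 4 === 0 ? '' : '='.repeat(4 - (s.length % 4));
  return Buffer.from(s.replace(/-/g, '+').replace(/_/g, '/') + pad, 'base64').toString('utf8');
}

// Returns { sub, aud (always an array), exp, expired } or throws on a malformed token.
function peekClaims(jwt, now = Math.floor(Date.now() / 1000)) {
  const parts = jwt.split('.');
  if (parts.length !== 3) throw new Error('not a compact JWS (expected 3 dot-separated parts)');
  const payload = JSON.parse(base64UrlDecode(parts[1]));
  const aud = Array.isArray(payload.aud) ? payload.aud : payload.aud ? [payload.aud] : [];
  const expired = typeof payload.exp === 'number' && payload.exp <= now;
  return { sub: payload.sub, aud, exp: payload.exp, expired };
}

// Does the Origin we intend to send match one of the token's audiences? The error in
// the issue lists both "https://host" and bare "host" forms, so compare on the host
// with scheme and trailing slash stripped (the production origin had a trailing "/").
function originMatchesAudience(origin, aud) {
  const norm = s => s.replace(/^https?:\/\//, '').replace(/\/+$/, '');
  return aud.some(a => norm(a) === norm(origin));
}

// Constructed sample token for demonstration: real header/payload encoding, dummy signature.
function makeSampleToken(claims) {
  const enc = o => Buffer.from(JSON.stringify(o)).toString('base64')
    .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
  return `${enc({ alg: 'RS256', typ: 'JWT' })}.${enc(claims)}.dummysig`;
}

// Example run: compare the audience inside the token with the origin we plan to send.
const sample = makeSampleToken({ sub: 'user@example.com', aud: 'https://zuuxx.dexie.cloud', exp: 4102444800 });
const claims = peekClaims(sample);
console.log(claims, originMatchesAudience('https://zuuxx.dexie.cloud/', claims.aud));
```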