
Node.js - Express.js JWT always returns an invalid token error in browser response

I'm using node.js and express.js with the express-jwt module, and I have set up a simple HTTP server to test everything:

This is the node code involved:

    app.set('port', process.env.PORT || 3000);
    app.use(express.methodOverride());
    app.use(allow_cross_domain);
    app.use('/api', expressJwt({secret: '09qrjjwef923jnrge$5ndjwk'}));
    app.use(express.json());
    app.use(express.urlencoded());
    app.use('/', express.static(__dirname + '/'));
    app.use(function(err, req, res, next){
      if (err.constructor.name === 'UnauthorizedError') {
        res.send(401, 'Unauthorized');
      }
    });

    app.get('login',function(req,res){
      //...
      jwt.sign(results.username+results.email, secret, { expiresInMinutes: 9000000000*9393939393393939393939 });
    });

    app.post('api/profile',function(req,res){
      console.log(req.user); // this returns undefined in the console
      res.send(req.user); // response is pending and dunno why it returns an error in the browser console
    });

So once I open the /login URL I get logged in and I send the session token to api/post, which returns this response error in the browser console:

{"error":{"message":"invalid signature","code":"invalid_token","status":401,"inner":{}}}

I don't understand why this is happening, because the token stored in the front-end and the token in JWT are the same. What could be the reason for this error?

An example of headers POSTed to the api/post URL:

[Image: screenshot of the request headers]

asked Feb 19 '14 14:02

itsme



2 Answers

Here is an example

http://blog.auth0.com/2014/01/07/angularjs-authentication-with-cookies-vs-token/

    var expressJwt = require('express-jwt');
    var jwt = require('jsonwebtoken');

    var SECRET = 'shhhhhhared-secret';

    app.use('/api', expressJwt({secret: SECRET}));

    app.post('/authenticate', function (req, res) {
      //TODO validate req.body.username and req.body.password
      //if is invalid, return 401
      if (!(req.body.username === 'john.doe' && req.body.password === 'foobar')) {
        res.send(401, 'Wrong user or password');
        return;
      }

      var profile = {
        first_name: 'John',
        last_name: 'Doe',
        email: 'john@doe.com',
        id: 123
      };

      // We are sending the profile inside the token
      var token = jwt.sign(profile, SECRET, { expiresIn: 18000 }); // 60*5 minutes

      res.json({ token: token });
    });

    app.get('/api/protected',
      function(req, res) {
        res.json(req.user);
      });
answered Sep 21 '22 15:09

woloski


Also, make sure you don't put a : after bearer. E.g.

BAD!

    Authorization: Bearer: eyJ0eXAiOiI1NiJ9.eyJpZCMjEyNzk2Njl9.4eU6X1wAQieH

Prints "UnauthorizedError: jwt must be provided" to logs

Good

    Authorization: Bearer eyJ0eXAiOiI1NiJ9.eyJpZCMjEyNzk2Njl9.4eU6X1wAQieH

answered Sep 21 '22 15:09

Michael Cole
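
The signature check and the header format discussed in the answers above, as an added example that is not part of the original thread and is not express-jwt's or jsonwebtoken's own code: a minimal HS256 signer and verifier on Node's built-in `crypto`, showing that a token verifies only under the secret it was signed with and that a `Bearer:` scheme yields no token. The function names, secrets and payload are constructed for illustration.

```javascript
const crypto = require('crypto');

const b64url = (data) => Buffer.from(data).toString('base64url');
const hmac = (data, secret) => crypto.createHmac('sha256', secret).update(data).digest();

// Sign "header.payload" with HMAC-SHA256 under the given secret.
function signHS256(payload, secret) {
  const head = b64url(JSON.stringify({ alg: 'HS256', typ: 'JWT' }));
  const body = b64url(JSON.stringify(payload));
  return `${head}.${body}.${b64url(hmac(`${head}.${body}`, secret))}`;
}

// Recompute the signature with the verifier's own secret and compare in
// constant time. Claims such as exp are not checked in this sketch.
function verifyHS256(token, secret) {
  const parts = token.split('.');
  if (parts.length !== 3) return { ok: false, error: 'jwt malformed' };
  const [head, body, sig] = parts;
  let header;
  try { header = JSON.parse(Buffer.from(head, 'base64url').toString()); }
  catch (e) { return { ok: false, error: 'jwt malformed' }; }
  if (!header || header.alg !== 'HS256') return { ok: false, error: 'invalid algorithm' };
  const expected = hmac(`${head}.${body}`, secret);
  const given = Buffer.from(sig, 'base64url');
  if (given.length !== expected.length || !crypto.timingSafeEqual(given, expected)) {
    return { ok: false, error: 'invalid signature' };
  }
  return { ok: true, payload: JSON.parse(Buffer.from(body, 'base64url').toString()) };
}

// Accept only "Bearer <token>"; any other scheme (including "Bearer:") gives null.
function bearerToken(headerValue) {
  const parts = (headerValue || '').split(' ');
  return parts.length === 2 && /^Bearer$/i.test(parts[0]) ? parts[1] : null;
}

// Constructed sample values: two different secrets, as happens when the
// signing route and the verifying middleware do not share one constant.
const SIGNING_SECRET = 'secret-used-when-signing';
const VERIFY_SECRET = 'secret-used-when-verifying';
const token = signHS256({ username: 'alice', email: 'alice@example.com' }, SIGNING_SECRET);

console.log(verifyHS256(token, VERIFY_SECRET));   // signature mismatch
console.log(verifyHS256(token, SIGNING_SECRET));  // same secret on both sides
console.log(bearerToken(`Bearer: ${token}`));     // colon after the scheme
console.log(bearerToken(`Bearer ${token}`) === token);
```

Keeping the secret in one shared constant (or one configuration value) that both the signing call and the middleware read removes the mismatch case entirely.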