Thank you! I really enjoyed the talk and have now watched it twice. I think this is a much-needed resource—certainly much-needed by me.
I was having some trouble getting the /whoami route to work. I think there may be two issues, but I'm certainly not an expert:
- The validate function in the strategy configuration seems to be expecting the decoded JWT to contain an id, a role, and a scope. In the example, however, the JWT is created with an email, scope, and name. This seems to be a mismatch.
- Because there is no default auth configured (server.auth.default) and because auth is not configured for the /whoami route (config: {auth: "jwt"}), I think that request.auth.credentials will always be null. I kept getting a 204 ("No Content") response, for example, whether I was signed in or not. To get the route to pipe the token through the authentication strategy, I configured authentication for the route (config: {auth: "jwt"}). But that caused me to get an "invalid_token" response. Digging into the hapi-auth-jwt2 documentation, I saw that setting the key is a required field. Setting that to my secret key seems to have fixed the issue. I know that you said in the talk that in a production app you would, of course, verify the token and, if invalid, sign the user out. It might be helpful to add those details to this demo. I realize that you are trying to keep things as simple as possible, but it would seem that verifying the JWT is essential to an authentication example.
Again, I'm certainly not an expert. Even if I'm missing something basic here, I hope that this question will be helpful to others who may be wondering about the same things. And thank you again for putting together this demo and for doing the talk.