This repository has been archived by the owner on Apr 23, 2019. It is now read-only.

Should use cookie JWT if there is no local storage JWT OR local storage JWT is invalid. #44

Closed
skinnyworm opened this issue Apr 22, 2017 · 5 comments

Comments

@skinnyworm

Steps to reproduce

Given a user is successfully authenticated.

After the JWT has expired, the user won't be able to authenticate via oauth2 (e.g. authenticate via the cookie JWT).

Cause of the problem.

In my React (or React Native) app, it tries to authenticate the current user during the app initialization phase by calling passport.authenticate() without any parameter. In this case feathers-authentication-client will get an updated token by using the existing token and the jwt strategy. The existing token is resolved from local storage or a cookie.

This is an expected behavior for oauth2. During an oauth2 success redirect, a jwt token will be presented in the cookie for the app to authenticate.

By reading the getJWT() method in the passport.js file:

```js
// Excerpt from getJWT(); `resolve` belongs to the enclosing Promise
// constructor, which is not shown here.
return Promise.resolve(this.storage.getItem(this.options.storageKey))
  .then(jwt => {
    // The cookie is only consulted when local storage holds no token at all,
    // so an expired local token still wins here and is then discarded below.
    let token = jwt || this.getCookie(this.options.cookie);

    if (token && token !== 'null' && !this.payloadIsValid(decode(token))) {
      token = undefined;
    }

    return resolve(token);
  });
```

I've found that as long as a local token exists it will omit the cookie token even if the local token is invalid. It will cause the passport.authenticate() failure, given no existing token can be resolved.

Expected behavior

A cookie token should be used if there is no local token or the local token is invalid.
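The two behaviours side by side, as an added example that is not code from feathers-authentication-client or from this issue's author: `getJWTAsReported` mirrors the `jwt || cookie` lookup quoted above, and `getJWTWithFallback` implements the expected behaviour by trying each candidate in order and keeping the first one whose payload is still valid. The JWT encode/decode helpers, the synchronous `memoryStorage` stand-in, the `feathers-jwt` key name, the cookie string and the tokens are all constructed for the demo and are assumptions, not the library's API.

```javascript
// Added example (not the project's code): fallback-aware token lookup next to
// the reported behaviour. Tokens, storage and cookie string are constructed.

function base64UrlEncode(str) {
  return Buffer.from(str, 'utf8').toString('base64')
    .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
}

function base64UrlDecode(segment) {
  const b64 = segment.replace(/-/g, '+').replace(/_/g, '/');
  const pad = '='.repeat((4 - (b64.length % 4)) % 4);
  return Buffer.from(b64 + pad, 'base64').toString('utf8');
}

// Constructed, unsigned test token: the client never verifies the signature,
// it only reads exp to decide whether the token is worth sending to the server.
function makeToken(payload) {
  const header = base64UrlEncode(JSON.stringify({ alg: 'HS256', typ: 'JWT' }));
  return `${header}.${base64UrlEncode(JSON.stringify(payload))}.constructed-signature`;
}

// Decode the payload segment; null for anything that is not JWT-shaped.
function decode(token) {
  const parts = String(token).split('.');
  if (parts.length !== 3) return null;
  try { return JSON.parse(base64UrlDecode(parts[1])); } catch (e) { return null; }
}

// exp is seconds since the epoch; now is milliseconds (as from Date.now()).
function payloadIsValid(payload, now) {
  return !!payload && typeof payload.exp === 'number' && payload.exp * 1000 > now;
}

// Read one cookie out of a document.cookie style string.
function getCookie(cookieString, name) {
  for (const pair of cookieString.split(';')) {
    const [key, ...rest] = pair.trim().split('=');
    if (key === name && rest.length) return decodeURIComponent(rest.join('='));
  }
  return undefined;
}

// Minimal synchronous stand-in for the WebStorage getItem interface (assumption).
function memoryStorage(entries) {
  const map = new Map(Object.entries(entries));
  return { getItem: key => (map.has(key) ? map.get(key) : null) };
}

function usable(token, now) {
  return !!token && token !== 'null' && payloadIsValid(decode(token), now);
}

// Behaviour reported in the issue: the cookie is consulted only when local
// storage is empty, so an expired local token shadows a fresh cookie token.
function getJWTAsReported({ storage, storageKey, cookieString, cookieName, now }) {
  const token = storage.getItem(storageKey) || getCookie(cookieString, cookieName);
  return usable(token, now) ? token : undefined;
}

// Expected behaviour: walk the candidates in priority order and return the
// first whose payload is valid; fall through to the cookie when the local
// token is absent, the literal string 'null', or expired.
function getJWTWithFallback({ storage, storageKey, cookieString, cookieName, now }) {
  const candidates = [storage.getItem(storageKey), getCookie(cookieString, cookieName)];
  return candidates.find(candidate => usable(candidate, now));
}

// Constructed scenario with a fixed instant so the result is deterministic.
const NOW = 1700000000000;
const EXPIRED = makeToken({ sub: 'user-1', exp: 1699999000 });
const FRESH = makeToken({ sub: 'user-1', exp: 1700003600 });

function scenario(localToken) {
  return {
    storage: memoryStorage(localToken === undefined ? {} : { 'feathers-jwt': localToken }),
    storageKey: 'feathers-jwt',
    cookieString: 'theme=dark; feathers-jwt=' + FRESH,
    cookieName: 'feathers-jwt',
    now: NOW
  };
}

console.log(getJWTAsReported(scenario(EXPIRED)) === undefined);  // true: user is locked out
console.log(getJWTWithFallback(scenario(EXPIRED)) === FRESH);    // true: cookie token is used
```

Note that a valid local token still takes precedence over the cookie in the fallback version; only an unusable local token lets the cookie through, which is what the expected behaviour above asks for.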

@marshallswain
Member

marshallswain commented Apr 24, 2017

This should be easily solved by providing a WebStorage-compatible cookie package like this one: https://www.npmjs.com/package/cookie-storage

```js
import { CookieStorage } from 'cookie-storage'
import feathers from 'feathers/client'
import auth from 'feathers-authentication-client'

const feathersClient = feathers()
  .configure(auth({
    // Use a cookie in the primary storage engine.
    storage: new CookieStorage()
  }))
```

The above example is missing the transport setup, of course, but the information relevant to this issue has been added.

@skinnyworm
Author

skinnyworm commented Apr 25, 2017

@marshallswain This is a good solution.

@jasondonnette

I was just running into some strange bugs with the cookie/localStorage thing as well. Similar to @skinnyworm I was finding that users would get "locked out" after the jwt expired.

(In my case it kept locking users out even after manually clearing the localStorage variable, I wasn't quite able to pinpoint what was going on... pretty strange behavior).

But this cookie-storage library does resolve it. Seems like a pretty big issue, curious how this is not affecting more people?

@marshallswain
Member

That is weird. I'm not sure why it's happening. I haven't been able to reproduce it, yet, but I'll keep watching for it.

@daffl
Member

daffl commented Apr 22, 2019

Cookies are no longer used in Feathers v4 authentication. Please see the migration guide for more information. Closing this issue in order to archive this repository. Related issues can be opened at the new code location in the Feathers main repository.

@daffl daffl closed this as completed Apr 22, 2019