
remove method failed with JsonWebTokenError: invalid token #388

Closed
boybundit opened this Issue Dec 31, 2016 · 6 comments

Contributor

boybundit commented Dec 31, 2016

Steps to reproduce

Calling DELETE /authentication with a valid JWT in the header results in an error.

Apparently, it gets the token from the Authorization header without removing the Bearer text at the beginning.

  remove (id, params) {
    const defaults = this.app.get('auth');
    const accessToken = id !== null ? id : params.headers[defaults.header.toLowerCase()];
    // TODO (EK): return error if token is missing?
    return this.passport
      .verifyJWT(accessToken, merge(defaults, params))
      .then(payload => {
        return { accessToken };
      });
  }

Expected behavior

No error

Actual behavior

Error is thrown. JsonWebTokenError: invalid token

System configuration

Module versions (especially the part that's not working):

+-- feathers@2.0.3
+-- feathers-authentication@1.0.2
+-- feathers-authentication-jwt@0.3.1

NodeJS version: 6.9.1

Operating System: Windows 10

Browser Version: Chrome 55.0.2883.87 m

Module Loader: Node.js

Contributor Author

boybundit commented Dec 31, 2016

This is pretty straightforward, so please let me know if a PR is welcome.

BTW, what is exactly the purpose of it? If for token verification, then why do we use remove method?

Member

daffl commented Dec 31, 2016

It's remove for sending the app.on('logout') event and to also have the option of adding hooks to e.g. revoke or blacklist a token.

I think this is related to feathersjs/authentication-jwt#5, I guess verifyJWT needs to do the same thing.

Contributor Author

boybundit commented Jan 3, 2017

Then, should we make a distinction between the JWT used to authenticate the request and the JWT to be removed?

  1. JWT to authenticate the request
    This is a task of feathers-authentication-jwt.

  2. JWT to be removed
    As with the standard remove service, it should require an id like DELETE /auth/:id. This is already implemented using the JWT as an id. (Even though a token is not exactly an id. RFC 7519 offers an optional jti field.)

If we would like to support extraction of JWT to be removed, from JWT used to authenticate the request, then we have to expose jwtFromRequest as with feathers-authentication-jwt because both should ultimately use the same extractor(s).

IMHO, the current implementation is fine as we should make the distinction between the two. I would like to even remove header extraction support if id is missing when calling remove.

Member

ekryski commented Jan 20, 2017

I had intended on adding support for jti so that we can handle blacklisting nicer. Still some work to do there but IMHO the authentication service really should be auth/token again and the validation of a token really should just be a hook you apply on the service, and the service acts like a regular DB backed one. This would allow us to blacklist tokens easily if you wanted that functionality.

Member

ekryski commented Jan 20, 2017

@boybundit if you have time for a PR in the next couple days I'd love one! Otherwise I will try and get to it. In order to fix the actual issue it should split on whitespace and ignore the Bearer part.
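The header extraction the thread is asking for, as an added example (not feathers-authentication's own code): split the Authorization value on whitespace, drop the Bearer scheme, and fall back to the id when one is passed. It assumes `params.headers` is a plain object with lower-cased keys, as Node's http module provides; the JWT value is a constructed placeholder.

```javascript
// Added example, not code from feathers-authentication. Extracts the raw JWT
// from an "Authorization: Bearer <token>" header so that what reaches
// verifyJWT is the token alone, not "Bearer <token>" (which is what triggers
// JsonWebTokenError: invalid token in the issue above).
function extractBearerToken(headers, headerName = 'authorization') {
  const raw = headers && headers[headerName.toLowerCase()];
  if (typeof raw !== 'string' || raw.trim() === '') {
    return null; // header missing or empty: nothing to verify
  }
  // Split on whitespace and ignore the Bearer part, as suggested in the thread.
  const parts = raw.trim().split(/\s+/);
  if (parts.length === 1) {
    return parts[0]; // bare token with no scheme prefix
  }
  if (parts.length === 2 && parts[0].toLowerCase() === 'bearer') {
    return parts[1]; // scheme name is case-insensitive per RFC 7235
  }
  return null; // some other scheme (e.g. Basic) or an unexpected shape
}

// Mirrors the issue's remove(id, params) lookup: an explicit id wins, the
// Authorization header is only the fallback when no id was supplied.
function resolveTokenToRemove(id, params, headerName = 'authorization') {
  if (id !== null && id !== undefined) {
    return id;
  }
  return extractBearerToken(params && params.headers, headerName);
}

// Constructed sample value; not a real or valid token.
const SAMPLE_JWT = 'eyJhbGciOiJIUzI1NiJ9.e30.PLACEHOLDER_SIGNATURE';

module.exports = { extractBearerToken, resolveTokenToRemove, SAMPLE_JWT };
```

Returning `null` rather than the whole header value lets the caller reject the request up front instead of letting the verifier fail on a malformed string.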

Member

ekryski commented Mar 22, 2017

Closed by #403.

@ekryski ekryski closed this Mar 22, 2017
