You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
{{ message }}
This repository has been archived by the owner on Mar 22, 2022. It is now read-only.
Configure to use JWT with Cookie:
=> Setup cookie in default.json, Enabled, HTTP Only, no HTTPs
=> Setup cookie-parser
=> Setup JWT CookieExtractor (like this one, but change to req.cookies[config.cookie.name])
Login should work normally
Requests should work normally.
Try to call "Remove" from Authentication Service (delete to /authentication)
Expected behavior
Cookie should be removed from client, and return an success result.
Actual behavior
Cookie IS REMOVED from client, but returns an Internal Server Error:
Server Error:
info: error: authentication - Method: remove: token must provided
error: Error: token must provided
System configuration
Tell us about the applicable parts of your setup.
NodeJS version: 8.9.1
Operating System: Windows
Browser Version: Chrome / Postman
Module Loader: Webpack
Some Insight
After some research and debugging, pin pointed the problem to service.js from Feathers-Authentication (inside lib folder), and found out this piece of code:
{
key: 'remove',
value: function remove(id, params) {
var defaults = this.app.get('authentication') || this.app.get('auth');
var authHeader = params.headers && params.headers[defaults.header.toLowerCase()];
var authParams = authHeader && authHeader.match(/(\S+)\s+(\S+)/);
var accessToken = id !== null ? id : authParams && authParams[2] || authHeader;
// TODO (EK): return error if token is missing?
return this.passport.verifyJWT(accessToken, (0, _lodash2.default)(defaults, params)).then(function (payload) {
return { accessToken: accessToken };
});
}
}
The problem seems to occur because it tries to find the accessToken on request header 'Authorization', but since I'm using cookies, it can't find and gives the error. After making a small tweak, the problem goes away, but I don't know if it is the right fix:
{
key: 'remove',
value: function remove(id, params) {
var defaults = this.app.get('authentication') || this.app.get('auth');
var authHeader = params.headers && params.headers[defaults.header.toLowerCase()];
var authParams = authHeader && authHeader.match(/(\S+)\s+(\S+)/);
var accessToken = id !== null ? id : authParams && authParams[2] || authHeader;
// Get accessToken from cookies instead of header if not found.
accessToken = accessToken ? accessToken : params.cookies && defaults.cookie ? params.cookies[defaults.cookie.name] : undefined;
// TODO (EK): return error if token is missing?
return this.passport.verifyJWT(accessToken, (0, _lodash2.default)(defaults, params)).then(function (payload) {
return { accessToken: accessToken };
});
}
}
The text was updated successfully, but these errors were encountered:
It checks if there isn't a authHeader, and if cookies seems enabled, if it is, extract it and set authHeader. Error is gone, and I can commit it in my project while I don't know if I'm doing something wrong. (:
The cookie - although possible - is not really intended as an authentication strategy to avoid CSRF issues. Your solution works. Another way would be to use the cookieParser and exposeCookies Express middleware.
Steps to reproduce
=> Setup cookie in default.json, Enabled, HTTP Only, no HTTPs
=> Setup cookie-parser
=> Setup JWT CookieExtractor (like this one, but change to req.cookies[config.cookie.name])
Expected behavior
Cookie should be removed from client, and return an success result.
Actual behavior
Cookie IS REMOVED from client, but returns an Internal Server Error:
Server Error:
info: error: authentication - Method: remove: token must provided
error: Error: token must provided
System configuration
Tell us about the applicable parts of your setup.
NodeJS version: 8.9.1
Operating System: Windows
Browser Version: Chrome / Postman
Module Loader: Webpack
Some Insight
After some research and debugging, pin pointed the problem to service.js from Feathers-Authentication (inside lib folder), and found out this piece of code:
The problem seems to occur because it tries to find the accessToken on request header 'Authorization', but since I'm using cookies, it can't find and gives the error. After making a small tweak, the problem goes away, but I don't know if it is the right fix:
The text was updated successfully, but these errors were encountered: