auth0 / node-jsonwebtoken

JsonWebToken implementation for node.js http://self-issued.info/docs/draft-ietf-oauth-json-web-token.html
MIT License

Laravel JWT Invalid claim date ReactJS #574

Closed ulisescarreonalvarez closed 5 years ago

ulisescarreonalvarez commented 5 years ago

I have a Laravel Lumen API; we are making some login requests and we wanna validate the signature of the token.

Actually we have our .env like this:

APP_ENV=local
APP_DEBUG=true
APP_KEY=base64:AdA23VBkVMHBkxTzGCyphNbvqsG1Jh9XENi4PQuFusM=
APP_TIMEZONE=UTC

LOG_CHANNEL=stack
LOG_SLACK_WEBHOOK_URL=

DB_CONNECTION=mysql
DB_HOST=127.0.0.1
DB_PORT=3306
DB_DATABASE=narval_tenant
DB_USERNAME=root
DB_PASSWORD=realhost

CACHE_DRIVER=file
QUEUE_DRIVER=sync

JWT_SECRET=TQquewiCV0znRVZMN2JTmA0ukNNpXV4z
JWT_TTL=3600

And our request sends us the token. Actually the token looks like:

{
  "iss": "URL",
  "iat": 1549845482,
  "exp": 1550061482,
  "nbf": 1549845482,
  "jti": "7hFYZByFFKAHH40R",
  "sub": 1,
  "prv": "87e0af1ef9fd15812fdec97153a14e0b047546aa",
  "email": "MAIL"
}

If we verify the token and the signature on JWT.io we get "Signature verified"

But on React when we verify with:

import jwt_decode from "jwt-decode";
import * as jwt from "jsonwebtoken";

try {
  console.log(nextProps.token);
  // verify() checks the signature and the exp/nbf claims; it throws on failure.
  const decoded = jwt.verify(nextProps.token, "TQquewiCV0znRVZMN2JTmA0ukNNpXV4z");
  localStorage.setItem("token", nextProps.token);
  this.props.history.push("/headquarters");
} catch (e) {
  console.log(e.message);
  this.setState({ isLoading: false });
  let myColor = { background: "#f44242", text: "#FFFFFF" };
  notify.show("Error en inicio de sesión", "custom", 5000, myColor);
}

We get this message: "jwt not active". On the documentation it says:

NotBeforeError

Thrown if current time is before the nbf claim.

Error object:
    date: Date 2019-02-11T00:38:02.000Z
    message: "jwt not active"
    name: "NotBeforeError"
    stack: ""

What am I missing? Is JWT Node checking the claims with another date?

ziluvatar commented 5 years ago

Try to log the current timestamp when that error happens. If the issuer and the verifier systems are not in clock sync, it might happen that from the verifier's point of view it's still too soon to allow the token to be used.

You could tweak that a bit using the option clockTolerance, or ignoreNotBefore if you want to completely skip the nbf validation claim.
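
The check behind "jwt not active", as an added example that is not part of the thread or of jsonwebtoken's source: a small HS256 verifier written with Node's crypto module that models the library's clockTimestamp, clockTolerance and ignoreNotBefore options. The iat/nbf/exp values are the ones in the issue; the secret and the 30-second verifier lag are constructed.

```javascript
// Added example: HS256 verification with nbf/exp checks, modelling the
// clockTimestamp / clockTolerance / ignoreNotBefore options from the thread.
const crypto = require("crypto");

const b64url = (buf) => Buffer.from(buf).toString("base64url");
const hmac = (data, secret) =>
  crypto.createHmac("sha256", secret).update(data).digest();

function sign(payload, secret) {
  const head = b64url(JSON.stringify({ alg: "HS256", typ: "JWT" }));
  const body = b64url(JSON.stringify(payload));
  return `${head}.${body}.${b64url(hmac(`${head}.${body}`, secret))}`;
}

function verify(token, secret, opts = {}) {
  const [head, body, sig] = token.split(".");
  const expected = hmac(`${head}.${body}`, secret);
  const given = Buffer.from(sig || "", "base64url");
  // The signature is always checked first; tolerance never relaxes it.
  if (given.length !== expected.length || !crypto.timingSafeEqual(given, expected))
    throw new Error("invalid signature");
  const claims = JSON.parse(Buffer.from(body, "base64url").toString());
  const now = opts.clockTimestamp ?? Math.floor(Date.now() / 1000);
  const tol = opts.clockTolerance ?? 0; // seconds of accepted clock skew
  if (!opts.ignoreNotBefore && claims.nbf !== undefined && claims.nbf > now + tol)
    throw new Error("jwt not active");
  if (claims.exp !== undefined && now >= claims.exp + tol)
    throw new Error("jwt expired");
  return claims;
}

// Time claims from the issue; secret and skew are constructed for the demo.
const SECRET = "constructed-demo-secret";
const CLAIMS = { iat: 1549845482, nbf: 1549845482, exp: 1550061482, sub: 1 };
const TOKEN = sign(CLAIMS, SECRET);
const SLOW_CLOCK = CLAIMS.nbf - 30; // verifier runs 30 s behind the issuer

function outcome(opts) {
  try { verify(TOKEN, SECRET, opts); return "ok"; }
  catch (e) { return e.message; }
}

console.log(outcome({ clockTimestamp: SLOW_CLOCK }));
console.log(outcome({ clockTimestamp: SLOW_CLOCK, clockTolerance: 60 }));
console.log(outcome({ clockTimestamp: SLOW_CLOCK, clockTolerance: 10 }));
```

A clockTolerance slightly larger than the expected skew keeps the nbf check in force, whereas ignoreNotBefore removes it altogether.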