mikenicholson / passport-jwt

Passport authentication using JSON Web Tokens
MIT License

WWW-Authenticate response header not set in 401 #175

Open snaum opened 5 years ago

snaum commented 5 years ago

According to spec, 401 responses MUST set the WWW-Authenticate header. At the least it should be "Bearer" by default, or an option in config.

mikenicholson commented 5 years ago

I'm sorry, but I can't understand your question/issue. Can you please link to the spec you reference and explain:

snaum commented 5 years ago

Hi themike,

Here's the spec: https://tools.ietf.org/html/rfc7235#section-4.1. If authentication fails and a 401 status is returned, the HTTP response must also include the WWW-Authenticate header. In the case of JWT based authentication, I suppose the header should look something like this: WWW-Authenticate: Bearer realm=""<, optional additional content>

I'm observing that when authentication fails, the returned status is 401, but the WWW-Authenticate header is missing.

Did I just miss some config to enable this?

elainegasca commented 5 years ago

@themikenicholson Why does passport-jwt not return an error exception when the token is expired or has not been set? passport-jwt 4.0.0

9horses commented 5 years ago

WWW-Authenticate would be very helpful. Just had to troubleshoot a 401 case thinking it was an 'exp' issue. Troubleshooting 401 is pretty painful w/o some indication of why it's rejecting the request.

Turned out it's because the fromHeader(header_name) argument has to be lowercase... (Which IMO ought to be at least documented, or just addressed in code so you don't need to do what's illustrated here: https://github.com/themikenicholson/passport-jwt/issues/117#issuecomment-419885262)

natario1 commented 3 years ago

As I see it the issue is that strategy.fail should be passed a string (source: https://github.com/jaredhanson/passport/blob/master/lib/middleware/authenticate.js#L289-L293 ) but it receives a jwt error object instead ( https://github.com/mikenicholson/passport-jwt/blob/master/lib/strategy.js#L106 ).

If it were a string like Bearer, passport would be able to set the header correctly. https://github.com/jaredhanson/passport/blob/master/lib/middleware/authenticate.js#L162-L170
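To make concrete what the thread is asking for, here is an added example (not passport-jwt's or Passport's own code) that builds the RFC 7235 / RFC 6750 `Bearer` challenge a 401 should carry, distinguishing "no token presented" from "token rejected". The error names follow the jsonwebtoken library; the realm value and the header name are constructed samples.

```javascript
// Added example: produce a spec-compliant WWW-Authenticate value for a 401
// from a JWT-protected endpoint. Not part of passport-jwt or Passport.

// RFC 7235 auth-param values are quoted-strings: escape backslash and quote.
function quote(value) {
  return '"' + String(value).replace(/(["\\])/g, '\\$1') + '"';
}

// RFC 6750 section 3: omit the error code when the request carried no token,
// otherwise give error="invalid_token" (or invalid_request) plus a description.
function bearerChallenge({ realm, error, errorDescription } = {}) {
  const params = [];
  if (realm !== undefined) params.push('realm=' + quote(realm));
  if (error) params.push('error=' + quote(error));
  if (errorDescription) params.push('error_description=' + quote(errorDescription));
  return params.length ? 'Bearer ' + params.join(', ') : 'Bearer';
}

// Node lowercases incoming header names in req.headers, which is why a
// mixed-case header name passed to fromHeader() never matches; normalise here.
function tokenFromHeaders(headers, name) {
  const raw = headers[name.toLowerCase()];
  return typeof raw === 'string' && raw.length ? raw : null;
}

// Map a verification failure to the header value. `err` is null when no token
// was presented; otherwise it is the error thrown by jsonwebtoken.verify.
function challengeForFailure(err, realm = 'api') {
  if (!err) return bearerChallenge({ realm });
  switch (err.name) {
    case 'TokenExpiredError':
      return bearerChallenge({ realm, error: 'invalid_token', errorDescription: 'The access token expired' });
    case 'NotBeforeError':
      return bearerChallenge({ realm, error: 'invalid_token', errorDescription: 'The access token is not yet valid' });
    case 'JsonWebTokenError':
      return bearerChallenge({ realm, error: 'invalid_token', errorDescription: 'The access token is malformed or has a bad signature' });
    default:
      return bearerChallenge({ realm, error: 'invalid_request' });
  }
}

// Shape of the 401 a handler should send: status plus the mandatory header.
function unauthorizedResponse(err, realm) {
  return { status: 401, headers: { 'WWW-Authenticate': challengeForFailure(err, realm) } };
}
```

The returned string is exactly what a strategy would hand to `fail()` as its challenge so that the framework, rather than each route, sets the header.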