mikenicholson / passport-jwt

Passport authentication using JSON Web Tokens
MIT License

I'm always unauthorized. #233

Open jovi-tsx opened 2 years ago

jovi-tsx commented 2 years ago

Why are my routes always getting unauthorized?

This is where I'm setting my JWT token:

authRouter.get('/callback', passport.authenticate('google', {
  failureRedirect: '/',
  session: false
}), (req, res) => {
  const user = {
    display_name: req.user.displayName,
    email: req.user._json.email,
    provider: req.user.provider
  }

  const token = generateJWT(user)

  res.cookie('x-auth-cookie', token)
  res.redirect('/')
})

This is how I'm generating the token (generateJWT):

const generateJWT = (payload) => {
  return jwt.sign({
    ...payload,
  }, secretOrKey, {
    expiresIn: 2 * 60 * 60
  });
}

This is my JWT Strategy:

passport.use(new JwtStrategy(
  {
    jwtFromRequest: ExtractJwt.fromHeader('x-auth-cookie'),
    secretOrKey,
  },
  (payload, done) => {
    done(null, payload)
  },
))

In my route I'm just using:

passport.authenticate('jwt', { session: false })

My request headers:

GET /secret HTTP/1.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate, br
Accept-Language: pt-BR,pt;q=0.9,en-US;q=0.8,en;q=0.7
Cache-Control: max-age=0
Connection: keep-alive
Cookie: x-auth-cookie=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJkaXNwbGF5X25hbWUiOiJKb8OjbyBab3J6ZXR0aSIsImVtYWlsIjoiam9hby56b3J6ZXR0aUBnbWFpbC5jb20iLCJwcm92aWRlciI6Imdvb2dsZSIsImV4cGlyZXNJbiI6IjFkIiwiaWF0IjoxNjUwNjc3MDU4fQ.voZWZkxNSG7wVp9gbTnuepq6wKnrcbgVUHm6YnevB7U
Host: localhost:4000
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: none
Sec-Fetch-User: ?1
Sec-GPC: 1
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/100.0.4896.127 Safari/537.36

My JWT Strategy doesn't even reach the payload/done callback; I tried to console.log there and got nothing. I tried everything.

jovi-tsx commented 2 years ago

So, I made a few changes:

// jwtStrategy.js
passport.use(new JwtStrategy(
  {
    jwtFromRequest: ExtractJwt.fromAuthHeaderAsBearerToken(),
    secretOrKey,
  },
  (payload, done) => {
    console.log(payload)
    return done(null, payload)
  },
))
// googleAuth.js
authRouter.get('/callback', passport.authenticate('google', {
  failureRedirect: '/',
  session: false
}), (req, res) => {
  const user = {
    display_name: req.user.displayName,
    email: req.user._json.email,
    provider: req.user.provider
  }

  const token = generateJWT(user)

  req.headers.authorization = `Bearer ${token}`
  res.redirect('/')
})

If I try to GET my URL with Postman, passing my bearer token in the header, my page works fine, but in the browser I always get unauthorized, and when I check the dev tools, the Authorization header isn't in my request headers.

Outternet commented 1 year ago

This will not work because your token is not in a header value but in a cookie; you need to use a cookieExtractor for this.

x-auth-cookie is not a header value; Cookie is, but it is not common to use the Cookie header directly.

You are looking for something like this: request.headers.authorization = token; please consult the Express documentation on how to set a header value.