riverrun / openmaize

No longer maintained - was an Authentication library for Plug-based applications in Elixir

Token not valid #33

Closed jandillmann closed 8 years ago

jandillmann commented 8 years ago

I'm trying to use Openmaize 0.17 for building an Elixir API, and got my session controller set up with plug Openmaize.Login, [storage: nil, unique_id: :email] when action in [:create]. This correctly returns an access_token when logging in with a valid email and password.

If I try to use this token for subsequent requests to routes piped through plug Openmaize.Authenticate in an Authorization header formatted as Bearer <token>, I get a 401 Unauthorized, and further research shows that Openmaize.JWT.Verify.check_sign fails.

Creating and verifying a token in iex -S mix works perfectly. Is there something else to configure when using Openmaize.Login to create a token?

riverrun commented 8 years ago

Are you stopping and starting the server? I ask this because each time Openmaize is started, it generates a new secret key (which is then rotated after a certain number of days - the default being 28 days). This means the check_sign is using the wrong secret key, and so it fails. I have been looking into writing the secret keys to disk, which could solve this problem, but I want to make sure that I'm doing so safely.

jandillmann commented 8 years ago

I saw that in the source code, but no, I didn't restart the server between requests.

riverrun commented 8 years ago

Could you add the following lines to the check_sign function (just before the if statement) in deps/openmaize/lib/openmaize/jwt/verify.ex, and then run mix deps.compile openmaize:

sign |> IO.inspect |> urldec64 |> IO.inspect
get_mac(enc_header <> "." <> enc_payload, alg, kid) |> IO.inspect

Then let me know the output when it fails.
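
The failure mode riverrun describes earlier in the thread (a token signed under one boot's in-memory secret and checked against another's) and the signature-versus-recomputed-MAC comparison that the debug lines print, as an added Elixir example; it is not Openmaize code. The KeyringDemo module, its function names, the HS512 algorithm and the reuse of kid "1" after a restart are assumptions, and :crypto.hash_equals/2 needs OTP 25 or later.

```elixir
# Added example, not Openmaize code; module and function names are hypothetical.
defmodule KeyringDemo do
  # Each "boot" builds a keyring: key id (kid) => fresh random secret held in memory.
  def new_keyring(kid), do: %{kid => :crypto.strong_rand_bytes(64)}

  def sign(keyring, kid, payload) do
    data = enc(~s({"alg":"HS512","kid":"#{kid}"})) <> "." <> enc(payload)
    data <> "." <> enc(mac(data, Map.fetch!(keyring, kid)))
  end

  # Recompute the MAC over header.payload and compare it with the token's signature.
  def verify(keyring, token) do
    with [h, p, s] <- String.split(token, "."),
         {:ok, header} <- Base.url_decode64(h, padding: false),
         {:ok, sig} <- Base.url_decode64(s, padding: false),
         # Regex keeps the demo dependency-free; real code should parse the JSON.
         [_, kid] <- Regex.run(~r/"kid":"([^"]+)"/, header) do
      case Map.fetch(keyring, kid) do
        :error -> {:error, :unknown_kid}
        {:ok, key} -> check(mac(h <> "." <> p, key), sig)
      end
    else
      _ -> {:error, :malformed}
    end
  end

  # Constant-time comparison; hash_equals/2 needs equal-sized binaries.
  defp check(expected, sig) do
    if byte_size(expected) == byte_size(sig) and :crypto.hash_equals(expected, sig),
      do: :ok,
      else: {:error, :bad_signature}
  end

  defp mac(data, key), do: :crypto.mac(:hmac, :sha512, key, data)
  defp enc(bin), do: Base.url_encode64(bin, padding: false)
end

# Constructed sample data.
boot1 = KeyringDemo.new_keyring("1")
token = KeyringDemo.sign(boot1, "1", ~s({"email":"user@example.com"}))
IO.inspect(KeyringDemo.verify(boot1, token), label: "same boot")

# Assumption: the restarted node reuses kid "1" with a newly generated secret.
boot2 = KeyringDemo.new_keyring("1")
IO.inspect(KeyringDemo.verify(boot2, token), label: "after restart")

# A keyring that no longer holds the token's kid (for example after rotation).
IO.inspect(KeyringDemo.verify(KeyringDemo.new_keyring("2"), token), label: "kid rotated out")
```

Returning a distinct error for a missing key id and for a MAC mismatch, as this sketch does, tells an operator whether a 401 came from a key that is gone or from a key that differs from the one that signed the token.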

jandillmann commented 8 years ago

Sorry, after I was stuck I threw it all out and did it again from the beginning. Now I can't get it to "not work" again… Probably was something in my code. But thanks for your help!

riverrun commented 8 years ago

Glad to hear you got it fixed :) If you have any further issues, just let me know.