tymondesigns / jwt-auth

🔐 JSON Web Token Authentication for Laravel & Lumen
https://jwt-auth.com
MIT License

Unexpected `Token Signature could not be verified.` randomly happens #1666

Open AmirrezaNasiri opened 6 years ago

AmirrezaNasiri commented 6 years ago

Authentication randomly results in a `401 Token Signature could not be verified.` response

We're working on a project where the back-end is handled by Laravel 5.6 using jwt-auth. On the front-end, we use Vue.js and vue-auth to handle authorization. The issue happens randomly, so I couldn't find a way to trace it. It's explained in the sections below.

My environment

Q A
Bug? maybe
New Feature? no
Framework Laravel
Framework version 5.6.*
Package version 1.0.0-rc.2
PHP version 7.2.6

Here is my .env file (keys will be changed so there is no problem making them public):

APP_NAME=Project  
APP_ENV=local  
APP_KEY=base64:U6I2DVmivEoFa9JGPBFyySz/Umrj+BjZaGiZrsgbRqY=  
JWT_SECRET=JfDLQS8gmEgVNt9SAimY8EcxXmudh0rY  
APP_DEBUG=true  
APP_URL=http://project.online  
LOG_CHANNEL=stack  
CACHE_DRIVER=file  
SESSION_DRIVER=file  
SESSION_LIFETIME=120  
QUEUE_DRIVER=database  

Here is my jwt.php config file:

<?php
return [
    'secret' => env('JWT_SECRET', 'changeme'),
    'ttl' => 60,
    'refresh_ttl' => 20160,
    'algo' => 'HS256',
    'user' => 'App\User',
    'identifier' => 'id',
    'required_claims' => ['iss', 'iat', 'exp', 'nbf', 'sub', 'jti'],
    'blacklist_enabled' => env('JWT_BLACKLIST_ENABLED', true),
    'providers' => [
        'user' => 'Tymon\JWTAuth\Providers\User\EloquentUserAdapter',
        'jwt' => 'Tymon\JWTAuth\Providers\JWT\Namshi',
        'auth' => 'Tymon\JWTAuth\Providers\Auth\Illuminate',
        'storage' => 'Tymon\JWTAuth\Providers\Storage\Illuminate'
    ],
];

Steps to reproduce

The issue is unexpected and occurs randomly and I couldn't find a way to reproduce it manually.

Expected behaviour

The token must be verified just like in previous requests. Everything related to authentication is the same as in other requests.

Actual behaviour

Look at the request stack below:

[screenshot of the request stack: the `paginate` request returns 200, the following `last_week` request returns 401]

The request starting with `paginate` has been accepted correctly, but the next request starting with `last_week` has been blocked by a 401 response saying `Token Signature could not be verified.` Here are the request and response for each:

Request which was verified correctly

Request headers:

GET /api/link/paginate?get_stats=1&get_campaign=1&page=1&archive=false&sort_by=created_at&sort_direction=desc HTTP/1.1
Host: project.online:3000
Connection: keep-alive
Authorization: Bearer eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJpc3MiOiJodHRwOi8vc21vbGkub25saW5lL2FwaS9hdXRoL3JlZnJlc2giLCJpYXQiOjE1MzcwODM2MzMsImV4cCI6MTUzNzA4NzY0MCwibmJmIjoxNTM3MDg0MDQwLCJqdGkiOiJuSzNEVU1Cc1I1TjlPakN0Iiwic3ViIjoxLCJwcnYiOiI4N2UwYWYxZWY5ZmQxNTgxMmZkZWM5NzE1M2ExNGUwYjA0NzU0NmFhIn0.zoKfw8Rmhgu2qldJTd-8BXXofAGr_gIdeiFzZJ6Wflw
X-XSRF-TOKEN: eyJpdiI6Ik9selN2SmZjSjNaMDFHeWNnbVY5M2c9PSIsInZhbHVlIjoiOU1hZzFGTm1lSHpnQ3JJVkY0TEpKNUlURWxZMlpHRUdYNXoybTY1cnpvak1XYjBuemwzWU1xUzRTUHBwaGRVMThQNzUzWkxUNmZ3WStodUZFVHQ5aUE9PSIsIm1hYyI6ImM2NWYyY2E0MTIyODdjYTMwZDE3MTQwYWNlMWIxZWI1OTJlNjVjMjYyZDk1ZGRlNWY0OTJhMzE0ZDcwZjk1ZjMifQ==
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/69.0.3497.92 Safari/537.36
Accept: */*
Referer: http://project.online:3000/panel
Accept-Encoding: gzip, deflate
Accept-Language: en-GB,en-US;q=0.9,en;q=0.8
Cookie: rememberMe=true; XSRF-TOKEN=eyJpdiI6Ik9selN2SmZjSjNaMDFHeWNnbVY5M2c9PSIsInZhbHVlIjoiOU1hZzFGTm1lSHpnQ3JJVkY0TEpKNUlURWxZMlpHRUdYNXoybTY1cnpvak1XYjBuemwzWU1xUzRTUHBwaGRVMThQNzUzWkxUNmZ3WStodUZFVHQ5aUE9PSIsIm1hYyI6ImM2NWYyY2E0MTIyODdjYTMwZDE3MTQwYWNlMWIxZWI1OTJlNjVjMjYyZDk1ZGRlNWY0OTJhMzE0ZDcwZjk1ZjMifQ%3D%3D; project_session=eyJpdiI6IlRSOU02OGltNVNnMUZmdTFqUGhIRmc9PSIsInZhbHVlIjoiVldrbStoeG1KSkx5UVpHbTM4eXRIVkZSUDhia000V3ZEZG94RllxcERLRHVtYzJMZSt1WnZxR0xVZ2FzU0lBZzE3aW1lOUVlcjYzTHk0M085M204d0E9PSIsIm1hYyI6IjEwNjdhYjgyOGE4NjljMTE5N2IxOWE3MzQ1MDg1ZGQ4ZTNhMDNkNTM1NzA2ZGYxYzBlYThmYWIzY2NkZGE0MjkifQ%3D%3D; io=cNhmY3NUT5n_H5NbAAD5

Response headers:

HTTP/1.1 200 OK
access-control-allow-origin: *
access-control-allow-methods: GET, POST, PUT, DELETE, OPTIONS
access-control-allow-headers: Content-Type, Authorizations
Access-Control-Allow-Credentials: true
date: Sun, 16 Sep 2018 08:08:55 GMT
server: Apache/2.4.33 (Win32) OpenSSL/1.1.0h PHP/7.2.6
vary: Authorization
x-powered-by: PHP/7.2.6
cache-control: no-cache, private
x-ratelimit-limit: 120
x-ratelimit-remaining: 113
content-length: 319
connection: close
content-type: application/json

Response body:

{"current_page":1,"data":[],"first_page_url":"http:\/\/project.online\/api\/link\/paginate?page=1","from":null,"last_page":1,"last_page_url":"http:\/\/project.online\/api\/link\/paginate?page=1","next_page_url":null,"path":"http:\/\/project.online\/api\/link\/paginate","per_page":10,"prev_page_url":null,"to":null,"total":0}

Request which could not be verified

Request headers:

GET /api/stats/last_week?links_created=1&links_views=1&links_conversations=1&links_conversation_rate=1&facebook_source=1&twitter_source=1&linkedin_source=1&google_plus_source=1 HTTP/1.1
Host: project.online:3000
Connection: keep-alive
Authorization: Bearer eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJpc3MiOiJodHRwOi8vc21vbGkub25saW5lL2FwaS9hdXRoL3JlZnJlc2giLCJpYXQiOjE1MzcwODM2MzMsImV4cCI6MTUzNzA4NzY0MCwibmJmIjoxNTM3MDg0MDQwLCJqdGkiOiJuSzNEVU1Cc1I1TjlPakN0Iiwic3ViIjoxLCJwcnYiOiI4N2UwYWYxZWY5ZmQxNTgxMmZkZWM5NzE1M2ExNGUwYjA0NzU0NmFhIn0.zoKfw8Rmhgu2qldJTd-8BXXofAGr_gIdeiFzZJ6Wflw
X-XSRF-TOKEN: eyJpdiI6Ik9selN2SmZjSjNaMDFHeWNnbVY5M2c9PSIsInZhbHVlIjoiOU1hZzFGTm1lSHpnQ3JJVkY0TEpKNUlURWxZMlpHRUdYNXoybTY1cnpvak1XYjBuemwzWU1xUzRTUHBwaGRVMThQNzUzWkxUNmZ3WStodUZFVHQ5aUE9PSIsIm1hYyI6ImM2NWYyY2E0MTIyODdjYTMwZDE3MTQwYWNlMWIxZWI1OTJlNjVjMjYyZDk1ZGRlNWY0OTJhMzE0ZDcwZjk1ZjMifQ==
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/69.0.3497.92 Safari/537.36
Accept: */*
Referer: http://project.online:3000/panel
Accept-Encoding: gzip, deflate
Accept-Language: en-GB,en-US;q=0.9,en;q=0.8
Cookie: rememberMe=true; XSRF-TOKEN=eyJpdiI6Ik9selN2SmZjSjNaMDFHeWNnbVY5M2c9PSIsInZhbHVlIjoiOU1hZzFGTm1lSHpnQ3JJVkY0TEpKNUlURWxZMlpHRUdYNXoybTY1cnpvak1XYjBuemwzWU1xUzRTUHBwaGRVMThQNzUzWkxUNmZ3WStodUZFVHQ5aUE9PSIsIm1hYyI6ImM2NWYyY2E0MTIyODdjYTMwZDE3MTQwYWNlMWIxZWI1OTJlNjVjMjYyZDk1ZGRlNWY0OTJhMzE0ZDcwZjk1ZjMifQ%3D%3D; project_session=eyJpdiI6IlRSOU02OGltNVNnMUZmdTFqUGhIRmc9PSIsInZhbHVlIjoiVldrbStoeG1KSkx5UVpHbTM4eXRIVkZSUDhia000V3ZEZG94RllxcERLRHVtYzJMZSt1WnZxR0xVZ2FzU0lBZzE3aW1lOUVlcjYzTHk0M085M204d0E9PSIsIm1hYyI6IjEwNjdhYjgyOGE4NjljMTE5N2IxOWE3MzQ1MDg1ZGQ4ZTNhMDNkNTM1NzA2ZGYxYzBlYThmYWIzY2NkZGE0MjkifQ%3D%3D; io=cNhmY3NUT5n_H5NbAAD5

Response headers:

HTTP/1.1 401 Unauthorized
access-control-allow-origin: *
access-control-allow-methods: GET, POST, PUT, DELETE, OPTIONS
access-control-allow-headers: Content-Type, Authorizations
Access-Control-Allow-Credentials: true
date: Sun, 16 Sep 2018 08:08:55 GMT
server: Apache/2.4.33 (Win32) OpenSSL/1.1.0h PHP/7.2.6
vary: Authorization
x-powered-by: PHP/7.2.6
www-authenticate: jwt-auth
cache-control: no-cache, private
x-ratelimit-limit: 120
x-ratelimit-remaining: 119
content-length: 59
connection: close
content-type: application/json

Response body:

{
    "message": "Token Signature could not be verified."
}

As you can see, there is no difference between the Authorization headers, no token was refreshed, and there is no new token in the verified response. Also, I think there is no problem with JWT_SECRET, since the token is correctly validated most of the time. There is no problem in the caching system. Note that the requests are verified somewhat randomly, so next time these requests may get verified and others not. If there is anything that could help make the problem clearer, please let me know.
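HS256 verification is deterministic: the same token bytes checked against the same secret always give the same answer, so an intermittent failure on an identical Authorization header means the failing request was checked against a different secret (or a different copy of the token) than the succeeding ones. The offline checker below is an added example, not code from the issue or from jwt-auth; it decodes the token posted above, verifies it against a list of candidate secrets (the `JWT_SECRET` and the `changeme` default from the posted config are assumptions for the demonstration; the secret the token was actually signed with is not known here), and checks the time claims against the request time from the `date` response header. It also shows, on a freshly signed token, that a wrong secret, a tampered payload and an `alg: none` header all fail.

```python
"""Offline HS256 JWT checker for debugging 'Token Signature could not be
verified'.  Added example, not part of jwt-auth.  The token is the one from
the issue; the candidate secrets are assumptions copied from the posted
config, so the real signing secret may not be among them."""
import base64
import hashlib
import hmac
import json

# Bearer token copied from the issue's Authorization header (both requests
# carry this exact value).
ISSUE_TOKEN = (
    "eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9."
    "eyJpc3MiOiJodHRwOi8vc21vbGkub25saW5lL2FwaS9hdXRoL3JlZnJlc2giLCJpYXQiOjE1"
    "MzcwODM2MzMsImV4cCI6MTUzNzA4NzY0MCwibmJmIjoxNTM3MDg0MDQwLCJqdGkiOiJuSzNE"
    "VU1Cc1I1TjlPakN0Iiwic3ViIjoxLCJwcnYiOiI4N2UwYWYxZWY5ZmQxNTgxMmZkZWM5NzE1"
    "M2ExNGUwYjA0NzU0NmFhIn0."
    "zoKfw8Rmhgu2qldJTd-8BXXofAGr_gIdeiFzZJ6Wflw"
)

# Assumed candidates: the JWT_SECRET from the posted .env and the 'changeme'
# fallback from the posted jwt.php.  A worker that loaded a different .env
# or a cached config would effectively be checking against another entry.
CANDIDATE_SECRETS = ["JfDLQS8gmEgVNt9SAimY8EcxXmudh0rY", "changeme"]

# 'date: Sun, 16 Sep 2018 08:08:55 GMT' from the response headers, as epoch.
REQUEST_TIME = 1537085335


def b64url_decode(s: str) -> bytes:
    # JWT segments drop the '=' padding; restore it before decoding.
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode("ascii")


def split_jwt(token: str):
    """Return (header dict, claims dict, raw segments) without verifying."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected three dot-separated segments")
    header = json.loads(b64url_decode(parts[0]))
    claims = json.loads(b64url_decode(parts[1]))
    return header, claims, parts


def verify_hs256(token: str, secret: str) -> bool:
    """True only if the token is HS256 and its MAC matches `secret`."""
    header, _, parts = split_jwt(token)
    # Pin the algorithm: 'none' or an asymmetric alg must never reach the
    # HMAC path, whatever the header says.
    if header.get("alg") != "HS256":
        return False
    signing_input = f"{parts[0]}.{parts[1]}".encode("ascii")
    expected = hmac.new(secret.encode("utf-8"), signing_input, hashlib.sha256).digest()
    return hmac.compare_digest(expected, b64url_decode(parts[2]))


def find_signing_secret(token: str, candidates):
    """Return the first candidate that verifies the token, or None."""
    for secret in candidates:
        if verify_hs256(token, secret):
            return secret
    return None


def time_claim_problems(claims: dict, now: int, leeway: int = 0):
    """List the iat/nbf/exp violations at time `now` (empty list = fine)."""
    problems = []
    if "iat" in claims and claims["iat"] > now + leeway:
        problems.append("iat in the future")
    if "nbf" in claims and now + leeway < claims["nbf"]:
        problems.append("nbf not yet reached")
    if "exp" in claims and now - leeway >= claims["exp"]:
        problems.append("exp already passed")
    return problems


def sign_hs256(claims: dict, secret: str) -> str:
    """Mint a compact HS256 token the way a server would."""
    header = b64url_encode(json.dumps({"typ": "JWT", "alg": "HS256"}, separators=(",", ":")).encode())
    payload = b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(secret.encode("utf-8"), f"{header}.{payload}".encode("ascii"), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url_encode(sig)}"


if __name__ == "__main__":
    header, claims, _ = split_jwt(ISSUE_TOKEN)
    print("header:", header)
    print("claims:", json.dumps(claims, indent=2))
    print("time-claim problems at request time:", time_claim_problems(claims, REQUEST_TIME))
    print("candidate secret that verifies the token:", find_signing_secret(ISSUE_TOKEN, CANDIDATE_SECRETS))
```

Run it against the token taken from a failing request and the secret the failing worker actually has loaded (for a PHP-FPM or Apache setup, dump `config('jwt.secret')` from the request that returned 401, not from a separate CLI process); if `find_signing_secret` returns the configured secret for every token that was rejected, the secret seen by the rejecting worker was not the one in `.env`. Note that the token's `nbf` is later than its `iat`, which is what a refreshed token looks like (the `iss` claim points at the refresh endpoint).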

larabhdr commented 5 years ago

I have the same issue with version 1 of this package. I use Lumen version 5.7 and PHP version 7.1.

AmirrezaNasiri commented 5 years ago

The issue is still there; however, it's mostly happening in the development environment. In production, I haven't faced it yet. @larabhdr Something to note is that in the development environment, disabling any extra requests, like the requests related to BrowserSync, was useful for reducing how often the problem occurs.

stale[bot] commented 3 years ago

Is this still relevant? If so, what is blocking it? Is there anything you can do to help move it forward?

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs.

UsaMaH11 commented 2 years ago

Facing the same issue. It is working fine in the production env but causing problems while testing it on the local dev env... Have you found any solution or clue on how to proceed with it further?