Hi,

I've got everything working and my application is successfully reading tokens. A passing curiosity however is when I use the following:

app.use(expressJwt({secret : 'secret'}).unless({ path : ['/user/auth']}));

And afterwards have an error handler like this:

app.use(function (err, req, res, next) {
    console.log(err);
});

UnathorizedError is always being thrown.

I did a little digging around in the source and it looks like two calls are being made in succession to middleware. The first is successful and the token is found but subsequently another is made and the 'token' variable never gets set.

Is this a rookie mistake I'm making within my express app? I think that's likely but it'd be good to get some clarity on this for myself and anyone else working with this awesome library.

Note: I'm using Express 4.x - Only happens on Chrome.

Hi i followed the example here : http://blog.auth0.com/2014/01/07/angularjs-authentication-with-cookies-vs-token/

Everything works great but i got a strange problem and i don't know how to fix it.

The first time i sign() a user token, everything works great , i can access the protected urls etc.

Then if i logout/remove token and then create a new user and create new token for the new user, protected urls becomes not-accessible.

I checked the token sent and returned both in backend and frontend and everything matches, it's just like i can't sign two or more times with different users tokens but same browser.

i get ----> {"error":{"message":"invalid signature","code":"invalid_token","status":401,"inner":{}}}

While Authorization header is ok and token matches (i checked)

I also opened a stackoverflow question if you can help !

thank you a lot!

http://stackoverflow.com/questions/21904382/node-js-jwt-token-and-logic-behind

I see the build is failing and no responses to latest issues. Currently, evaluating JWT libs for node. Thank you.

As per your documentation, In the secret callback function I will throw errors. I'm listening for an 'UnauthorizedError' in my middle ware to catch it (also per your documentation). The code on line 100 (index.js) doesn't hijack the error and make it an UnauthorizedError neither does it continue with validation. This allows unauthorized usage.

suggested change:

100: if (err) { return next(err); }

to

100:if(err) { return next(new UnauthorizedError(err))}

I've been trying to use your angular-jwt module with the express-jwt module to refresh expired tokens. However, the documentation for these two modules does not seem to match up or explain how they work with each other.

I've created an express route /api/auth/refresh where I am attempting to issue a new refreshed token, and I am calling this route from the 'delegated endpoint' feature of angular-jwt. But the following code throws a 'token expired' error and I'm therefore unable to continue and issue the refreshed token:

  // verify the existing token
  var profile = jwt.verify(req.body.token, secret);

I'm reporting this as an issue since the documentation (for both modules) should really explain how they are meant to interoperate, and the documentation here could cover how the refresh is intended to be implemented in Express.

Hi,

I'm in doubt if I have to implement a refresh-token feature in my app or if everytime a request is done and it's verified by JWT it does postpone the expiration.

Hi,
the following is the simple usage example of the documentation:

app.get('/protected',
  jwt({secret: 'shhhhhhared-secret'}),
  function(req, res) {
    if (!req.user.admin) return res.send(401);
    res.send(200);
  });

Of course we can use the module also as a global middleware:

app.use(jwt({ secret: 'shhhhhhared-secret'}).unless({path: ['/token']}));

Why not having the ability to do something like this:

app.use(jwt({ secret: 'shhhhhhared-secret'}, 
    function(req, res, next){
        // Access req.user and implement more fine-grained authorization
    }
).unless({path: ['/token']}));

or

app.use(jwt({ secret: 'shhhhhhared-secret'})
    .unless({path: ['/token']}))
    .after(function(req, res, next){
        // Access req.user and implement more fine-grained authorization
    }));

Thanks,
Great job!

Stevie

After all, the token payload itself may contain user information that we may want to put directly on req.user.

I have an endpoint like this: /api/v1/auth/confirm-email/:secretId and I have the token middleware set on the /api prefix. I would like to be able to set my skip to this: ['/api/v1/auth/confirm-email/*'] or something like that. How do you think this would be best implemented?

Hi,

express-jwt protected path returns 401 when access with invalid token or an expired one, is there a way to know the 401 was returned due to an expired token so that the app can simply log out the user? Thanks,
A.C.

Is there anyway you can verify the JWT when its received in the request query? Because currently i am using image urls and can't pass the token in the headers?

Hello,

sorry, I don't know how to contact you in another way than creating an issue, I have a question :

Do exists a project proposing a JAVA implementation of jwt ?

Thank you in advance for your response.

How can I check to make sure if user's jwt token contains certain scopes?

For example, if the user's JWT contains

{ iss: 'http://myapp.iu.edu/auth',
  exp: 1451426441.837,
  iat: 1435874441.837,
  scopes: { common: [ 'do123', 'do456', 'do789' ] },
  sub: '5595b489131dad691a58703d' }

Then, on the server side, I want to make sure that user is authorized for certain tokens by doing something like

router.get('/profile', jwt({secret: publicKey, scopes: {common: 'do123'}}), function(req, res, next) {
    //do 123
});

The README says express-jwt checks for audience, and issuer, but doesn't say anything about scope (and above code doesn't work.. it let user access without any scopes). Is there anyway express-jwt can check for scopes? Or if it's not express-jwt's responsibility, is there a module that does?

0.3.0 has bug fix implemented here

Can't seem to set token expiration anymore...was this removed? Appears to default to 60 minutes?

According to this comment by @jfromaniello the "UnauthorizedError" could be customized by adding the following middleware:

app.use(function (err, req, res, next) {
  if (err.name === 'UnauthorizedError') { 
    res.send(401, 'invalid token...');
  }
});

Unfortunately the error handler above isn't triggered and therefore the response can't be customized.

Version 0.3.2 of express-jwt and version 4.9.0 of Express.js were used for testing this.

Express-JWT seems to not properly check the expiration time. Although the token is already expired and I checked it manually in the console, I still have access to the restricted endpoints.

Generating a token:

app.get('/authTest', function (req, res){
    genUuid = uuid.v4();
    token = jwt.sign({uuid: genUuid}, privateKey, {algorithm: 'RS256', expiresInMinutes: 5});
    res.json({token:token});
});

Router middleware to check the token:

router.use(expressJwt({secret: publicKey}));

Hi Team!

Thanks for the middleware!

Can we build in the option to have checks against multiple issuers? It may look something like this:

jwt({ secret: 'shhhhhhared-secret',
  audience: 'http://myapi/protected',
  issuer: ['http://issuer1', 'http://issuer2'] })

I looked into express-jwt's index.js and noticed that it all boils down to the use of jwt.verify() from jsonwebtoken.

Someone actually asked how to do this in the JWT-issues. Ultimately, the suggestion is to decode, then check against options:

var expected_issuers = ['issuer1', 'issuer2'];
var decoded = jwt.verify(token, 'secret');
if (expected_issuers.indexOf(decoded.iss) === -1) {
  console.log('unexpected issuer for token');
}

Is this something that we could support? I'd be happy to contribute.

Adam

In the revoke section says:

For example, if the (iss, jti) claim pair is used to identify a JWT:

In auth0/node-jsonwebtoken#36 it says:

...tokens return by Auth0 currently (we are thinking abut adding it in the future) don't return a jti...

Also, in the code sample this are lines are shown but they don't seem to point to any code/library that supports them.

var data = require('./data');
...
data.getRevokedToken(issuer, tokenId, function(err, token){

So, revoke functionality needs to be implemented pretty much from scratch, right?

When authenticated before jwt with basic http auth on another url which is not jwt authenticated browser remembers Authorization header, what is malformed for jwt.
This way the parsed jwt token becomes undefined. Maybe setting it to an empty string by default can help.

Hello, sorry is it possible to know where JWT is actually storing the user token?

When a old token expires it gets automatically deleted (from where its stored) right?

THanks and sorry cause i'm lazy , for sure, but i tryed finding out where tokens are stored without any results :(

I have a use case where I do not want to requireCredentials but I still want to populate request.user if given a valid credential.

Currently, even if verify fails, the express-jwt request handler still sets request.user.
https://github.com/auth0/express-jwt/blob/master/lib/index.js#L104

When we can get https://www.npmjs.org/package/express-jwt updated to 0.5.0?

Hello, I'd like to be able to pass the token in the querystring but also try the headers if the first doesn't succeed. Currently you would have to rewrite the entire code which extracts the token from the headers, what about making this the default behavior, say, if the custom getToken function returns a falsy value?

Hey,

This unless works on macOs .unless({path: [/\/users\/\w*\/email/i]}), but doesn't on Heroku. (used to let /users/:userid/email)

Is there anything I'm missing?

Thanks,
Philmod

I have express app with a simple express-jwt implementation. Everything functions fine, however the console shows UnauthorizedError: No Authorization header was found when accessing url paths that are in the .unless(path[..]) array. The response is 200 OK which is what I want, however I think it's really misleading to show UnauthorizedError on the console. Can we please update express-jwt to suppress this message if the path is defined in unless.

I can get around this by creating my own error handler (see below), but I believe I shouldn't have to do this

app.use(function (err, req, res, next) {
    if (err.name === 'UnauthorizedError') {
        res.send(401, 'invalid token...');
    }
});

The package.json file and the bower version of express-jwt are using jsonwebtokens version 4.2.2. According to the auth0 blog there is a vulnerability in this version and it should use v5.0.0 instead.

How does one go about using the .unless function passing a path array while also specifying http methods?

I want restrict POST requests to certain routes but not GET requests.

This issue is fixed with #61.

Please see all details in the pull request. Following the tutorial leads to this issue, meaning anyone walking through the Auth0 will struggle to get their express server working.

I use Authorization HTTP header for basic authentication mainly. Wouldn't be better to use x-access-token HTTP header to share JWT token?

Even if possible to do:

app.use(jwt({
  secret: ’shhhhht',
  getToken: function(req) {
    if (req.headers && req.headers['x-access-token']) {
      return req.headers['x-access-token'];
    }
    return null;
  }
}));

I love this repository and I'm trying to use it in a Sails project.

Express middleware in sails as known as policies and internally sails use express 3.x.

Simply you can define a policies and decide what route request pass for each policies (if is necessary).

The interface for create the policy is the same to create a middleware:

module.exports = function(req, res, next) {
 // do something
};

I want to validate the header token with express-jwt and later do a custom action in the policy (for example, search the user and expose in req.user) I'm not sure how to concatenate the middlewares to get in the more external middleware the callback of the express-jwt.

Just something like this:

var options = {secret: 'seeeecret!'};
var expressjwt = require('express-jwt')({options});

module.exports = function(req, res, next) {
  expressjwt(req, res, function(token){
    // Now I have the token
    // do something
    next();
  });
};

Do you think that is possible?

Hi,
got this :app.use('/api', expressJwt({secret: '123'}).unless({path:['/get_price']}));
api is protected, but api/get_price allows un protected access, I did a test, but still get 401:

curl -i -k https://localhost:3000/api/get_price/01
HTTP/1.1 401 Unauthorized
X-Powered-By: Express
Content-Type: text/html; charset=utf-8
Content-Length: 77
ETag: W/"4d-118870433"
Date: Sun, 31 Aug 2014 11:15:49 GMT
Connection: keep-alive

<h1>No Authorization header was found</h1>
<h2>401</h2>
<pre>undefined</pre>

why?

Am following your example https://auth0.com/blog/2014/01/07/angularjs-authentication-with-cookies-vs-token/!
but this line keeps on giving an error

Error: secret should be set
app.use(expressJwt('/api',{secret: 'my secret'}));

Code:

jwt = require('express-jwt'),
var token = jwt.sign( { id: user._id }, secret.secretToken, { expireInMinutes: tokenManager.TOKEN_EXPIRATION } )

Error:

        var token = jwt.sign( { id: user._id }, secret.secretToken, { expireInMinut
                        ^
TypeError: undefined is not a function

I'm not sure if this is intentional or not, but with the merge of pull request 68189c1 you have to specify the option credentialsRequired: true for the middleware to work, otherwise it will skip validation of the jwt.

If this is expected behaviour if would be good if the readme was updated since it took me a while before I figured out why the middleware wasn't throwing an error as I expected.

app.use(jwt({ secret: 'shhhhhhared-secret'}).unless({path: [''/jobs/:category/:company/:title/:id'']}));

Requests made with no token are still being getting a 200 response. What gives?

app.use(expressJwt({
    secret: secret,
    getToken: function fromHeaderOrQuerystring (req) {
        if (req.headers.authorization && req.headers.authorization.split(' ')[0] === 'Bearer') {
            return req.headers.authorization.split(' ')[1   ];
        } else if (req.query && req.query.token) {
            return req.query.token;
        }
        return null;
    }
}).unless({path: ['/authentication']}));

app.get('/route/protected', function(req, res) {
    res.json({ route: 'should be restricted if no tokens found'});
});

I'm in a situation where I need to access req.user without the authorization header being set.
Let's say a user directly go to this path: /test (for example after a callback)
I need to be able to authenticate the user in the route:

app.route('/test')
  .get(function (req, res) {
    // No authorization header, no req.user :(
  });

What I'm doing at the moment is manually set the header by reading the token from a cookie like this:

function setHeader(req, res, next) {
  if(req.cookies && req.cookies.hasOwnProperty('token')) {
    // Copy the token without the quotes
    req.headers.authorization = 'Bearer ' + req.cookies.token.slice(1, req.cookies.token.length -1);
  }
  next();
}

Is there a better solution or am I doing something wrong?

right now, the jwt middleware will skip all routes in the array passed to jwt().unless(). As far as I can tell, that's irrespective of verb. But there are many cases where you want to secure all routes except for some of the GET routes. For example, you might want to allow anonymous users to read a given document (e.g. GET /articles/:id) but you would not want them to edit or delete that same article (PUT /articles/:id).

Recommend either taking an object into .unless() like so:

jwt({secret: 'keyboard cat'}).unless({ get: ['/articles', '/articles/:id']});

or else parsing the string version from your array, eg:

jwt({secret: 'keyboard cat'}).unless(['GET /articles', 'GET /articles/:id']);

I want to use Passport for it's social strategies, and I want to use express-jwt for email/password JWT authentication, but I have not been able to find any examples of integrating the two. Is there a way to integrate the two? Or is it completely absurd to use them both?

As the decoded object is the entire payload, would it make sense to assign this to req.payload and let the app finds the user itself and then assigns it to req.user?
I know we can also do jwt({ secret: 'shhhhh', requestProperty: 'payload' });.

I can't seem to do app.use('/api', expressJwt({secret: secret}).unless({path: ['/api/public/*']}));

It seems like I should be able to, but it is not working. I have to specify each individual public route.

When subapp is being used like so:

// main.js
var main = express();
var api = require('./api');
main.use('/v1', api);

// api.js
var api = express();
api.use(jwt({...}).unless({path:['/auth/login']});

module.exports = api;

It won't work as long as you prefix auth/login with v1 which makes the whole idea of subapping a bit pointless. As long as it is a middleware, it should be able to take profit from mountpath to prepend the routes, shouldn't it?

Seems very much out of scope to me. While it's nice to show how you can achieve this, it shouldn't be a dependency of express-jwt. Developers can install express-unless separately if they want it. For everyone else, it's just unnecessary additional files.

Maybe worth consideration to remove it for v3?

req.user set with user that taken from the jwt that is out of date when user get updated in the db,
this should be fixed

The server sends a 401 response without a WWW-Authenticate header field. This does not appear to be compliant with http://www.w3.org/Protocols/rfc2616/rfc2616-sec10.html#sec10.4.2:

The response MUST include a WWW-Authenticate header field (section 14.47) containing a challenge applicable to the requested resource

This makes things challenging for Android volley users:
https://stackoverflow.com/questions/17121213/java-io-ioexception-no-authentication-challenges-found

Fixed in auth0/node-jsonwebtoken#13

IMPORTANT: update to latest version [email protected] and [email protected]

It'd be nice to track api changes.

I should add that the semver now states:

Major version zero (0.y.z) is for initial development. Anything may change at any time. The public API should not be considered stable.

So you should get to 1.0.0 to be compliant ;).

I'm looking for a method of using asymmetric encryption with JWT. From what I can see, the auth0 libraries don't seem to support setting an encryption type. Is this possible?