zachgoll / express-jwt-authentication-starter Goto Github PK

Hi, I am following your tutorial, I got "Unauthorized" response when I attached bearer token on Authorization header.
I tried by clone the "final" branch but got the same result on postman an Angular app. (after npm install, genKeypair)
Console.log(jwt_payload) didn't show anything.
Can anyone help me on this?

Hi I just wanted to highlight something as well as suggest the fix should it be wanted.

In the issueJWT function in your utils.js file, the payload sets the iat key to Date.now(). This isn't correct as it sets iat to milliseconds representation, rather than seconds. It also creates an issue in that the jwt sign function uses expiresIn '1d'. This in turn is not then set correctly, based upon the iat date being issued in the distant future. It does not seem to generate a jwt that has valid iat or exp claims when you check it on jwt.io, and it doesn't expire the jwt's authorizaton as expected the following day.

The solution is to amend the payload to set the iat to seconds as such:

const payload = {
    sub: _id,
    iat: Math.floor(Date.now() / 1000)
  };

This then sets the iat, and more importantly the exp claims correctly so that the jwt correctly expires as checked by passport.

Hope this helps