I'm new to Node.js and reading Node.js Essentials by Fabian Cook. When trying the code in the authentication (JWT) chapter, I get null from jwt.decode( token ), although the same token can be parsed by the debugger on jwt.io. What's wrong with the code?
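'use strict';

var passport = require( 'passport' );
var LocalStrategy = require( 'passport-local' ).Strategy;
var BearerStrategy = require( 'passport-http-bearer' ).Strategy;
var express = require( 'express' );
var bodyParser = require( 'body-parser' );
var jwt = require( 'jsonwebtoken' );
var crypto = require( 'crypto' );

// In-memory user store keyed by username. Each record gains a per-user `secret`
// the first time a token is issued for it.
// NOTE(review): passwords are stored and compared in plain text; a real store
// would keep a salted hash and compare it in constant time.
var users = {
  zack: { username: 'zack', password: '1234', id: 1 },
  node: { username: 'node', password: '5678', id: 2 },
};

// Looks up a user record by username. Only own properties of `users` count, so
// names inherited from Object.prototype (e.g. 'constructor') never resolve to
// a non-user object; returns null when there is no such user.
var findUser = function ( username ) {
  if ( typeof username !== 'string' || !Object.prototype.hasOwnProperty.call( users, username ) ) {
    return null;
  }
  return users[ username ];
};

// Username/password check for POST /login.
// done( null, false, info ) rejects the login; done( null, user ) accepts it.
var localStrategy = new LocalStrategy( {
  usernameField: 'username',
  passwordField: 'password',
}, function ( username, password, done ) {
  // `var` keeps `user` local: the original assigned an implicit global, which
  // generateToken then read instead of the user it was handed.
  var user = findUser( username );
  if ( user == null ) {
    return done( null, false, { message: 'invalid user' } );
  }
  if ( user.password !== password ) {
    return done( null, false, { message: 'invalid password' } );
  }
  return done( null, user );
} );
passport.use( 'local', localStrategy );

var app = express();
app.use( bodyParser.urlencoded( { extended: false } ) );
app.use( bodyParser.json() );
app.use( passport.initialize() );

// Signs a token for `user` with a per-user secret, generating and storing the
// secret on first use. The original declared ( req, res ) but was called with
// the user object and only worked through the leaked global above.
// NOTE(review): the token carries no expiry claim; passing an expiresIn option
// to jwt.sign would stop an issued token from staying valid indefinitely.
var generateToken = function ( user ) {
  var payload = { id: user.id, username: user.username };
  var secret = user.secret || crypto.randomBytes( 128 ).toString( 'base64' );
  var token = jwt.sign( payload, secret );
  user.secret = secret;
  return token;
};

// Runs after the local strategy succeeded; req.user is the authenticated record.
var generateTokenHandler = function ( req, res ) {
  var token = generateToken( req.user );
  res.send( token );
};
app.post( '/login', passport.authenticate( 'local', { session: false } ), generateTokenHandler );

// Bearer-token check. jwt.decode only parses the token (no signature check), so
// it is used here solely to find which user's secret to verify against; the
// decision is made by jwt.verify below. A user who has never logged in has no
// secret yet and is rejected outright.
var verifyToken = function ( token, done ) {
  var payload = jwt.decode( token );
  if ( payload == null || typeof payload !== 'object' ) {
    return done( null, false );
  }
  var user = findUser( payload.username );
  if ( user == null || user.secret == null || user.id !== payload.id || user.username !== payload.username ) {
    return done( null, false );
  }
  // Pin the accepted algorithm to the one jwt.sign used above, so a token whose
  // header names a different algorithm cannot be checked against this secret.
  jwt.verify( token, user.secret, { algorithms: [ 'HS256' ] }, function ( error, decoded ) {
    // An invalid or tampered token is an authentication failure (401), not a
    // server error: the original passed `error` to done, which surfaces as 500.
    if ( error || decoded == null ) {
      return done( null, false );
    }
    return done( null, user );
  } );
};
var bearerStrategy = new BearerStrategy( verifyToken );
passport.use( 'bearer', bearerStrategy );

app.get( '/userinfo', passport.authenticate( 'bearer', { session: false } ), function ( req, res ) {
  // The original read `request.user`; `request` is not defined in this handler.
  var user = req.user;
  res.send( { id: user.id, username: user.username } );
} );

app.listen( 3000, function () {
  console.log( 'listening on 3000' );
} );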
Here is the token I got from the code, F.Y.I.:
eyj0exaioijkv1qilcjhbgcioijiuzi1nij9.eyjpzci6mswidxnlcm5hbwuioij6ywnriiwiawf0ijoxndu5mdazmtyxfq.rhqox0icrvivncwwlnsu5kiznplqtkpveqfcuxtii90~
I believe the issue is that, when using jwt.decode while having a secret key, you need to pass the option `complete: true` in the decode call:
From the jwt docs:
// Decode the payload only, ignoring the signature; no secretOrPrivateKey is needed.
var decoded = jwt.decode( token );

// Decode both the payload and the header.
var decoded = jwt.decode( token, { complete: true } );
console.log( decoded.header );
console.log( decoded.payload );
https://github.com/auth0/node-jsonwebtoken
Apparently it might be best to use jwt.verify here:
Warning: this does not verify whether the signature is valid. You should not use it for untrusted messages; you most likely want to use jwt.verify instead.