Ryan Ore

Reputation: 1345

Using express-jwt, why is my authorization header missing when it's clearly there

I am using express-jwt along with jsonwebtoken.

When I try to use jsonwebtoken.verify(), I get this error:

Error: Invalid token: no header in signature 'Bearer eyJ0eXAiOi...reallylongtoken...
... more ...
code: 'MISSING_HEADER'

I can see that the req.headers.authorization token exists because I'm logging it out. So I don't understand why the header is missing if it's clearly there.

Any help appreciated. Here's the gist:
https://gist.github.com/ryanore/914362881d2d9f0878f2

Here's the console.log output for req.headers.authorization

Bearer eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJfaWQiOiI1NDhhMGFkODcwZWZjZmMwM2EwMDAwMDEiLCJjcmVhdGVkQXQiOiIyMDE0LTEyLTExVDIxOjIxOjI4LjI0M1oiLCJmaXJzdE5hbWUiOiIiLCJsYXN0TmFtZSI6IiIsInVzZXJuYW1lIjoicnlhbm9yZSIsInBhc3N3b3JkIjoiJDJhJDEwJFM0YjcyVzIyQS9ubDJxZXV0WUxsUk9SNWhIblhvTGxkT09ud096OTFVNzBvSDVIQXRGZFhTIiwiZW1haWwiOiIiLCJfX3YiOjB9.fiHZ1J7cLXtgurTvqGVP2RcJqpju1zNmXBETWqYKXko

Upvotes: 1

Views: 7341

Answers (3)

Ryan Ore

Reputation: 1345

I had to unaccept @rdegges answer because I jumped the gun a little bit. It was very helpful to discover the debugger, but it was of little actual help in solving my problem.

The answer is actually simple. I was sending the whole Authorization header when I needed to split off the 'Bearer ' part of it. I got the idea from this blog. After removing the 'Bearer ' part it verified fine.

Here's the updated function if it's helpful to anyone else.

var jwt = require('jsonwebtoken');
var config = require('./config'); // assumed: a module exporting { secret: '...' }

// Express route handler; expects "Authorization: Bearer <token>".
exports.verify = function(req, res) {
  var header = req.headers.authorization || ''; // guard: header may be absent
  var bits = header.split(' ');

  if (bits.length == 2) {
    var scheme = bits[0];
    var credentials = bits[1];
    if (/^Bearer$/i.test(scheme)) {
      // Only the credentials part goes to jwt.verify, not the whole header value
      jwt.verify(credentials, config.secret, function(err, decoded) {
        if (err) return res.status(401).end(); // bad signature, expired, malformed
        res.json(decoded);                     // success path (the original never responded here)
      });
      return;
    }
  }
  res.status(401).end(); // missing header, wrong scheme, or malformed value
};

Upvotes: 2

vbuser2004

Reputation: 1042

I don't have enough reputation to comment, but in the screenshot of the jwt from @rdegges answer, it looks like you are including the password with the user details. You shouldn't send the password in the jwt (even though it is hashed it is unnecessary) or any sensitive data.

You can avoid having it returned if you add "selected: false" to your mongoose user schema in the password field. If you do that, use the '+password' notation in the find method for login (as in):

User.findOne({ email: req.body.email }, '+password', function(err, user) {
  // ... check here that the supplied credentials are correct ...
});

Hope this helps!

Upvotes: 0

rdegges

Reputation: 33844

It looks like the issue is that your signature is invalid.

I tested this by taking your Authorization header output, and copy+pasting it into the JWT debugger at: http://jwt.io

As you can see in the screenshot below, there are some errors.

Best!

[screenshot: JWT Debugging]

Upvotes: 0
