I have a Node.js application with JWT authorization. When I send a GET from Postman the authorization header is found, but when I send it from the browser the authorization header is missing. Here is the Node code; I'm trying to read the authorization header in the verifyToken method, but it is not there:
'use strict';
// Express + Swagger application bootstrap.
// Statement order is significant in this section: `module.exports = app` is
// assigned before the project modules further down are required (the author
// notes it is "for testing"; presumably so a module that requires this file
// back already sees the app object).
var SwaggerExpress = require('swagger-express-mw');
var app = require('express')();
module.exports = app; // for testing
// NOTE(review): `_` is not referenced again in the code shown here.
var _ = require('lodash');
var jwt = require('jsonwebtoken'); // used to create, sign, and verify tokens
var config = {
appRoot: __dirname // required config
};
// NOTE(review): `config` defines only `appRoot`, so `config.secret` is
// undefined and the 'superSecret' setting holds no value; the JWT
// verification below uses a separate literal key rather than this setting.
app.set('superSecret', config.secret); // secret variable
// bootstrap database connection and save it in express context
app.set("models", require("./api/model"));
// NOTE(review): `a` is not referenced again in the code shown here.
var a = app.get("models").Role;
// Required for its init(app) side effect; the returned factory is not used
// in the code shown here.
var repositoryFactory = require("./api/repository/RepositoryFactory").init(app);
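var verifyToken = function (req, res, next) {
  // Express middleware: verify the JWT carried in the Authorization header
  // and expose the decoded claims as req.user for the routes that follow.
  //
  // A CORS preflight (OPTIONS) is sent by the browser before the actual
  // GET/POST/PUT and carries no Authorization header, so verifying it here
  // fails every cross-origin request with a 403 before the real request is
  // ever made. The preflight is not the authenticated request itself, so
  // pass it along untouched.
  if (req.method === 'OPTIONS') {
    return next();
  }
  var token = req.headers.authorization;
  // NOTE(review): the header value is used verbatim; if a client sends the
  // "Bearer <token>" scheme, the prefix would have to be stripped first.
  if (!token) {
    // Reject before calling jwt.verify. Same status and message the verify
    // callback below produces, so clients see no difference.
    return res.status(403).json({ success: false, message: 'Failed to authenticate token.' });
  }
  // NOTE(review): the verification key is a literal here while the app also
  // stores a 'superSecret' setting; the two are not kept in sync.
  jwt.verify(token, 'shhhhh', function (err, decoded) {
    if (err) {
      // Generic message on purpose: the reason a token failed (expired,
      // bad signature, malformed) is not echoed back to the client.
      return res.status(403).json({ success: false, message: 'Failed to authenticate token.' });
    }
    // if everything is good, save to request for use in other routes
    req.user = decoded;
    next();
  });
};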
SwaggerExpress.create(config, function (createErr, swagger) {
  if (createErr) { throw createErr; }
  // Response headers added to every request, registered first so that CORS
  // preflight responses carry them as well.
  // NOTE(review): a wildcard Access-Control-Allow-Origin combined with
  // Access-Control-Allow-Credentials is a pairing browsers do not honour for
  // credentialed requests; an explicit origin allow-list would be needed
  // for that. "X-Requested-With" is also listed twice in the allowed
  // headers (harmless, but worth tidying).
  var addCommonHeaders = function (req, res, next) {
    res.header("Access-Control-Allow-Origin", "*");
    res.header("Access-Control-Allow-Headers", "X-CSRF-Token, X-Requested-With, Origin, client-security-token, X-Requested-With, Content-Type, Accept, Authorization");
    res.setHeader('Content-Type', 'application/json');
    res.setHeader('Access-Control-Allow-Credentials', true);
    next();
  };
  app.use(addCommonHeaders);
  // Everything registered after this point requires a verified JWT.
  app.use(verifyToken);
  // install middleware
  swagger.register(app);
  var port = process.env.PORT || 10010;
  app.listen(port);
});
I don't know what configuration I'm missing.
Try adding the following line to your .htaccess file. Apache removes the Authorization header; this ensures it is not removed.
SetEnvIf Authorization "(.*)" HTTP_AUTHORIZATION=$1
The issue was that I was trying to read the authorization token from the OPTIONS request. For a CORS request the browser sends this preflight before the actual GET, POST, PUT, etc., so I was trying to get the authorization header from it, it was not there, and the method failed. The solution was to add a check like this in the verifyToken method:
if (req.method !== 'OPTIONS') {
}
I think it is easier if you change this line in the verifyToken function: var token = req.headers.authorization;
to: var token = req.headers.authorization || req.query.access_token || req.body.access_token;
Then, in the browser, you can put the token in an "access_token" query parameter to authenticate with the server instead of setting the header.
Hope this helps!
You need to set those headers in your browser; try using the Chrome extension ModHeader: https://chrome.google.com/webstore/detail/modheader/idgpnmonknjnojddfkpgkljpfnnfcklj