Reputation: 77
I'm implementing a web app that contains a chatbot that will remind the user of his upcoming Google Calendar events. I have successfully generated a JWT token when the user authorizes, but I'm getting this error "JsonWebTokenError: invalid signature" when I verify the token. I'm still new to these concepts so I would really appreciate any help.
Here is where I signed my token:
const express = require('express');
const path = require('path');
const fs = require('fs');
const jwt = require('jsonwebtoken');
const dfff = require('dialogflow-fulfillment');
const { google } = require('googleapis');

const app = express();
// RS256 signs with an RSA private key and verifies with the matching public key.
// The key file names are placeholders; the original post does not show how the keys are loaded.
const privateKey = fs.readFileSync(path.join(__dirname, 'private.key'));
const publicKey = fs.readFileSync(path.join(__dirname, 'public.key'));

let iss = 'GoogleCalender'
let sub = '[email protected]'
let aud = 'xxxxxxxxxxxxxx'
let exp = '24h'
let signOptions = {
    issuer: iss,
    subject: sub,
    audience: aud,
    expiresIn: exp,
    algorithm: "RS256"
}
app.get('/landingPage', (req, res) => {
    const token = jwt.sign({ user: 'iman' }, privateKey, signOptions);
    // The token is stored in an httpOnly cookie, not returned in a header or body
    res.cookie('token', token, { httpOnly: true });
    res.sendFile(path.join(__dirname, "./landingPage.html"));
});
And here is where I verify the token:
let verifyOptions = {
    issuer: iss,
    subject: sub,
    audience: aud,
    maxAge: exp,
    algorithms: ["RS256"]   // jsonwebtoken expects an array here, not a bare string
}
// Reads the token from the Authorization header only; the GET handler above put it in a cookie
function verifyToken(req, res, next) {
    const bearerHeader = req.headers['authorization']
    if (typeof bearerHeader !== 'undefined') {
        const bearer = bearerHeader.split(' ')
        const bearerToken = bearer[1]
        req.token = bearerToken
        next()
    }
    else {
        res.sendStatus(403)
    }
}
app.post('/landingPage', verifyToken, express.json(), (req, res) => {
    const token = req.token
    jwt.verify(token, publicKey, verifyOptions, (err, authData) => {
        // createConnection() is not shown in the post; it is expected to return a Google auth client
        const calendar = google.calendar({ version: 'v3', auth: createConnection() });
        const agent = new dfff.WebhookClient({
            request: req,
            response: res
        })
        function welcome(agent) {
            if (err) {
                console.log(err)
                agent.add("Hi, Im helen, Please log in so i can remind you on your upcoming events")
            }
            else {
                agent.add("Hi, I'm Rem. Please click on remind me button if you want to be reminded on your upcoming events!")
            }
        }
        // The handler only runs once it is mapped to an intent; 'Default Welcome Intent' is
        // Dialogflow's default intent name and is an assumption, the post does not show the mapping
        const intentMap = new Map()
        intentMap.set('Default Welcome Intent', welcome)
        agent.handleRequest(intentMap)
    })
});
Is there anything I'm doing wrong?
Upvotes: 3
Views: 5453
Reputation: 12342
It's good that you're using a pair of private and public keys. It's better to use asymmetric signing than symmetric.
In your code I can see that you're sending the JWT token in a httpOnly cookie, but then in the landingPage you read it from the Authorization header. Not sure how that is supposed to work. Are you sure you're sending the right JWT to the /landingPage endpoint?
If you want to use this JWT that you issued yourself to access a user's data in a Google Calendar then it will not work. To access this data you need an access token issued by Google. Have a look at Google's documentation to check how to obtain an access token from them which will allow you to call the calendar API. You can still use the token that you are creating as a way of protecting your own endpoints. So: the user will need your token to be able to call your endpoint, and then a token from Google will be used to call the calendar API.
Upvotes: 3