In My MERN application SIGNUP,SIGNIN is working fine, but when am trying to view my profile on clicking about page then getting an error like "No authorization token was found" for backend am using issignedIn and isAuthenticated middleware, those person who SignIn application who are able to see about us page.
ABoutus.js
const callAboutPage = async()=>{
try{
const res = await fetch('/about',{
method:"GET",
headers:{
Accept:'application/json',
'Content-Type':'application/json'
},
credentials:"include"
})
const data = await res.json();
console.log(data)
// if(!res.status === 200){
// const error = new Error(res.error)
// throw error;
// }
}
catch(err){
console.log(err);
history.push('/login')
}
}
useEffect(() => {
callAboutPage();
}, [])
auth.js/controller
//PROTECTED ROUTE
exports.isSignedIn = expressJwt({
secret: process.env.SECRET,
algorithms: ['RS256'],
userProperty: "Auth"
});
//CUSTOM MIDDLEWARE
exports.isAuthenticated = (req, res, next) => {
let checker = req.profile && req.Auth && req.profile._id == req.Auth._id;
if (!checker) {
return res.status(403).json({
error: "ACCESS DENIED"
});
}
next();
};
Route
router.get('/about',isSignedIn,isAuthenticated,(req,res)=>{
res.send("A protected Route")
});
Related
I am a beginner with node js. I want to make an authentication server using jwt (jsonwebtoken).
The problem is when I test my end point "/api/posts?authorisation=Bearer token..." in postman with method POST with the right token, it gives me forbidden.
Here is my code:
const express = require('express')
const jwt = require('jsonwebtoken')
const app = express()
app.get("/api", (req, res) => {
res.json({
message: "Hey there!!!"
})
})
app.post('/api/posts', verifyToken, (req, res) => {
jwt.verify(req.token, "secretkey", (err, authData) => {
if (err) {
res.sendStatus(403) //forbidden
res.send(`<h2>${err}</h2>`)
} else {
res.json({
message: "Post Created...",
authData
})
}
})
})
app.post('/api/login', (req, res) => {
const user = {
id: 1,
username: "John",
email: "john#gmail.com"
}
jwt.sign({ user: user }, "secretkey", (err, token) => {
res.json({
token
})
})
})
function verifyToken(req, res, next) {
const bearerHeader = req.headers["authorization"]
if (typeof bearerHeader !== "undefined") {
const bearerToken = bearerHeader.split(" ")[1]
req.token = bearerToken
next()
} else {
res.sendStatus(403) //forbidden
}
}
app.listen(5000, () => {
console.log("Server is running :)")
})
I expected it to work because I brought it from a tutorial.
Your code works
The problem is in your request invocation:
According to the oauth2 spec, the Authorization token should be a header and your code expect that
So the token should be sent as http header, not as a query param like foo/bar?authorization=Bearer token...".
Here some samples
Postman
Axios (javascript)
let webApiUrl = 'example.com/getStuff';
let tokenStr = 'xxyyzz';
axios.get(webApiUrl,
{ headers: { "Authorization": `Bearer ${tokenStr}` } });
Advice
Read about oauth2 and jwt
Perform the token validation in the middleware to avoid the validation on each route
Here I'm carrying out the GET method to list the data by authenticating the login credentials, but when I pass the token in value in the header it directly catch the error message. is anything I'm doing wrong?
Authentication Middleware - authentication.js
const jwt = require("jsonwebtoken");
const authenticate = (req, res, next) => {
const access_token = req.headers["authorization"];
if (!access_token) return res.status(401).send("Access denied! no token provided.");
try {
const decoded = jwt.verify(access_token, "SECRET_JWT_CODE");
req.receive = decoded;
next();
} catch (error) {
res.status(400).send("invalid token.");
}
};
module.exports = authenticate;
console.log(req.headers)
GET method
const authenticate = require("./authentication.js");
router.get("/admin", authenticate, async (req, res) => {
try {
const receive = await SomeModel.find();
res.json(receive);
} catch (err) {
res.send(err);
}
});
login
router.post("/admin/sign_in", (req, res) => {
if (!req.body.email || !req.body.password) {
res.json({ error: "email and password is required" });
return;
}
login
.findOne({ email: req.body.email })
.then((admin) => {
if (!admin) {
res.json({ err: "user does not exist" });
} else {
if (!bcrypt.compareSync(req.body.password, admin.password)){
res.json({ err: "password does not match" });
} else {
const token = jwt.sign(
{
id: admin._id,
email: admin.email,
},
SECRET_JWT_CODE
);
res.json({
responseMessage: "Everything worked as expected",
access_token: token,
});
}
}
})
.catch((err) => {
err.message;
});
});
The token is in the form Bearer <token> so you need to split it before verifying it:
const jwt = require("jsonwebtoken");
const authenticate = (req, res, next) => {
const access_token = req.headers["Authorization"];
if (!access_token) return res.status(401).send("Access denied! no token provided.");
const splitToken = access_token.split(' ');
if (splitToken.length !== 2) return res.status(401).send("Access denied! invalid token.");
const token = splitToken[1];
try {
const decoded = jwt.verify(token, "SECRET_JWT_CODE");
req.receive = decoded;
next();
} catch (error) {
res.status(400).send("invalid token.");
}
};
module.exports = authenticate;
Also, make sure that you pass the token via the Authorization tab in Postman.
It should be available in req.headers["Authorization"] (capitalized) in the expected Bearer <token> format.
I am trying to create a token from JWT when a user signs up for my application but I get the error, Error [ERR_HTTP_HEADERS_SENT]: Cannot set headers after they are sent to the client. I think there is an issue with the structure of my code. How can I fix this issue?
//sign up request
exports.signup = async (req, res, next)=> {
const {email} = req.body;
const userExist = await User.findOne({email});
if (userExist) {
return next(new ErrorResponse(`Email already exists`, 404))
}
try {
const user = await User.create(req.body);
res.status(201).json({
success: true,
user
})
generateToken(user, 201, res);
} catch (error) {
console.log(error);
next(error);
}
}
//generate token method
const generateToken = async (user, statusCode, res) => {
const token = await user.jwtGenerateToken();
var hour = 3600000;
const options = {
httpOnly: true,
expires: new Date(Date.now() + hour)
};
res.status(statusCode)
.cookie('token', token, options)
.json({success: true, token})
}
First generate the token and next send the response
generateToken(user, 201, res);
res.status(201).json({
success: true,
user
})
You can return value from the token and then send it using response or you can just send it from the generateToken function. Here you are trying to use the response again though you have sent it once hence resulting in error.
Updated
//sign up request
exports.signup = async (req, res, next)=> {
const {email} = req.body;
const userExist = await User.findOne({email});
if (userExist) {
return next(new ErrorResponse(`Email already exists`, 404))
}
try {
const user = await User.create(req.body);
generateToken(user, 201, res);
} catch (error) {
console.log(error);
next(error);
}
}
//generate token method
const generateToken = async (user, statusCode, res) => {
const token = await user.jwtGenerateToken();
var hour = 3600000;
const options = {
httpOnly: true,
expires: new Date(Date.now() + hour)
};
res.status(statusCode)
.cookie('token', token, options)
.json({success: true, token: token, user: user})
}
you are trying to send the response twice. and then in generateToken method. Keep it at one place, the error will go away.
How to make user redirect after authentication based on user.role ?
I'm getting the following error: UnhandledPromiseRejectionWarning: Error [ERR_HTTP_HEADERS_SENT]: Cannot set headers after they are sent to the client
const jwt = require('jsonwebtoken')
const { COOKIE_NAME, SECRET } = require('../config/config')
module.exports = function() {
return (req, res, next) => {
let token = req.cookies[COOKIE_NAME]
if(token) {
jwt.verify(token, SECRET, function(err, decoded){
if (err) {
res.clearCookie(COOKIE_NAME)
} else {
if(decoded.user.role === 'admin') {
res.redirect('http://localhost:4000')
}
req.user = decoded;
}
})
}
next();
}
}
Login Fetch:
fetch(`${API}/auth/login`,{
method: 'POST',
credentials: 'include',
withCredentials: true,
headers: {
'Content-Type': 'application/json'
},
body: JSON.stringify(user)
})
.then((response) => {
if(response.status === 302) {
window.location = 'http://localhost:4000'
}
else if(response.status === 200) {
onSuccess()
setTimeout(() => {
window.location = '/'
}, 1000)
} else if (response.status === 401) {
onError()
}
})
.catch((error) => {
console.log(error)
})
}
Here is my authService:
const jwt = require('jsonwebtoken')
const User = require('../models/User');
const bcrypt = require('bcrypt')
const { SALT_ROUNDS, SECRET } = require('../config/config');
const register = async ({name, username, email, password, cart}) => {
let salt = await bcrypt.genSalt(SALT_ROUNDS);
let hash = await bcrypt.hash(password, salt);
const user = new User({
name,
username,
email,
password: hash,
cart
});
return await user.save()
}
const login = async ({email, password}) => {
let user = await User.findOne({email})
if (!user) {
throw {message: 'User not found!'}
}
let isMatch = await bcrypt.compare(password, user.password)
if (!isMatch) {
throw {message: 'Password does not match!'}
}
let token = jwt.sign({user}, SECRET)
return token;
}
And my authController:
const { Router } = require('express');
const authService = require('../services/authService');
const { COOKIE_NAME } = require('../config/config');
const router = Router();
router.post('/login', async (req, res) => {
const {email, password} = req.body
try {
let token = await authService.login({email, password})
res.cookie(COOKIE_NAME, token)
res.status(200).json(token)
} catch (error) {
res.status(401).json({ error: error })
}
})
Here is my server if this will help:
app.use((req, res, next) => {
const allowedOrigins = ['http://localhost:3000', 'http://localhost:4000'];
const origin = req.headers.origin;
if (allowedOrigins.includes(origin)) {
res.setHeader('Access-Control-Allow-Origin', origin);
res.setHeader('Access-Control-Allow-Credentials', true)
}
res.header('Access-Control-Allow-Headers', 'Origin, X-Requested-With, Content-Type, Accept');
next();
});
Since you're using jwt.verify with a callback, it is being executed asynchronously. Due to this, immediately after calling verify but before getting the decoded token, your next() function is called which passes the control to the next middleware (which probably would be synchronous) which then returns the request.
The flow of events would be something like this:
if(token) { ... starts
jwt.verify(token, ... is called asynchronously. It registers the callback function(err, decoded) { ... but doesn't execute it yet.
You exit the if(token) { ... } block and call next().
The next middleware in line starts executing and probably returns the request if it is the last middleware in chain. So the client has already been sent the response by this time.
jwt.verify(token ... succeeds and calls your registered callback.
It sees that there is no error at line if (err) ... so it moves to the else block.
It decodes the user role and tries to redirect (which internally would try to insert a header on the response). But this fails because the user was already sent the response (and hence your error message).
So the simple solution to this is to not call next() UNTIL jwt verifies and decodes your token and you know the role. In the code below, I've moved the next() function call a few lines upwards.
const jwt = require('jsonwebtoken')
const { COOKIE_NAME, SECRET } = require('../config/config')
module.exports = function() {
return (req, res, next) => {
let token = req.cookies[COOKIE_NAME]
if(token) {
jwt.verify(token, SECRET, function(err, decoded){
if (err) {
res.clearCookie(COOKIE_NAME)
} else {
if(decoded.user.role === 'admin') {
res.redirect('http://localhost:4000')
}
req.user = decoded;
}
next();
})
}
}
}
Picture of error in postman
//This is route
router.get("/all/posts",isSignedIn,isAuthenticated, getAllPosts)
//This is controller
exports.getAllPosts = (req, res) => {
Post.find()
.populate("postedBy","_id username")
.exec((err, posts) => {
if(err || !posts){
return res.status(400).json({
error:"No Post found"
})
}
res.json(posts)
})
}
//This is Auth controller which is middleware where I'm getting error
exports.isAuthenticated = (req, res, next) => {
let checker = req.profile && req.auth && req.profile._id == req.auth._id;
if (!checker) {
console.log(checker);
return res.status(403).json({
error: "ACCESS DENIED",
});
}
console.log(checker);
next();
};
//This is isSignedIn controller
//protected routes
exports.isSignedIn = expressJwt({
secret: process.env.SECRET,
userProperty: "auth",
});
//This is signin controller
exports.signin = (req, res) => {
const errors = validationResult(req);
const { username, password } = req.body;
if (!errors.isEmpty()) {
return res.status(422).json({
error: errors.array()[0].msg,
});
}
User.findOne({ username }, (err, user) => {
if (err || !user) {
return res.status(400).json({
error: "USER does not exists",
});
}
if (!user.autheticate(password)) {
return res.status(401).json({
error: "Username and password do not match",
});
}
//create token
const token = jwt.sign({ _id: user._id }, process.env.SECRET);
//put token in cookie
res.cookie("token", token, { expire: new Date() + 9999 });
//send response to front end
const { _id, username, role } = user;
return res.json({ token, user: { _id, username, role } });
});
};
//Only all/posts having problem remaining all are working fine even isAuthentication is also working with others routes but in this case it is giving error