I've built my MEAN web application. To authorize users I'm using JWT tokens. But there is one problem. Sometimes while reloading a page I get 401 Unauthorized while I'm still authorized. I checked my token twice in local storage and it was right there. Then I tried to reload my other pages and it's so weird because some of them are reloading nicely and some are returning 401. I have this error while hosting my app on Heroku. I'm using Angular 5 for the frontend and Node.js for the back end. Does anyone have such a problem? If you need code, it's on my GitHub: https://github.com/tia337/MEAN-Stack .
I think there is some problem in the package. The tokenNotExpired function has some issue. You can also check on your own whether the token has expired or not. Just decode your token with a JWT library and compare the expiry time with the current time.
Hope it will help.
In Vue, I understand that any Javascript included in the Vue files will be exposed to the browser (The User-agent in OAuth model). I want to make an API call to an API protected using OAuth 2 and have the data returned from the API call then displayed in the Vue app. Using OAuth, I need to use an Access token only known to the client server (node/express server) and I do not want to reveal the access token to the browser (user-agent).
I tried to see if I could do it using vue-axios, but that forces me to add the auth token to the logic within Vue, which means the browser can access the access token, which seems really insecure.
So, I thought that I could make the API call on the node/express server that hosts the Vue application. Then, have the data included in the Vue app and send it to the user's browser with the data. The Vue app would then be rendered as normal. That would keep the auth token hidden from the user's browser. However, I got stuck trying to include JSON data extracted from the API using Express in the Vue app.
How can I insert data into Vue using express, without putting code from the API call into vue?
Note: I'm new to Vue, so if anyone thinks that there is better way to do this securely, I'm open to suggestions.
It's possible you're trying to over-think this. You're not going to out-think the designers of OAuth. Consumers of APIs need access tokens. Your OAuth access token is secure, in the sense that it can't be modified to get extra rights, and it should be short-lived, requiring regular re-authentication. Your security lies in the fact that even if your user recovers the token, it won't let him do anything you're not happy for him to do anyway.
I'm using a Node.JS express backend and an Angular 4 frontend in this app. I use JWT tokens to store an id which I use to find a user. Please note these JWT tokens do not expire.
Scenario:
User logs in.
JWT Token is generated and signed (containing the user ID)
JWT token is saved in localStorage
JWT token is used from then on to find the current user that's logged in
This was working perfectly. Now, something really weird happens. In production, occasionally, the JWT token seems to change value which then throws an error on my application as the user can no longer be found. I've run through all the code, nothing on the app itself should be changing the value at all.
I appear to have isolated this issue as only occurring mostly in Google Chrome; however, (I think) I might have seen it occur in Safari at times. I have no idea why this would be happening. When I go to a protected page in Angular, it checks whether a JWT token exists or not before proceeding. If it doesn't, then it'll go to login. Nowhere is the value of that token changed.
Does anyone know what I may be doing wrong/why this is happening?
Are you using a middleware function in order to implement your JWT logic?
If not, I would recommend using a middleware function that is written prior to your route logic/handler function. I guess that helps with debugging the problem and is also good practice.
So I'm running into a problem I suspect I shouldn't be having, and having tried several things I'm seemingly at an impasse.
I am trying to integrate LinkedIn login with Stormpath, and it seems the accounts get created and technically the user is logged in, but the application does return one of two errors:
"Token is invalid" or "Invalid state token provided."
I checked my ID and secret several times and the authorized callback URLs etc., but I'm not sure where else to actually check; some help would be appreciated.
To try further I did in fact clone https://github.com/stormpath/stormpath-express-react-example and run it, and everything else works fine, but again LinkedIn login on this app doesn't work, so I suspect it's not my code (maybe; after years of coding I'm never really comfortable saying it's not my code, but there you have it).
I have attached the screenshot of things in case my now very tired eyes are missing something. Can someone point me to my mistake please?
For reference, Omar and I looked through this problem and realized that his server was not running ntp, and the clock was running fast.
This meant that the signed token request generated by Stormpath's Express integration was sent to Stormpath's REST API with a different valid time interval than expected, and thus failed validation.
We fixed it by installing ntp and syncing the server's time.
I have an MVC app, like explained here: https://developers.google.com/api-client-library/dotnet/guide/aaa_oauth#web-applications-aspnet-mvc
From Javascript I make AJAX calls to some Action that uses Google API to get message from Gmail.
At first everything works fine, but after some time I keep receiving
Error:"invalid_grant", Description:"Token has been revoked.", Uri:""
Can someone explain to me what that means and why I am getting this error?
Cheers
Error:"invalid_grant", Description:"Token has been revoked.", Uri:""
Means just that the user has revoked your access to their data; you will need to request authentication again.
One thing you need to remember while testing: if you request access from yourself and grant it, you get a refresh token; do it again and you get another refresh token. They both will work. You can do this up to 26 times and have 26 technically live and active refresh tokens for an application. Once you do it the 27th time, the first one will stop working; normally you just get an invalid grant error.
"Token has been revoked" normally means that the user has revoked access in Google, but it might be different with Gmail.
Update 2021:
Invalid grant means that the token you have no longer works. As of 2021 Google has made a change which will cause all refresh tokens to expire after seven days if the project that created it is still in the testing phase. The solution is to move your project to production, and then your refresh tokens will last longer than seven days.
I created a chrome app which uses the identity api, and it is deployed on the chrome web store. I cleared the dev version from my computer and downloaded it myself and it works wonderfully.
All it really does is get your identity, use that to grab a token that can be used to access the json representation of a google doc.
My teammate downloaded the app from the store and it isn't working at all. It seems that the app is not able to get a token, and therefore doesn't grab the JSON from the restricted Google doc. I tried re-uploading the app with the key.pem in the root directory of the zip file, but with no luck.
What possible reason could there be for this? The only thing that I could think of is that my computer has a particular key on it. Any ideas?
Much appreciated.
The problem here was that I had previously cached my auth token from when I was developing locally.
Since your offline development version of the Chrome app must have the same 64-character ID as the one that you upload (if you want API credentials to work for you), you have to be mindful of cached OAuth tokens. You can easily find them at chrome://identity-internals, where you can revoke the tokens to simulate a user opening the app for the first time.
In my case, I initially had
    chrome.identity.getAuthToken({
        "interactive": true
    }, function(token) {
        // token handling omitted in the original post
    });
inside window.onload. I later changed it to false, which didn't matter since I already had one cached for who knows how long. Thus, the app failed to authenticate for anyone else. Google recommends including a button or any other UI element for initiating the chrome.getAuthToken method because bandwidth issues often lead to a messy situation. I refactored this code to use interactive: true only if an auth token is not already present.
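The refactoring described in the last sentence, written out as an added example (not the asker's code): ask for a cached token silently first and only prompt interactively when none exists, so the first-run path is exercised on every machine, not just one with a token already cached. The chrome.identity and chrome.runtime objects are passed in so the logic runs under Node against a constructed fake (makeFakeChrome is hypothetical, built only for this demo); in the app you pass chrome.identity and chrome.runtime themselves.

```javascript
// Added example (not the asker's code): silent lookup first, interactive prompt
// only when no token is cached. Takes the chrome APIs as parameters so the
// same function runs in the app and against the fake below.
function acquireToken(identity, runtime, done) {
  identity.getAuthToken({ interactive: false }, (cached) => {
    // chrome.runtime.lastError is set (and the token is undefined) when there
    // is no cached grant: first run, or revoked at chrome://identity-internals.
    if (cached && !runtime.lastError) return done(cached);
    identity.getAuthToken({ interactive: true }, (token) => {
      done(runtime.lastError || !token ? null : token);
    });
  });
}

// Constructed fake of chrome.identity / chrome.runtime for the demo.
// `cached` is a token already stored for this extension ID (null on a fresh
// install); `userGrants` is what an interactive prompt would return
// (undefined when the user dismisses it). `calls` records each interactive flag.
function makeFakeChrome({ cached, userGrants }) {
  const runtime = { lastError: null };
  const calls = [];
  const identity = {
    getAuthToken({ interactive }, cb) {
      calls.push(interactive);
      runtime.lastError = null;
      if (cached) return cb(cached);
      if (interactive) return cb(userGrants);
      runtime.lastError = { message: 'No cached token (constructed message).' };
      cb(undefined);
    },
  };
  return { identity, runtime, calls };
}

// Run one scenario synchronously (the fake invokes callbacks inline) and
// report the token obtained plus the sequence of interactive flags used.
function scenario(opts) {
  const fake = makeFakeChrome(opts);
  let result;
  acquireToken(fake.identity, fake.runtime, (t) => { result = t; });
  return { token: result, calls: fake.calls };
}
```

A developer machine with a cached token makes only the silent call, so the interactive prompt that every other user will hit is never tested; revoking the token at chrome://identity-internals and re-running is the way to see the second call happen.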