I want to find whether the user is authenticated 'jwt' inside middleware. Is there any way like req.isAuthenticated() similar to passportjs?
module.exports = function(app){
return function(req, res, next){
// How to implement the below step?
var isAuthenticated = app.use(jwt({secret: app.get('jwtTokenSecret')}))
if(isAuthenticated){
// do some logic
}
}
}
Yes there is!
1) You can use use the express-jwt module. Check out https://github.com/auth0/express-jwt
2) You can do it this way:
//get the authorization token from the request headers, or from a cookie
if (req.headers && req.headers.authorization) {
var parts = req.headers.authorization.split(' ');
if (parts.length == 2) {
var scheme = parts[0];
var credentials = parts[1];
if (/^Bearer$/i.test(scheme)) {
token = credentials;
}
}
}
else if(req.cookies && req.cookies.token)
{
token = req.cookies.token;
}
...
jwt.verify(token, config.secrets.session, function(err, decoded) {
//isAuthenticated is in here
});
Related
I am trying to check if there is token but the 'split' is undefined. I'm still learning MERN so idk what's the problem.
const auths = async (req,res,next) => {
try {
const token = req.headers.authorization.split(" ")[1];
const isCustomAuth = token.length < 500;
let decodedData;
if(token && isCustomAuth){
decodedData = jwt.verify(token, 'todo');
req.userId = decodedData?.id;
}else {
decodedData = jwt.decode(token);
req.userId = decodedData?.sub;
}
next();
console.log('auth tapped!');
} catch (error) {
console.log(error);
}
}
Because header don't have authorization. So req.headers.authorization is undefined. You can use optional chaining to fix issues like this:
const token = req.headers.authorization?.split(" ")[1];
I tried to implement jwt token generation in node js.I got jwt token but how to validate token using node js crud operation.but I got token jwt verfiy code using callback function.without call back function used to implement async/awit function implement.
index.js
router.post('/', async (req, res) => {
(async function() {
try {
await client.connect();
console.log("Connected correctly to server");
const db = client.db('olc_prod_db');
//Validation
const { error } = validate.validate(req.body);
if (error)
{
return res.status(400).send(error.details[0].message);
}
else
{
const check_login = req.body
const r = await db.collection('UserRegistration').find().toArray();
r.forEach(element => {
if(element['username'] == check_login['username'])
{
const token = get_token.validate(req.body)
res.send({"token ":token})
}
else
{
return res.send(401,"Un Authorized");
}
});
}
client.close();
} catch(err) {
console.log(err.stack);
}
})();
});
authtoken.js
var jwt = require('jsonwebtoken')
function get_token(userdata)
{
var accessToken = jwt.sign(userdata, 'secretkey', {
//Set the expiration
expiresIn: 3600 //we are setting the expiration time of 1 hr.
});
//send the response to the caller with the accesstoken and data
console.log('Authentication is done successfully.....');
return accessToken
}
exports.validate = get_token;
const jwt = require('jsonwebtoken')
const config = require('../../config/default')
function verifyjwt(req,res,next){
const token = req.headers['authorization']
if(!token) return res.status(401).json('Unauthorize user')
try{
const decoded = jwt.verify(token,config.secret);
req.user = decoded
next()
}catch(e){
res.status(400).json('Token not valid')
}
}
module.exports = verifyjwt
const CONST = require('../../config')
exports.validJWTNeeded = (req, res, next) => {
if (req.headers['authorization']) {
try {
let authorization = req.headers['authorization'].split(' ');
if (authorization[0] !== 'Bearer') {
return res.status(401).send('invalid request'); //invalid request
} else {
req.jwt = jwt.verify(authorization[1], CONST.SECRET);
return next();
}
} catch (err) {
return res.status(403).send(); //invalid token
}
} else {
return res.status(401).send('invalid request');
}
}
Im getting a JWT from Auth0. I can decode it with the following middleware function on my Node server (using https://www.npmjs.com/package/jwt-node)
function authoriseToken(req, res, next) {
const token = req.headers.authorization.replace('Bearer ', '');
const decodedToken = jwt.decode(token);
console.log('decodedToken ', decodedToken);
next();
}
How can I verify the token? I keep getting an error JsonWebTokenError: invalid algorithm
function authoriseToken(req, res, next) {
const token = req.headers.authorization.replace('Bearer ', '');
const verifyedToken = jwt.verify(token, "my-secrete");
console.log('verifyedToken ', verifyedToken);
next();
}
Im not sure if I should be using a secrete or a jwksUri or what the difference is
Here is the actual token:
eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsImtpZCI6Ik16QkJRa1k0T0RRNE9VWTJORVZGT1VJNFFrSXpNRUZDT0RaQ01VSTBOVGN4TWpVeU1UYzNRdyJ9.eyJpc3MiOiJodHRwczovL25vbWFkZ3JvdXBzLmF1dGgwLmNvbS8iLCJzdWIiOiJhdXRoMHw1YjMxMDhkNjc4NzFkNTBkZTA0Njc2NWEiLCJhdWQiOiJTZkQyMEVPZVdRbHlnWXIwUHNXODdtYjd0OGFBOFI2NiIsImlhdCI6MTUzMDAxMzQwMCwiZXhwIjoxNTMwMDQ5NDAwLCJhdF9oYXNoIjoiUi1mRGc3SVRzUUdqemplX3VUR01RdyIsIm5vbmNlIjoiQnN-VmZxNzdtNERuaTJ1LjlIUVJlSEpzeHA4UjF2aDcifQ.CwZb6j3DshbD5M-OWBQpc10EIpAd3D-TuZTA1p7alePobSRVM7bE9Yzr5DIRyc2YUQZQ_OBwVLfFPq0pEBTWFYq2O43FJZ726xP1zK7Ty4PvAoLe4Cx6E0Ow8V8Ymo87XCIKX8J1ndg47q5glKzsnSMToutEWRZ2lnxJyirD4m4EwFykDF8DalA1sWvqnYXEwWraY3VLroqyZH2nkeLDcpcMdJ0tWwmzldwi7ym9OmegV5GBl7F6BgrZNIJfdoT88Rs4AKzogJyJuVQ1XlD7Up_nYlAKBmRMgkFt3t_4iq7pTkgdrWl1tXuJQsnmkkVH6_yffNYrWDnuirWwTCG4XQ
verify takes algorithms option in third parameter, adjust value with the correct one.
You can find it under applications > advanced settings > oauth > JsonWebToken Signature Algorithm
Expanding on Gabriel Bleu's answer here is my complete code:
const jwt = require('jsonwebtoken');
const pemCert = `-----BEGIN CERTIFICATE-----
// <<CERT CODE HERE>>
-----END CERTIFICATE-----`;
function authoriseToken(req, res, next) {
const token = req.headers.authorization;
// If there is no token user is not logged in
if (!token || token.length === 0) {
next();
return;
}
// If there is a token then add it to the res
const tokenCrop = token.replace('Bearer ', '');
const decodedToken = jwt.verify(tokenCrop, pemCert, { algorithm: 'RS256' });
const userId = decodedToken.sub.replace('auth0|', '');
req.authUserId = userId;
next();
}
module.exports = authoriseToken;
I'm trying to create a web app where a user can grant access to her Google Analytics account via OAuth2. After positive response I would like to make a request to that user's GA data (in the real application the request would be made "offline"). But when calling:
google.analytics('v3').data.ga.get(params, callback);
params should contain ids, which should be a list of "table ID"s from the user. How do I get hold of these IDs? Is it necessary to get this information through another profile-scoped-request?
Code:
var google = require('googleapis');
var OAuth2 = google.auth.OAuth2;
var clientId = '123-123.apps.googleusercontent.com';
var clientSecret = 'abc';
var redirectUrl = 'http://localhost:8080/redirect';
var authRequest = function(req, res) {
var oauth2Client = new OAuth2(clientId, clientSecret, redirectUrl);
var scopes = [ 'https://www.googleapis.com/auth/analytics.readonly' ],
params = { state: 'some-data', access_type: 'offline', scope: scopes };
var url = oauth2Client.generateAuthUrl(params);
res.redirect(301, url); // will return to "authResult()"
};
var _sampleAnalytics = function(req, res, oauthClient) {
var params = {
auth: oauthClient,
metrics: 'ga:visitors,ga:visits,ga:pageviews',
'start-date': '2015-06-01',
'end-date': '2015-06-30',
ids: ['ga:123456789'] // <== How to get this parameter?
};
google.analytics('v3').data.ga.get(params, function(err, response) {
// todo
});
};
var authResult = function (req, res) {
if (req.query.error) {
return handleError(res, req.query.error);
}
var oauth2Client = new OAuth2(clientId, clientSecret, redirectUrl);
oauth2Client.getToken(code, function(err, tokens) {
// Now tokens contains an access_token and an optional refresh_token. Save them.
if(err) {
return handleError(res, err);
} else {
oauth2Client.setCredentials(tokens);
_sampleAnalytics(req, res, oauth2Client);
}
});
};
Ok, that was simple. I just need to make another call to:
google.analytics('v3').management.accountSummaries.list(params, function(err, result) {
// ...
});
result will contain all the required information.
In the express-jwt docs there is a reference to being able to use a getToken function to get the token from a request.
How do you use this call in a route?
app.use(jwt({
secret: 'hello world !',
credentialsRequired: false,
getToken: function fromHeaderOrQuerystring (req) {
if (req.headers.authorization && req.headers.authorization.split(' ')[0] === 'Bearer') {
return req.headers.authorization.split(' ')[1];
} else if (req.query && req.query.token) {
return req.query.token;
}
return null;
}
}));
A useful little trick is to add unless which makes every URL except those specified by unless require a token.
This means you don't need to create a app.get for every single path in your api that you want to protect (unless you want different secrets for each, which I don't know why you would).
var jwt = require('jsonwebtoken');
var expressJWT = require('express-jwt');
app.use(
expressJWT({
secret: 'hello world !',
getToken: function fromHeaderOrQueryString (req) {
if (req.headers.authorization && req.headers.authorization.split(' ')[0] === 'Bearer')
return req.headers.authorization.split(' ')[1];
else if (req.query && req.query.token)
return req.query.token;
return null;
}
}).unless({ path: ['/login'] }));
// Test paths
app.get('/login', function (req, res) {
res.send("Attempting to login.");
});
app.get('/otherurl', function (req, res) {
res.send('Cannot get here.');
});
Or you simply specify it for a single path:
app.get('/protected',
expressJWT({
secret: 'hello world !',
getToken: function fromHeaderOrQueryString (req) {
if (req.headers.authorization && req.headers.authorization.split(' ')[0] === 'Bearer')
return req.headers.authorization.split(' ')[1];
else if (req.query && req.query.token)
return req.query.token;
return null;
}
}));
Notice the change from get and use in the configuration.
For every path that you supply through express-jwt, the function getToken is run if specified in your configuration.
What's nice about adding unless is that now you have minimized the amount of work you need to do in order to get the token from the user for each and every path.
Refer to index.js of express-jwt which tells you more about how getToken works:
If you specify the option as a function, the token value is the returned value of the function
This means that you can supply custom logic for handling your tokens, and may be a useful place to call verify.
Otherwise it runs the standard logic for extracting the token from the Authorization header with the format of '[Authorization Bearer] [token]' (I denote the brackets to show where it splits the string).
Like so:
app.get('/protected',
jwt({
secret: 'hello world !',
credentialsRequired: false,
getToken: function fromHeaderOrQuerystring(req) {
if (req.headers.authorization && req.headers.authorization.split(' ')[0] === 'Bearer') {
return req.headers.authorization.split(' ')[1];
} else if (req.query && req.query.token) {
return req.query.token;
}
return null;
}
})
);
Just add the getToken field in the object you pass to the jwt middleware. It's a combination of the example in the question, and the first example in the documentation.
Another way to get a JWT and Bearer tokens is:
To get a JWT token
let token = req.headers.authorization && req.headers.authorization.match(/^JWT (.*)$/);
if (token && token[1]) { token = token[1]; }
if (!token) { throw ['missingRequired']; }
To get a Bearer token
let token = req.headers.authorization && req.headers.authorization.match(/^Bearer (.*)$/);
if (token && token[1]) { token = token[1]; }
if (!token) { throw ['missingRequired']; }
To support both types of tokens:
let token = req.headers.authorization
&& (
req.headers.authorization.match(/^JWT (.*)$/)
||
req.headers.authorization.match(/^Bearer (.*)$/)
);
if (token && token[1]) { token = token[1]; }
if (!token) { throw ['missingRequired']; }