[英]JWT Invalid signature from one website, but no errors with another. Extra properties of user object get added to token
I have two websites.我有两个网站。 One is production, but a very very old version.
一个是生产,但一个非常非常旧的版本。 Another is just localhost where I'm currently testing it.
另一个只是我目前正在测试的本地主机。 After involving NextAuthJS to the NextJS website, I need to integrate my NextAuthJS session provider to the remote ExpressJS backend.
将NextAuthJS引入 NextJS 网站后,我需要将 NextAuthJS 会话提供程序集成到远程 ExpressJS 后端。
I make a request to /login ->我向 /login -> 提出请求
In case I need to get any user specific details, such as saved videos:如果我需要获取任何用户特定的详细信息,例如保存的视频:
And boom!和繁荣! Here the error message repeats shouting at me: "JsonWebTokenError: invalid signature"
这里的错误消息重复对我大喊:“JsonWebTokenError:无效签名”
That doesn't happen on the production website, even though the remote backend is one link for both the production and development.这不会发生在生产网站上,即使远程后端是生产和开发的一个链接。
What I noticed using JWT token debugger is that我在使用JWT 令牌调试器时注意到的是
Token from local, gives error: eyJhbGciOiJIUzUxMiJ9..ZCnnNZ2a7aeO6GCnyhnWYGMX-4kkJX75ZyzG52lSiWxUBIawXrA37882HFwo_3r6-I3JrrYNv270vxfsMwyBlw来自本地的令牌,给出错误: eyJhbGciOiJIUzUxMiJ9..ZCnnNZ2a7aeO6GCnyhnWYGMX-4kkJX75ZyzG52lSiWxUBIawXrA37882HFwo_3r6-I3JrrYNv270vxfsMwyBl
Token from production, works as expected : eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJfaWQiOiI2MTdjMWEzN2EwYjAzMjExNzE1M2Q0NzMiLCJyb2xlIjoidXNlciIsImlhdCI6MTYzNjI5MTY3MywiZXhwIjoxNjM2Mzc4MDczfQ.bqY6y0_lmX5dBAHemgv_9UFuupwLBBDcyFpAdXgCiH8从生产令牌,按预期工作:eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJfaWQiOiI2MTdjMWEzN2EwYjAzMjExNzE1M2Q0NzMiLCJyb2xlIjoidXNlciIsImlhdCI6MTYzNjI5MTY3MywiZXhwIjoxNjM2Mzc4MDczfQ.bqY6y0_lmX5dBAHemgv_9UFuupwLBBDcyFpAdXgCiH8
JWT Secret : jdgfaiodsugfaileufliaeruy JWT 秘密:jdgfaiodsugfaileufliaeruy
Code of decoding token and getting user data is:解码token获取用户数据的代码为:
exports.requireSignin = (req, res, next) => {
if (req.headers.authorization) {
const token = req.headers.authorization.split(" ")[1];
console.log( 'token is', token );
jwt.verify(token, process.env.JWT_SECRET, function (err, decoded) {
if (err) {
console.log( err, 'Token given', token, 'Token secret', process.env.JWT_SECRET );
return res.status(401).json({ error: "Token has been expired!" });
}
req.user = decoded;
console.log( decoded );
});
// const user = jwt.verify(token, process.env.JWT_SECRET);
// console.log(user);
// req.user = user;
} else {
return res.status(401).json({ error: "Authorization required" });
}
next();
//jwt.decode()
};
Code of GENERATING that token:生成该令牌的代码:
exports.signin = async (req, res) => {
User.findOne({ email: req.body.email }).exec((error, user) => {
if (error){ console.log( 'login error', error ); return res.status(400).json({ error }); }
if (user) {
bcrypt.compare(req.body.password, user.hash_password, (err, result) => {
if (err) {
console.log( req.body.password, user.hash_password );
return res
.status(400)
.json({ error: "Something's wrong, Please try again" });
}
if (!result) {
return res.status(400).json({ error: "Invalid credentials" });
}
if (user.approval.isApproved === false)
return res
.status(400)
.json({ error: "Please verify your account" });
if (user.isSuspended === true)
return res.status(400).json({ error: "You have been temporarily suspended, please contact support" });
const token = jwt.sign(
{ _id: user._id, role: user.role },
process.env.JWT_SECRET,
{
expiresIn: "1d",
}
);
console.log( process.env.JWT_SECRET, token, user._id, user.role );
// some unnecessary code ...
res.status(200).json({
success: true,
token: "Bearer " + token,
ProfileImageBaseUrl: ProfileImageBaseUrl,
user: {
_id,
firstName,
lastName,
email,
role,
jobRole,
videoGoal,
profilePicture,
createdBy,
approval,
accessType,
resetPassToken,
branding,
sub_status
},
});
})
});
} else {
return res.status(400).json({ error: "Something's wrong, Please try again" });
}
});
};
A) WHEN I GET AN ERROR, The LOGS I receive from my backend are: A) 当我收到错误时,我从后端收到的日志是:
Sign in controller , console.log( process.env.JWT_SECRET, token, user._id, user.role ) is登录控制器,console.log( process.env.JWT_SECRET, token, user._id, user.role ) 是
jdgfaiodsugfaileufliaeruy eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJfaWQiOiI2MTdjMWEzN2EwYjAzMjExNzE1M2Q0NzMiLCJyb2xlIjoidXNlciIsImlhdCI6MTYzNjI5MTY3MywiZXhwIjoxNjM2Mzc4MDczfQ.bqY6y0_lmX5dBAHemgv_9UFuupwLBBDcyFpAdXgCiH8 617c1a37a0b032117153d473 user jdgfaiodsugfaileufliaeruy eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJfaWQiOiI2MTdjMWEzN2EwYjAzMjExNzE1M2Q0NzMiLCJyb2xlIjoidXNlciIsImlhdCI6MTYzNjI5MTY3MywiZXhwIjoxNjM2Mzc4MDczfQ.bqY6y0_lmX5dBAHemgv_9UFuupwLBBDcyFpAdXgCiH8 617c1a37a0b032117153d473用户
Require sign in controller ,console.log( err, 'Token given', token, 'Token secret', process.env.JWT_SECRET ) is:需要登录控制器,console.log(err, 'Token given', token, 'Token secret', process.env.JWT_SECRET ) 是:
Token given eyJhbGciOiJIUzUxMiJ9..ZCnnNZ2a7aeO6GCnyhnWYGMX-4kkJX75ZyzG52lSiWxUBIawXrA37882HFwo_3r6-I3JrrYNv270vxfsMwyBlw Token secret jdgfaiodsugfaileufliaeruy给定的令牌 eyJhbGciOiJIUzUxMiJ9..ZCnnNZ2a7aeO6GCnyhnWYGMX-4kkJX75ZyzG52lSiWxUBIawXrA37882HFwo_3r6-I3JrrYNv270vxfsMwyBlwfagia Token secret
B) When no error, these are: B) 当没有错误时,这些是:
Require sign in : token is eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJfaWQiOiI2MTdjMWEzN2EwYjAzMjExNzE1M2Q0NzMiLCJyb2xlIjoidXNlciIsImlhdCI6MTYzNjI5MTYyNSwiZXhwIjoxNjM2Mzc4MDI1fQ.K-inQfI77mepKjkG_5g4obr3sfcVnDwCOXeQlDPra00需要登录:令牌eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJfaWQiOiI2MTdjMWEzN2EwYjAzMjExNzE1M2Q0NzMiLCJyb2xlIjoidXNlciIsImlhdCI6MTYzNjI5MTYyNSwiZXhwIjoxNjM2Mzc4MDI1fQ.K-inQfI77mepKjkG_5g4obr3sfcVnDwCOXeQlDPra00
Sign in :登录:
jdgfaiodsugfaileufliaeruy eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJfaWQiOiI2MTdjMWEzN2EwYjAzMjExNzE1M2Q0NzMiLCJyb2xlIjoidXNlciIsImlhdCI6MTYzNjI5MTYyNSwiZXhwIjoxNjM2Mzc4MDI1fQ.K-inQfI77mepKjkG_5g4obr3sfcVnDwCOXeQlDPra00 617c1a37a0b032117153d473 user jdgfaiodsugfaileufliaeruy eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJfaWQiOiI2MTdjMWEzN2EwYjAzMjExNzE1M2Q0NzMiLCJyb2xlIjoidXNlciIsImlhdCI6MTYzNjI5MTYyNSwiZXhwIjoxNjM2Mzc4MDI1fQ.K-inQfI77mepKjkG_5g4obr3sfcVnDwCOXeQlDPra00 617c1a37a0b032117153d473用户
I feel like it is just something simple I just don't notice, I've been trying to fix it for 9 hours, but I haven't determined what yet.我觉得这只是一些我没有注意到的简单事情,我已经尝试修复了 9 个小时,但我还没有确定是什么。
Please, help me, guys!请帮帮我,伙计们!
Any help or hints are highly appreciated!任何帮助或提示都非常感谢!
Thanks everyone who helped me with this!感谢所有帮助过我的人! @Bergi and @eol!
@Bergi 和 @eol!
The problem was nextauthjs specific and not conserned about expressjs, as it appeared.问题是 nextauthjs 特定的,而不是像它出现的那样关注 expressjs。
So I don't get token returned by nextauthjs anymore.所以我不再得到 nextauthjs 返回的令牌。
Instead, I get token from user object's authToken property, stored in the session.相反,我从存储在会话中的用户对象的 authToken 属性获取令牌。
So it is like:所以它就像:
MyApp.getInitialProps = async ({ router, ctx }) => {
const session = await getSession(ctx);
if (router.asPath === '/login' || router.asPath === '/register') {
return { session: session };
}
if (!session || !session.user) {
ctx.res.writeHead(302, {
Location: '/login',
});
ctx.res.end();
}
console.log('Access token', session.accessToken);
axios.defaults.headers.common = {
authorization: `${session.accessToken}`,
};
return { token: `${session.accessToken}`, session: session };
};
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.