Authenticating node API with passport-jwt

鱼传尺愫 2020-12-09 18:34

I'm trying to set up JWT authentication using passport-jwt. I think I've taken the right steps, but a test GET won't succeed and I don't know how to debug it.

He

2 answers
  • 2020-12-09 18:47

    For any poor soul that follows me here: the passport-jwt doc implies that the auth header should look like this...

    Authorization: JWT JSON_WEB_TOKEN_STRING.....

    That turned out to be misleading (for me, anyway).

    Fortunately, thanks to this article I was able to learn how the token is built. (The token's prefix up to the first '.' is the base64 encoding of the scheme.) That "JWT " at the front was noise that prevented the validation from working.

    So the fix was to change the token returned by the user controller from:

        res.send({ user: user, jwtToken: "JWT " + token });
    

    To the simpler:

        res.send({ user: user, jwtToken: token });
    

    Phew. Is it me, or is it really a bummer how inadequately these things are explained in so many node package docs??

    0 Discussion (0)
  • 2020-12-09 18:57

    I may be late but I had a similar problem, and I have another solution. You can use this options.jwtFromRequest = ExtractJwt.fromAuthHeaderWithScheme('JWT') to extract the JWT token from authentication header with the following format:

    Authorization: JWT JSON_WEB_TOKEN_STRING.....

    Here is the documentation I used: https://github.com/themikenicholson/passport-jwt

    Extracting the JWT from the request

    There are a number of ways the JWT may be included in a request. In order to remain as flexible as possible the JWT is parsed from the request by a user-supplied callback passed in as the jwtFromRequest parameter. This callback, from now on referred to as an extractor, accepts a request object as an argument and returns the encoded JWT string or null.

    Included extractors

    A number of extractor factory functions are provided in passport-jwt.ExtractJwt. These factory functions return a new extractor configured with the given parameters.

    fromHeader(header_name) creates a new extractor that looks for the JWT in the given http header
    fromBodyField(field_name) creates a new extractor that looks for the JWT in the given body field. You must have a body parser configured in order to use this method.
    fromUrlQueryParameter(param_name) creates a new extractor that looks for the JWT in the given URL query parameter.
    fromAuthHeaderWithScheme(auth_scheme) creates a new extractor that looks for the JWT in the authorization header, expecting the scheme to match auth_scheme.
    fromAuthHeaderAsBearerToken() creates a new extractor that looks for the JWT in the authorization header with the scheme 'bearer'
    fromExtractors([array of extractor functions]) creates a new extractor using an array of extractors provided. Each extractor is attempted in order until one returns a token.
    
    0 Discussion (0)
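A debugging check for the header/extractor mismatch both answers describe, as an added example that is not part of either answer or of passport-jwt. It is a simplified stand-in for a scheme-based extractor: `diagnoseAuthHeader`, its reason strings and the sample token are hypothetical names and constructed values, and it only inspects the shape of the header, it does not verify the signature.

```javascript
// Added example: a simplified stand-in for a scheme-based extractor check,
// not passport-jwt's own code. All names here are hypothetical.
const b64url = (obj) =>
  Buffer.from(JSON.stringify(obj)).toString('base64')
    .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');

// Constructed sample token; the signature segment is a placeholder, never verified.
const sampleToken =
  [b64url({ alg: 'HS256', typ: 'JWT' }), b64url({ sub: 'user-1' }), 'c2ln'].join('.');

function decodeSegment(seg) {
  const b64 = seg.replace(/-/g, '+').replace(/_/g, '/');
  return JSON.parse(Buffer.from(b64, 'base64').toString('utf8'));
}

// Reports what an extractor expecting `expectedScheme` would get from the header.
function diagnoseAuthHeader(headerValue, expectedScheme) {
  if (typeof headerValue !== 'string' || headerValue.trim() === '') {
    return { ok: false, reason: 'missing-header' };
  }
  const [scheme, ...rest] = headerValue.trim().split(/\s+/);
  if (rest.length === 0) return { ok: false, reason: 'no-scheme' };
  if (scheme.toLowerCase() !== expectedScheme.toLowerCase()) {
    return { ok: false, reason: 'scheme-mismatch' };
  }
  // "JWT JWT eyJ..." happens when the stored token already carries the prefix.
  if (rest.length !== 1) return { ok: false, reason: 'extra-token-parts' };
  const segments = rest[0].split('.');
  if (segments.length !== 3) return { ok: false, reason: 'not-three-segments' };
  try {
    const header = decodeSegment(segments[0]);
    if (!header || typeof header.alg !== 'string') throw new Error('no alg');
  } catch (e) {
    return { ok: false, reason: 'bad-jose-header' };
  }
  return { ok: true, reason: 'ok', token: rest[0] };
}

// Same token, four ways a client might send it.
for (const [value, scheme] of [
  ['JWT ' + sampleToken, 'JWT'],
  ['JWT ' + sampleToken, 'bearer'],
  ['Bearer JWT ' + sampleToken, 'bearer'],
  [sampleToken, 'JWT'],
]) {
  console.log(scheme, '<-', value.slice(0, 24) + '...', diagnoseAuthHeader(value, scheme).reason);
}
```

Logging the reason for a rejected request's `Authorization` value next to the scheme the configured extractor expects shows whether the client and the `jwtFromRequest` setting agree before looking at secrets or expiry.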