UnauthorizedError: No authorization token was found – despite valid token

Question

UnauthorizedError: No authorization token was found – despite valid token

axhl opened this issue 3 years ago · comments

express-jwt refuses to parse a valid token, and I cannot for the life of me understand why :

Reproduction

The following client-side code uses graphql-ws to include a token in a request via Relay:

const subscriptionsClient = createClient({
      url: process.env.REACT_APP_GRAPHQL_API || "string",
      retryAttempts: 10,
      connectionParams: () => {
	      return {
		      headers: {
			      "Content-Type": "application/json",
			      authorization: token ? `Bearer ${token}` : "auth-header not defined",
		      },
	      };
      },
});

The token is visible in the network requests when there is an open express-server on the other end.

On the server-side, the request is then parsed as follows:

var jwtCheck = jwt({
	secret: jwksRsa.expressJwtSecret({
		cache: false,
		rateLimit: true,
		jwksRequestsPerMinute: 5,
		jwksUri: "CORRECT",
	}),
	audience: "CORRECT",
	issuer: "CORRECT",
	algorithms: ["RS256"],

app.use("/graphql", jwtCheck);

});

This renders a UnauthorizedError: No authorization token was found error message.

Grateful for any community input

relevant dependencies

"dependencies": {
	"express": "^4.17.1",
	"express-jwt": "^6.1.0",
	"jwks-rsa": "^2.0.5"}

Adam Mcgrath · Answer 1 · Fri Oct 29 2021 20:10:48 GMT+0800 (China Standard Time)

👋 @axhl

You don't need to provide a custom getToken option to express-jwt (your custom implementation is wrong, it needs to split out the bearer string from the authorization header).

For your reference, the default implementation is here https://github.com/auth0/express-jwt/blob/master/lib/index.js#L58-L74

axhl · Answer 2 · Fri Oct 29 2021 20:36:37 GMT+0800 (China Standard Time)

@adamjmcgrath many thanks for replying so far. Unfortunately I made a mistake when pasting the code:

getToken: function (req) {
		if (req.headers.authorization) return req.headers.authorization;
	},

has already been removed and the error persists. (I've updated the code above to reflect that for later arrivals to the thread). Any thoughts what could be up apart from the getToken?

Adam Mcgrath · Answer 3 · Fri Oct 29 2021 21:06:49 GMT+0800 (China Standard Time)

Hi @axhl - can't see anything wrong with your code.

Happy to debug a sample project if you can share a minimal reproduction of the issue

axhl · Answer 4 · Fri Oct 29 2021 22:08:49 GMT+0800 (China Standard Time)

Hi @axhl - can't see anything wrong with your code.

Happy to debug a sample project if you can share a minimal reproduction of the issue

Huge thanks @adamjmcgrath for offering to be so generous with your time. I think I've made progress:

As graphql-ws runs all its connections via websocket, the server's middleware for the incoming client request needs to wrap thews:// / wss:// endpoints and have access to the socket equivalent of the http req object; app.use won't work. So if I can figure out how to use postgraphile's websocketMiddlewares option correctly, it should work.

Any thoughts on how to best wrap wrap sockets with jwt-verification?

Adam Mcgrath · Answer 5 · Fri Oct 29 2021 22:16:51 GMT+0800 (China Standard Time)

@axhl - no problem

It doesn't sound like you need express-jwt for that.

Any thoughts on how to best wrap wrap sockets with jwt-verification?

I'm not sure about graph-ql specifically, but this looks like the sort of thing I'd do for authenticating Web Sockets with JWTs https://gist.github.com/jfromaniello/8418116