expressjwt middleware shouldn't throw error if credentialsRequired is falsed

Question

expressjwt middleware shouldn't throw error if credentialsRequired is falsed

phatify opened this issue 2 years ago · comments

Description

The default behavior shouldn't throw an error if the token is invalid in credentialsRequired: false optional

Reproduction

return [
    expressJwt({
        secret: secretKey,
        algorithms: ['HS256'],
        requestProperty: 'user_data',
        credentialsRequired: false,
        getToken: authToken,
    }),
    (err, req, res, next) => {
        if (err && err.name === 'UnauthorizedError') {    // err wouldn't throw here because it no necessary
            return res.status(401).send('Wrong authentication token!')
        }
        next(err);
    },
];

Environment

Please provide the following:

Version of this library used: latest version
Version of the platform or framework used, if applicable: ExpressJS latest
Other relevant versions (language, server software, OS, browser): Chrome Latest Version
Other modules/plugins/libraries that might be involved: undefined

Michele Dalle Rive · Answer 1 · Tue Dec 27 2022 06:24:06 GMT+0800 (China Standard Time)

The problem with your code is that credentialsRequired: true goes to the next middleware if there is no token, not if the token verification fails: if there is a token that is invalid, the verification will happen anyways.
I think this behaviour is intended, since in the README the author says:

credentialsRequired?: boolean (optional): If its false, continue to the next middleware if the request does not contain a token instead of failing, defaults to true.

I am not sure if this behaviour should be changed or not.

Jiang · Answer 2 · Tue Dec 27 2022 16:31:47 GMT+0800 (China Standard Time)

credentialsRequired

@micheledallerive Sure, maybe I should do next(new ErrorInstance(401, Wrong authentication token!)) instead of return res.status(401).send('Wrong authentication token!') because the error will be forwarded to the error middleware for final handle.

Michele Dalle Rive · Answer 3 · Tue Dec 27 2022 16:49:34 GMT+0800 (China Standard Time)

credentialsRequired

@micheledallerive Sure, maybe I should do next(new ErrorInstance(401, Wrong authentication token!)) instead of return res.status(401).send('Wrong authentication token!') because the error will be forwarded to the error middleware for final handle.

I still don't get why you are using the middleware if you don't want the authentication to be handled.
Could you provide more details on where you use that middleware?

Jiang · Answer 4 · Tue Dec 27 2022 18:42:15 GMT+0800 (China Standard Time)

@micheledallerive In some case, you want to get the payload in the request object with requestPropertyto check logged in status of user (example: verify you are author of the public post regardless of whether you are logged in or not). So in that case, I need to disable credentialsRequired flag but still working with user_data in requestProperty.
the error exception in this middleware is not really necessary.

    (err, req, res, next) => {
        // the err variable should be null or undefined when enabling credentialsRequired flag
        next(err);
    },

I am using middleware to test whether err exist or not in case: credentialsRequired: false

Do you know what I mean?

José F. Romaniello · Answer 5 · Wed Dec 28 2022 01:49:53 GMT+0800 (China Standard Time)

Do you have another layer of reverse proxy or api gateway doing the actual validarion of the token?
In that case please do not use this middleware, it is not intended for the solely purpose of base64 decoding.. you could build a much simpler one, even use the jwt-decode module