Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

failWithError option missing #215

Open
tobikl1 opened this issue Jul 31, 2020 · 6 comments
Open

failWithError option missing #215

tobikl1 opened this issue Jul 31, 2020 · 6 comments

Comments

@tobikl1
Copy link

tobikl1 commented Jul 31, 2020

I'd like to return a custom json response when authentication fails instead of the plain 'Unauthorized' Text response. In the local strategy for this we can provide a failWithError option to the strategy, which causes the error to be forwared to the express error handling middleware.

Can we provide something like this to this strategy as well? When token is expired, an invalid token was provided or any other error i would like to return a more specific error message.

I might throw an error in the validate callback. When providing 'ignoreExpiration' i could then check the payload.exp in there manually to throw a custom error, but this does not handle tokens invalid for some other reason.

it prevents me from returning json consistently in a rest api.
@mod3x
Copy link

mod3x commented Aug 3, 2020

just subscribed. need that feature too

@yeasir01
Copy link

yeasir01 commented Sep 7, 2020

I Agree!

@vanhumbeecka
Copy link

Related: nestjs/passport#394

@emdemir
Copy link

emdemir commented Feb 27, 2021

My pull request #224 makes passport-jwt respect this setting. Hopefully it gets merged soon.

@noinkling
Copy link

noinkling commented Feb 3, 2022
edited
Loading

It works here. Example app:

const express = require('express')
const passport = require('passport')
const { Strategy: JwtStrategy, ExtractJwt } = require('passport-jwt')

const app = express()

passport.use(new JwtStrategy(
  { secretOrKey: 'secret', jwtFromRequest: ExtractJwt.fromUrlQueryParameter('token') },
  (payload, done) => {
    console.log('Verify callback hit')
    // Always fail authentication:
    done(null, false)
  }
))

app.get('/protected',
  passport.authenticate('jwt', { failWithError: true }),
  (req, res) => res.send('Authenticated')
)

app.use((err, req, res, next) => {
  res.send('Error middleware hit')
  console.error(err)
})

app.listen(3000)

Sending a request to http://localhost:3000/protected?token=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJmb28iOiJiYXIifQ.dtxWM6MIcgoeMgH87tGvsNDY6cHWL6MGW4LeYvnm1JA results in response body of "Error middleware hit". Terminal:

Verify callback hit
AuthenticationError: Unauthorized
...

Same with a request to http://localhost:3000/protected?token=invalidtoken, except "Verify callback hit" isn't logged.

What you might be getting confused with is the fact that even when failWithError is used, Passport still sets the response status to 401 by default. See here.

Otherwise could you provide a reproduction of what you're experiencing and what you expect?

@Romstar
Copy link

Romstar commented Jul 22, 2023
edited
Loading

@noinkling

this is for when the JWT is valid, if the JWT is invalid or expired then your callback won't be hit. The issue he created is he wants to be able to perform some sort of side effect whenever the JWT is invalid such as making a DB call or modifying the response, currently that isn't doable AFAIK.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
7 participants
@Romstar @noinkling @vanhumbeecka @mod3x @tobikl1 @emdemir @yeasir01