Stuck on an issue?

Lightrun Answers was designed to reduce the constant googling that comes with debugging 3rd party libraries. It collects links to all the places you might be looking at while hunting down a tough bug.

And, if you’re still stuck at the end, we’re happy to hop on a call to see how we can help out.

handle missing token and expired tokens in the custom function

See original GitHub issue

Hi,

I’m using passport-jwt to authenticate some endpoints that accept request both with and without a jwt token in the header.

Right now it looks like passport-jwt handles this by returning a 401 status code when there is no header/authorization in payload.

Would it be possible to handle such logic inside the custom function?

I was originally using my own middleware to handle this, but I couldn’t figure out how to modify the req.user object without express complaining about having only a getter on req.user.

Issue Analytics

State:
Created 8 years ago
Reactions:5
Comments:8 (1 by maintainers)

Top GitHub Comments

10reactions

oleecommented, Apr 12, 2016

I used the following middleware to handle at least the situation when mixed authorized and unauthorized access is desired.

    app.use((req, res, next) => {
        passport.authenticate('jwt', { session: false }, (error, user, info, status) => {
            if (user === false && info && info.message === 'No auth token') {
                // Just unauthorized - nothing serious, so continue normally
                return next();
            }
            return unauthenticatedError(res);
        })(req, res, next);
    });

And at some later point I use this custom middleware to protect all following routes

function isAuthenticatedMiddleware(req, res, next) {
    if (req.isAuthenticated())
        return next();
    res.statusCode = 401;
    res.json({
        message: http.STATUS_CODES[res.statusCode]
    });
};

0reactions

mikenicholsoncommented, Oct 31, 2016

I know this is an old issue, I think what you are looking for is the custom callback feature of passport. That is where you handle failed authentication, JWT parse errors, etc. See http://passportjs.org/docs#custom-callback

Your custom callback would have the signature:

function (err, user, info) { .... }

If a JWT parse error occurs or the JWT is not valid the user will be false and info will contain the error that jsonwebtoken provides explaining why validation of the JWT failed.