2

I'm using PostMan to troubleshoot an odd 400 error with my Angular / NodeJS app.

I'm trying to GET https://example.com/login.html and the request has two headers:

Authorization: Bearer eyJ0eXAiOiJKV1QiLCJhbGc...== and Accept: text/html

This returns a 400 Bad Request error (server: cloudflare-nginx)

This works fine (returns 200) if:

  • I access the file in my local environment on http://localhost:5000/login.html (no https factor?) -or-

  • I remove Authorization: Bearer from the header

If I watch my NodeJS server logs, I don't even see the request come through. So /login.html doesn't even get hit, I assume because Express is rejecting it before my app.use(logger('dev')); picks it up.

UPDATE: I believe Cloudflare is kicking it back with 400 prior to the request ever reaching Heroku.

A few more points:

  • I am using JWT to authenticate users, which is where the Bearer token comes from.

  • If I access other endpoints, such as /profile with the Bearer token, it responds properly with the user profile from decoding the token.

My question is:

  • Why would this request be a "Bad Request" when it works on other endpoints?

  • Is there a way to catch this and do something with the request before it's returned as 400?

James Gentes
  • 7,528
  • 7
  • 44
  • 64

2 Answers2

6

As it turns out, the issue was related to my implementation of JWT. For some reason, one user continued to receive a token that caused these 400 errors, even though the token was verified as valid using JWT.io.

I made two significant changes that fixed the issue:

  1. I was embedding the full user profile (long JSON) in the token payload. I reduced it to just their userid, both for performance reasons (far smaller size) and just in case something in the complex payload was causing the issue.

  2. I switched from JWT-Simple to jsonwebtoken in my node implementation.

I'm just glad that worked. My next step was to switch from 'Authorization' to 'x-encoded-auth' or some other custom name.

James Gentes
  • 7,528
  • 7
  • 44
  • 64
  • any documentation from cloudflare on this? – Simon_Weaver Dec 01 '16 at 01:05
  • i think im having some SSL issue that is breaking the authentication. When I access without SSL it is working - so hoping the size of the user profile isn't the problem – Simon_Weaver Dec 01 '16 at 05:42
  • @Simon_Weaver have you tried switching to JWT-Simple? – James Gentes Dec 01 '16 at 05:51
  • Already spent enough time this weekend figuring out identityserver and refresh tokens and angular2. Hoping I can figure out the problem now it appears to be SSL related – Simon_Weaver Dec 01 '16 at 06:14
  • I've been seeing this issue recently, with a Bearer token that was particularly big - about 3k. I need to see if I can utilize your suggestions. Thank you very much for posting your answer! – cs94njw Sep 30 '19 at 15:59
  • 1
    It turns out some colleagues have seen this problem before. This was their suggestion on how to solve: "Node express has certain limits by default on request payload size and exceeding these limits for certain users in your case and causing an issue. You can override these default limits in your node express API as below: `this.express.use(bodyParser.json({ limit: ‘50mb’ }));` `this.express.use(bodyParser.urlencoded({ limit: ‘50mb’, extended: true, parameterLimit: 50000 }));` " – cs94njw Oct 01 '19 at 08:12
0

@James, I don't have enough reputation to post a comment on your answer, but I thought it would be helpful to others struggling with this issue to state that your suggestion to reduce the complexity/size of the signed user indeed resulted in resolving similar issues I was experiencing. This was on my list of performance optimizations anyway - but it didn't occur to me that it could be a cause for error in this scenario - so you deserve the credit... thanks!

For readers - there are some useful links in this SO thread about max size for tokens: What is the maximum size of JWT token?

And this is a tool I use to check the validity of a generated tokens... https://www.base64decode.org/

Hope this justifies the upgrade from comment to answer!

Community
  • 1
  • 1
user2270872
  • 11
  • 1