Verify a JWT token string, containing 'Bearer ' with NodeJS

Question

I send a header in a recommended form Authorization: Bearer <token>.

As it looks, token string, which is 'Bearer <token>', is not a token, but needs the 'Bearer ' substring to be removed first to get the token string itself.

I wonder, if it's a regular practice to remove it manually from code, like this:

const token = authHeaderValue.replace('Bearer ', '')

before decoding and verifying it?

Why do I need this 'Bearer ' string in my custom application?

refer to this: http://security.stackexchange.com/a/120244 – Abhyudit Jain Oct 12 '16 at 08:36 — Abhyudit Jain, Oct 12 '16 at 08:36

score 23 · Answer 1 · edited Nov 15 '20 at 08:23

I use this technique.

// Header names in Express are auto-converted to lowercase
let token = req.headers['x-access-token'] || req.headers['authorization']; 

// Remove Bearer from string
token = token.replace(/^Bearer\s+/, "");

if (token) {
  jwt.verify(token, config.secret, (err, decoded) => {
    if (err) {
      return res.json({
        success: false,
        message: 'Token is not valid'
      });
    }
    req.decoded = decoded;
    next();
  });
} else {
  return res.json({
    success: false,
    message: 'Token not provided'
  });
}

Here we are stripping off any Bearer string in front of JWT, using a regular expression. If any whitespace is included, it is stripped too.

score 14 · Accepted Answer · edited Oct 07 '21 at 07:59

The value Bearer in the HTTP Authorization header indicates the authentication scheme, just like Basic and Digest. It's defined in the RFC 6750.

An application can support multiple authentication schemes, so it's always recommended to check the authentication schema first.

In a token based authentication, first ensure that the Authorization header contains the Bearer string followed by a space. If not, refuse the request. If Bearer followed by a space has been found, extract the token that must be just after the space character.

See this answer for further details on the Bearer authentication scheme.

score 0 · Answer 3 · edited Oct 07 '21 at 13:39

0

Authentication header request have a format defined in IETF.

i.e. Authentication :

Type consists of following: Bearer, error_code, error_description.

We can send several types at once by delimiting it by ',' character.

Bearer is an Authentication access type.

Reference: https://www.rfc-editor.org/rfc/rfc6750#page-14

edited Oct 07 '21 at 13:39

Community

1
1

answered Oct 12 '16 at 08:46

Manish Singh

518
3
13

score 0 · Answer 4 · answered May 25 '21 at 11:44

i use split function to extract token

const bearerHeader = req.headers['authorization'];
if(! bearerHeader ){
    return res.sendStatus(403);
}
else
{
    const bearerToken = bearerHeader.split(' ')[1];
    let data = await jwt.verify(bearerToken,secretkey);
}

Rehan Goraya · Answer 5 · 2022-04-30T20:32:21.337

const bearerToken = token.split(' ')[1];

Here is the solution. And it will fix your issue. You just need to split function. And in code given below, i show you when to use split function for a specific token.

Cheers!

verifyToken = (req, res, next) => { res.header( "Access-Control-Allow-Headers", "*" ); let token = req.headers["authorization"];

  if (!token) {
    return res.status(403).send({ message: "No token provided!" });
  }
  
  **const bearerToken = token.split(' ')[1];**  Here is the solution. And it will fix your issue. You just need to split function.   

  jwt.verify(bearerToken, config.secret, (err, decoded) => {
    if (err) {
      return res.status(401).send({ message: "Unauthorized Token!" });
    }
    req.userId = decoded.id;
    req.token = token;
    next();
  });
};

Verify a JWT token string, containing 'Bearer ' with NodeJS

5 Answers5