47

I started learning Node.js and I am stuck somewhere in the middle. I installed a new library from npm, express-jwt, and it is showing some kind of error after running. I have attached the code and the error logs; please help me out!

const jwt = require('jsonwebtoken');
require('dotenv').config();
const expressJwt = require('express-jwt');
const User = require('../models/user');

exports.requireSignin = expressJwt({ secret: process.env.JWT_SECRET });

Below are the logs of the error.

[nodemon] starting `node app.js`
D:\shubh\proj\Nodejs\nodeapi\node_modules\express-jwt\lib\index.js:22
  if (!options.algorithms) throw new Error('algorithms should be set');
                           ^

**Error: algorithms should be set**
    at module.exports (D:\shubh\proj\Nodejs\nodeapi\node_modules\express-jwt\lib\index.js:22:34)
    at Object.<anonymous> (D:\shubh\proj\Nodejs\nodeapi\controllers\auth.js:64:26)
    at Module._compile (internal/modules/cjs/loader.js:1138:30)
    at Object.Module._extensions..js (internal/modules/cjs/loader.js:1158:10)
 
Shubham gupta

  • For those wondering... The old default was apparently ['HS256']. I changed some legacy code to that as per Igor's answer and it worked without breaking anything. YMMV – m12lrpv Jan 28 '22 at 22:16

7 Answers

92

You should add the algorithms property to the jwt constructor.

Example:

expressJwt({ secret:  process.env.JWT_SECRET, algorithms: ['RS256'] });
Tugay İlik

  • Hey, thanks, but can you tell me how we decide which algorithm to choose? – Shubham gupta Jun 30 '20 at 21:20
  • It depends on the purpose: if you want to use it for sessions, you can use the HSXXX types. If you want to use it for cross-application authentication (like OAuth) etc., you can prefer the RSXXX types. RS types are digital signatures, HS types are not. – Tugay İlik Jul 01 '20 at 06:06
  • @Shubhamgupta I would recommend you read this to better understand the difference between the two algorithms: https://stackoverflow.com/a/39239395/12404524 – Aniruddha Aug 13 '20 at 00:37
30

The issue is caused by changes in version 6.0.0. The documentation has also been updated recently; it says:

The algorithms parameter is required to prevent potential downgrade attacks when providing third party libraries as secrets.

So specifying the algorithms property is now mandatory, like so:

expressJwt({
  secret: 'secret',
  algorithms: ['HS256']
})
Igor Rybak

  • Thanks for this — I was seeing in the docs that `HS256` was the default algo, so I was confused as to why I needed to specify it. Turns out the docs on npm haven't been updated yet. – Bryan Downing Jul 08 '20 at 18:42
  • Thank you. I was searching for the default algo. – katsos Jul 13 '20 at 10:37
4

If the above algorithms: ['RS256'] does not work, try algorithms: ['HS256'].

1

If you are facing this error you might be using the new version of 'express-jwt'. Downgrade to version ^5.3.3 to solve this.

Atabic Umer

  • Downgrading should always be the last solution. – StPaulis Aug 07 '20 at 14:19
  • Non-breaking changes and/or proper documentation about managing the transition in a non-breaking way should be the first solution for the people managing the package. – m12lrpv Jan 28 '22 at 21:28
1
exports.requireSignin = expressJwt({
  secret: process.env.JWT_SECRET,
  algorithms: YOU CHOOSE ALGORITHM
});

For more details visit: https://www.npmjs.com/package/express-jwt

jwt({ secret: new Buffer('shhhhhhared-secret', 'base64') })
Kristian
1

For those wondering what algorithm is used to generate their tokens:

A JWT is made of 3 parts separated with a dot '.':

<header>.<payload>.<signature>

The header (and payload) is just a Base64-encoded JSON object, and the header holds the name of the hashing algorithm.

For example, with that token:

eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJtZXNzYWdlIjoiaGkgc3RhY2tvdmVyZmxvdyJ9.01jBDw7uUgCr8cRMEQt4KJxfL6QLkt0ZuHly2AxdXZY

you could use atob() in the JavaScript console of your browser to decode the header:

atob('eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9')
// → "{\"alg\":\"HS256\",\"typ\":\"JWT\"}"

Here HS256 was used.

arpicode

  • This does not answer the question asked. If you are attempting to provide more context to an already provided answer, maybe that would be better handled as a comment? – Samudra May 04 '21 at 00:37
0

I had to face the same error, and after I mentioned the algorithm in the express-jwt initialization, the error was gone.

Example Code:

exports.requireSignin = expressJwt({
  secret: process.env.jwtSecret,
  userProperty: "auth",
  algorithms: ["RS256"],
});