0

I'm trying to authenticate a user. I can create a user and get the bearer, but after that I added this code to authenticate and it keeps showing the following error once every few seconds:

UnauthorizedError: invalid algorithm
    at /mnt/c/Projects/myProject/node_modules/express-jwt/lib/index.js:105:22
    at /mnt/c/Projects/myProject/node_modules/jsonwebtoken/verify.js:121:14
    at getSecret (/mnt/c/Projects/myProject/node_modules/jsonwebtoken/verify.js:90:14)
    at Object.module.exports [as verify] (/mnt/c/Projects/myProject/node_modules/jsonwebtoken/verify.js:94:10)
    at verifyToken (/mnt/c/Projects/myProject/node_modules/express-jwt/lib/index.js:103:13)
    at fn (/mnt/c/Projects/myProject/node_modules/async/lib/async.js:746:34)
    at /mnt/c/Projects/myProject/node_modules/async/lib/async.js:1213:16
    at /mnt/c/Projects/myProject/node_modules/async/lib/async.js:166:37
    at /mnt/c/Projects/myProject/node_modules/async/lib/async.js:706:43
    at /mnt/c/Projects/myProject/node_modules/async/lib/async.js:167:37

The code:

const express = require("express");
const { ApolloServer } = require("apollo-server-express");
const jwt = require("express-jwt");
const typeDefs = require("./settings/schema");
const resolvers = require("./settings/resolvers");
const JWT_SECRET = require("./settings/constants");

const app = express();

// express-jwt middleware: verifies the Bearer token and sets req.user.
// Only algorithms listed here are accepted; a token signed with any other
// algorithm is rejected with "invalid algorithm".
const auth = jwt({
    secret: JWT_SECRET,
    credentialsRequired: false,
    algorithms: ['RS256'],
});

app.use(auth);

const server = new ApolloServer({
    typeDefs,
    resolvers,
    playground: {
        endpoint: "/graphql",
    },
    context: ({ req }) => {
        // Note: the "user" header is client-supplied, so it is not an
        // authenticated identity; req.user comes from the verified token.
        const user = req.headers.user
            ? JSON.parse(req.headers.user)
            : req.user
            ? req.user
            : null;
        return { user };
    },
});

server.applyMiddleware({ app });

const PORT = process.env.PORT || 3000;
app.listen(PORT, () => {
    console.log("The server started on port " + PORT);
});

I can't figure out why 'RS256' is not a valid algorithm. Do I need to require something else? Do I need different algorithms for different tasks?

constants.js contains the following:

const JWT_SECRET = "sdlkfoish23@#$dfdsknj23SD";

module.exports = JWT_SECRET;

Thanks

EDIT:

I'm not using Auth0, OAuth or any other service; I want to authenticate users on my own here.

I'm registering a key when a new user is added to the DB (postgres) through the GraphQL API:

mutation {
  register(login: "john", password: "doe")
}

answers with:

{
  "data": {
    "register": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpZCI6NiwibG9naW4iOiJqb2VsIiwiaWF0IjoxNjE0NDM0NzMwLCJleHAiOjE2MTQ0MzQ5MTB9.ALltmClvlzxDJJ2FgZcFzstDUP5CY1xRzs8yQwheEn8"
  }
}

then I use this bearer like that:

// Headers
{
  "Authorization": "Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpZCI6NiwibG9naW4iOiJqb2VsIiwiaWF0IjoxNjE0NDM0NzMwLCJleHAiOjE2MTQ0MzQ5MTB9.ALltmClvlzxDJJ2FgZcFzstDUP5CY1xRzs8yQwheEn8"
}

// Query
query {
  current {
    id,
    login
  }
}

I'm receiving this answer (also don't know why):

{
  "error": "Unexpected token < in JSON at position 0"
}

And the error at the top of this post appears on the terminal.

JoelBonetR
  • I don't know if this causes the error message, but when you use an algorithm like RS256 (which is a valid choice), you can't just work with a random "JWT_SECRET"; you need a proper key pair, the private key for signing and the public key for verification. – jps Feb 27 '21 at 17:37
  • No clue at all where to put the public key. I'm already generating a bearer through the register, so it must be the public key and the JWT_SECRET must be the private key, isn't it? I'll check the express-jwt docs to see if they bring some light. – JoelBonetR Feb 27 '21 at 18:25
  • RS256 has a special format. In this [Q/A](https://stackoverflow.com/questions/53123467/cannot-verify-jwt-with-rs256-invalid-algorithm) you see an example of how it looks with a private/public key pair. You can use an [online generator](https://travistidwell.com/jsencrypt/demo/) to create a key pair. – jps Feb 27 '21 at 18:32
  • I'll try it, thanks. – JoelBonetR Feb 27 '21 at 18:34
  • If I change the algorithms to add 'HS256' it works well; it's the RS256 which is not working and I still don't know why (I searched the docs and so on but....). – JoelBonetR Feb 28 '21 at 11:25

1 Answer

0

For a bearer token with JWT_SECRET, use the HS256 algorithm. The RS256 algorithm requires a public key and private key pair.

The following code snippet works:

const auth = jwt({
    secret: JWT_SECRET,          // shared secret, used for both signing and verifying
    credentialsRequired: false,
    algorithms: ['HS256']        // HMAC-SHA256 matches the "alg" of the issued token
});
Tyler2P
Orukele