使用Express验证JWT令牌。

huangapple go评论68阅读模式
英文:

Validate a jwt token with express

问题

I've been getting a lot of errors saying

POST http://localhost:4000/api/payment/create-checkout-session 403 (Forbidden)

AxiosError {message: 'Request failed with status code 403', name: 'AxiosError', code: 'ERR_BAD_REQUEST', config: {...}, request: XMLHttpRequest, …}
code
: 
"ERR_BAD_REQUEST"
config
: 
"Request failed with status code 403"
name
: 
"AxiosError"
request 
{data: 'A token is required', status: 403, statusText: 'Forbidden', headers: Axios

I think it has something to do with my token validation, this is the file for token validation

const verifyToken = (req, res, next) => {
    const token = req.body.token || req.query.token || req.headers['Authorization'];
    console.log("Token: ", token);

    if (!token) {
      return res.status(403).send("A token is required");
    }

    try {
      const decoded = jwt.verify(token, process.env.JWT_SECRET);
      req.user = decoded;
      next();
    } catch (err) {
      return res.status(401).send("Invalid token, this is the error message:" + err);
    }
  };
  
  module.exports = verifyToken;

This is the file that is making the axios post request

const token = Cookies.get("token");
  console.log("token from catalog " + token)

  const checkout = () => {
    axios({
      method: "post",
      url: "http://localhost:4000/api/payment/create-checkout-session",
      headers: {
        'Content-Type': 'application/json',
        'Accept': 'application/json',
        "Authorization": "Bearer " + token,
      }
    }).then(response => {
      if (response.ok) return response.json();
      return response.json().then(json => Promise.reject(json))
    })
    .then(({ url }) => {
      window.location = url;
    })
    .catch(error => {
      console.log(error)
    })
  }

This is the Express file that the axios is posting to

require('./middleware')

router.post("/create-checkout-session", async (req, res) => {

  const { items } = req.body;

  // Create a PaymentIntent with the order amount and currency
  const paymentIntent = await stripe.paymentIntents.create({
    amount: calculateOrderAmount(items),
    currency: "usd",
    automatic_payment_methods: {
      enabled: true,
    },
  });

  res.send({
    clientSecret: paymentIntent.client_secret,
  });

})

module.exports = router;

Is there a better way to validate a token, or am I missing a header or something in my axios request?

英文:

Ive been getting a lot of errors saying

POST http://localhost:4000/api/payment/create-checkout-session 403 (Forbidden)

AxiosError {message: 'Request failed with status code 403', name: 'AxiosError', code: 'ERR_BAD_REQUEST', config: {…}, request: XMLHttpRequest, …}
code
: 
"ERR_BAD_REQUEST"
config
: 
"Request failed with status code 403"
name
: 
"AxiosError"
request 
{data: 'A token is required', status: 403, statusText: 'Forbidden', headers: Axios

I think it has something to do with my token validation, this is the file for token validation

const verifyToken = (req, res, next) => {
    const token = req.body.token || req.query.token || req.headers['Authorization'];
    console.log("Token: ", token);
  
    if (!token) {
      return res.status(403).send("A token is required");
    }
  
    try {
      const decoded = jwt.verify(token, process.env.JWT_SECRET);
      req.user = decoded;
      next();
    } catch (err) {
      return res.status(401).send("Invalid token, this is the error message:" + err);
    }
  };
  
  module.exports = verifyToken;

this is the file that is making the axios post request

const token = Cookies.get("token");
  console.log("token from catalog " + token)

  const checkout = () => {
    axios({
      method: "post",
      url: "http://localhost:4000/api/payment/create-checkout-session",
      headers: {
        'Content-Type': 'application/json',
        'Accept': 'application/json',
        "Authorization": "Bearer " + token,
      }
    }).then(response => {
      if (response.ok) return response.json();
      return response.json().then(json => Promise.reject(json))
    })
    .then(({ url }) => {
      window.location = url;
    })
    .catch(error => {
      console.log(error)
    })
  }

this is the express file that the axios is posting too

require('./middleware')




router.post("/create-checkout-session", async (req, res) => {

  const { items } = req.body;

  // Create a PaymentIntent with the order amount and currency
  const paymentIntent = await stripe.paymentIntents.create({
    amount: calculateOrderAmount(items),
    currency: "usd",
    automatic_payment_methods: {
      enabled: true,
    },
  });

  res.send({
    clientSecret: paymentIntent.client_secret,
  });

})

module.exports = router;

is there a better way to validate a toke, or am I missing a header or something in my axios request?

答案1

得分: 1

我认为你的验证是正确的,不需要深入研究你的代码。

你之所以得到403错误是因为没有Authorization头部信息。我假设你正在使用express。尽管你指定了头部是Authorization,但在express中要访问请求头部,你需要查找req.headers.authorization,其中a是小写。

我运行了一个简单的应用程序:

import express from "express";

const app = express();

app.listen(3000, () => {
  console.log("hi there 3000");
});

app.post("/auth", (req, res) => {
  console.log(req.headers);
  res.status(200).send(req.headers);
});

然后使用curl进行了以下操作:➜ curl --header "Authorization: Bearer something" -I -X POST http://localhost:3000/auth

req.headers的输出如下:

{
  host: 'localhost:3000',
  'user-agent': 'curl/7.79.1',
  accept: '*/*',
  authorization: 'Bearer something'
}

如果有帮助,请告诉我。

英文:

Without digging too much into your code I think that your validation is fine.

You are getting the 403 because there is no Authorization header. I am going to assume that you are using express. Even though you specified that the header is Authorization with a capital A, in express to access that request header you have to look for req.headers.authorization with a lower-cased a.

I ran a simple app:

import express from "express";

const app = express();

app.listen(3000, () => {
  console.log("hi there 3000");
});

app.post("/auth", (req, res) => {
  console.log(req.headers);
  res.status(200).send(req.headers);
});

Then curled the following: ➜ curl --header "Authorization: Bearer something" -I -X POST http://localhost:3000/auth

The req.headers is as follows:

{
  host: 'localhost:3000',
  'user-agent': 'curl/7.79.1',
  accept: '*/*',
  authorization: 'Bearer something'
}

Let me know if this helps.

huangapple
  • 本文由 发表于 2023年6月16日 06:07:52
  • 转载请务必保留本文链接:https://go.coder-hub.com/76485807.html
匿名

发表评论

匿名网友

:?: :razz: :sad: :evil: :!: :smile: :oops: :grin: :eek: :shock: :???: :cool: :lol: :mad: :twisted: :roll: :wink: :idea: :arrow: :neutral: :cry: :mrgreen:

确定