How do I resolve this 401 error when trying to access a refresh token route on my MERN app? Passport JWT Local


I'm getting a 401 "Unauthorized" error when trying to fetch a refresh token from the backend in my MERN stack app that I'm building. Here on SO, I found a post where someone said they solved this by using the ExtractJwt method fromAuthHeaderWithScheme("Bearer"), but I tried that and it didn't work. I was using the fromAuthHeaderAsBearerToken() method earlier, so I also tried both by doing

opts.jwtFromRequest = ExtractJwt.fromAuthHeaderWithScheme("Bearer") &&
  ExtractJwt.fromAuthHeaderAsBearerToken();

But this didn't work either. I don't know what else to try.

Here's my full code on GitHub.

I was getting a 404 "Not Found" error before too, so I added the full URL on the fetch request to the /refreshToken route. I don't have to do that for any other route. How can I get it to where I can do just "/api/users/refreshToken" like I do with other routes without getting that error? What problems do I have in my proxy setup (I assume it's a proxy issue, since I shouldn't get a 404 error otherwise)?

Answer 1

Score: 0


I resolved the problem.

First, the "jwt" or "bearer" (case doesn't matter) prefix on the value for the token property in the server's response to the client interferes with that in the Authorization header the client has to send back with the token. Someone on here told me to include it, but I had to change it back because of this.

I also had to prematurely deploy the app because httpOnly cookies have to be secure if sameSite is "none", and for secure cookies you have to deploy the app such that it also gets a valid TLS/SSL cert; localhost didn't work for me though, so I had to do an actual deploy. I hope this helps someone else facing a similar issue: don't try to put in SSL/TLS certs for localhost, since it's too hard or may even be impossible now.
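A short Node script, added here as an illustration and not the poster's code, showing why a "jwt"/"bearer" prefix on the token value ends in a 401 and which cookie flags the sameSite/secure point above requires. extractBearer re-implements the header parsing that passport-jwt's fromAuthHeaderAsBearerToken does (split on whitespace, case-insensitive scheme match) as a stand-in for the real library; the sample token string and the cookie path are assumed.

```javascript
// Added example (not the poster's code). extractBearer is a simplified
// stand-in for passport-jwt's Bearer extractor, not the library itself.
const AUTH_HEADER_RE = /(\S+)\s+(\S+)/;

// Returns the credential part of an Authorization header, or null when the
// header is missing or its scheme is not the expected one (passport-jwt
// then rejects the request with 401).
function extractBearer(headers, scheme = 'bearer') {
  const value = headers['authorization'];
  if (typeof value !== 'string') return null;
  const m = value.match(AUTH_HEADER_RE);
  if (!m) return null;
  const [, headerScheme, credentials] = m;
  return headerScheme.toLowerCase() === scheme.toLowerCase() ? credentials : null;
}

// What the client does with the "token" property it received from the server.
function buildAuthHeader(tokenFromServer) {
  return { authorization: `Bearer ${tokenFromServer}` };
}

// Constructed JWT-shaped string for the demo; not a real signed token.
const SAMPLE_JWT = 'eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiIxMjMifQ.c2ln';

// Bare token from the server: the extractor recovers it intact.
// "jwt <token>" from the server: the client sends "Bearer jwt <token>",
// the parser takes "jwt" as the credential, signature check fails -> 401.
function tokenSeenByServer(tokenFromServer) {
  return extractBearer(buildAuthHeader(tokenFromServer));
}

// Cookie options for the refresh token. Browsers only accept sameSite 'none'
// together with the Secure flag, which in turn needs an HTTPS origin.
function refreshCookieOptions({ crossSite, https }) {
  if (crossSite && !https) {
    throw new Error('sameSite "none" requires secure cookies, i.e. HTTPS');
  }
  return {
    httpOnly: true,
    secure: https,
    sameSite: crossSite ? 'none' : 'lax',
    path: '/api/users/refreshToken', // assumed, taken from the question's route
  };
}
```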

huangapple
  • Posted by huangapple on 2023-06-19 08:28:22
  • When reposting, please keep the link to this article: https://go.coder-hub.com/76503000.html