Javascript 无效的JWT令牌导致500内部服务器错误
在服务器启动之前,所有插件等都已注册。我创建了我的策略,并将JWT设置为服务器的默认身份验证方法Javascript 无效的JWT令牌导致500内部服务器错误,javascript,node.js,jwt,hapijs,Javascript,Node.js,Jwt,Hapijs,在服务器启动之前,所有插件等都已注册。我创建了我的策略,并将JWT设置为服务器的默认身份验证方法 await server.register(require('hapi-auth-jwt2')); await server.register(require('~/utils/jwt-key-signer')); server.auth.strategy( 'jwt', 'jwt', { key: process.env.API_KEY, validate:
await server.register(require('hapi-auth-jwt2'));
await server.register(require('~/utils/jwt-key-signer'));
server.auth.strategy(
'jwt', 'jwt',
{ key: process.env.API_KEY,
validate: true, // Temporarily using true
verifyOptions: { algorithms: [ 'HS256' ] }
});
server.auth.default('jwt');
这是我的路线。我将有效负载从处理程序请求传递到一个插件,该插件对我的密钥进行签名并返回一个令牌:
'use strict';
const Boom = require('boom');
exports.plugin = {
name: 'user-create',
register: (server, options) => {
server.route({
method: 'POST',
path: '/user/create',
options: { auth: 'jwt' },
handler: async (request, h) => {
const { payload } = await request;
const { JWTKeySigner } = await server.plugins;
const token = await JWTKeySigner.signKeyReturnToken(payload);
const cookie_options = {
ttl: 365 * 24 * 60 * 60 * 1000, // expires a year from today
encoding: 'none', // we already used JWT to encode
isSecure: true, // warm & fuzzy feelings
isHttpOnly: true, // prevent client alteration
clearInvalid: false, // remove invalid cookies
strictHeader: true // don't allow violations of RFC 6265
}
return h.response({text: 'You have been authenticated!'}).header("Authorization", token).state("token", token, cookie_options);
},
options: {
description: 'Creates a user with an email and password',
notes: 'Returns created user',
tags: ['api']
}
});
}
};
以下是我如何签署我的钥匙:
const jwt = require('jsonwebtoken');
exports.plugin = {
name: 'JWTKeySigner',
register: (server, options) => {
server.expose('signKeyReturnToken', async (payload) => {
jwt.sign(payload, process.env.API_KEY, { algorithm: 'HS256' }, async (err, token) => {
if (err) {
console.log(err)
}
await console.log(`TOKEN${token}`);
return token;
});
})
}
};
然后,我从邮递员处访问我的路线,然后将包含电子邮件地址和密码的用户作为JSON传递回该轮,这是我得到的响应:
{
"statusCode": 401,
"error": "Unauthorized",
"message": "Missing authentication"
}
好的,这证明我的路线被成功保护了。我现在开始将我的代币添加到邮递员中:
然后我得到这个错误:
{
"statusCode": 500,
"error": "Internal Server Error",
"message": "An internal server error occurred"
}
如果我从邮递员那里移除代币,我会得到“未授权”错误
我所要做的就是阻止外界访问我的API,只允许有权限的人访问它。这将是注册的普通用户
当我将令牌粘贴到JWT.io中时,我可以在页面的右侧看到我的数据,但JWT告诉我这是一个无效的签名
我真的希望这里能澄清一下。我用的是hapi-auth-jwt2
提前感谢嗯,我正在给你写另一条消息,但是我检查了hapi-auth-jwt2文档中的验证选项,它说
validate - (required) the function which is run once the Token has been decoded with signature
async function(decoded, request, h) where:
decoded - (required) is the decoded and verified JWT received in the request
request - (required) is the original request received from the client
h - (required) the response toolkit.
Returns an object { isValid, credentials, response } where:
isValid - true if the JWT was valid, otherwise false.
credentials - (optional) alternative credentials to be set instead of decoded.
response - (optional) If provided will be used immediately as a takeover response.
试试看
server.auth.strategy(
'jwt', 'jwt',
{ key: process.env.API_KEY,
validate: validate: () => ({isValid: true}), // Temporarily using true
verifyOptions: { algorithms: [ 'HS256' ] }
});
然后让我们看看500错误是否继续
也许代码中有其他东西会抛出错误。您是否在服务器设置上启用了调试?您应该在服务器控制台中看到该500错误的详细信息。500内部错误通常与日志中的错误成对出现,是否存在错误?我打开了调试,并跟踪问题,直到验证方法不存在。我假设我可以传入“true”,然后下次编写验证方法。我错了。嗨,我发现这就是问题所在,但忘了添加我的答案。所以是的,验证方法不能被排除。