Comments (5)
adamjmcgrath
commented on September 24, 2024
Hi @rococtz - thanks for raising this
All this package's errors are caught and handled by Express (see https://github.com/auth0/node-oauth2-jwt-bearer/blob/main/packages/express-oauth2-jwt-bearer/src/index.ts#L76)
This is how errors should be handled in Express, see https://expressjs.com/en/guide/error-handling.html#catching-errors
I'm not sure what mechanism is causing those entries to show in your Cloudwatch logs, perhaps it's the default Express error handler - is your NODE_ENV set correctly? Also, you could have a look at writing your own error handler
from node-oauth2-jwt-bearer.
rococtz
commented on September 24, 2024
@adamjmcgrath This is very helpful, thank you very much.
from node-oauth2-jwt-bearer.
isaachinman
commented on September 24, 2024
@rococtz @adamjmcgrath I've seen identical InvalidTokenError: "exp" claim timestamp check failed errors, despite my JWTs being set to a 30 day expiry (in the Auth0 dashboard).
For my user base, this means that expired tokens should almost never happen, yet I see these errors many times per day.
Any hints as to how these errors can be debugged? As @rococtz hints at, even reqs without a token end up spitting out "exp" claim timestamp check failed, so I have a feeling this error block is unintentionally catching many other errors.
I've tried logging the WWW-Authenticate header as per the docs. It's just:
{"WWW-Authenticate":"Bearer realm=\"api\", error=\"invalid_token\", error_description=\"'exp' claim timestamp check failed\""}
Which doesn't actually provide any further information.
from node-oauth2-jwt-bearer.
adamjmcgrath
commented on September 24, 2024
Hi @isaachinman
As @rococtz hints at, even reqs without a token end up spitting out "exp" claim timestamp check failed, so I have a feeling this error block is unintentionally catching many other errors.
I don't think that's what they're saying. And I don't see how this would be possible since UnauthorizedError will be thrown if there is no token on the request, and the part of code that validates the claims will not be reachable.
If you think there is a bug with this SDK, could you raise a new issue and share an example repo that demonstrates the bug and I'd be happy to debug it.
from node-oauth2-jwt-bearer.
rococtz
commented on September 24, 2024
@isaachinman I was getting the expired token error because it was truly expired :) The error was relevant so my only issue was that I was not catching the right way which is by using next().
from node-oauth2-jwt-bearer.
Related Issues (20)
- Proxy Configuraton Broken/HTTP(S) Agent not being passed on JWKSet Creation HOT 2
- [docs] 404 error in the GitHub Pages documentation when clicking on a class or an interface HOT 1
- "nbf" claim timestamp check failed HOT 1
- 500 Error thrown when deployed to GCP App Engine HOT 3
- Getting AssertionError You must provide a 'tokenSigningAlg' for validating symmetric algorithms despite not providing a secret key value pair. HOT 6
- Node 21.5 support HOT 4
- InvalidTokenError: Failed to fetch authorization server metadata HOT 5
- publicKey without discovery HOT 2
- Crashed my express server. HOT 2
- Is it possible to use this with JWE encrypted access token?
- Audience Checking shouldn't be forced
- Allow to specify the location of the token.
- Cloudflare/Workerd support
- Create a separate method to validate a jwt
- Allow better control for discovery endpoints to use HOT 1
- Node 22 support
- [example] How to write unit tests for our Express APIs with canned JWTs? HOT 1
- [express-oauth2-jwt-bearer] What is the best practice to allow request to go through despite token being unauthorized? HOT 4
- Unable to recovery from temporarily unavailable discovery document HOT 4
- [docs] API documentation of auth middleware should mention "req.auth"
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from node-oauth2-jwt-bearer.