Comments (4)
As for your first proposed solution, that could work, but I'm afraid of cases such as expired tokens going through. In that case, there would still be an Authorization header set, although the value invalid. I would like the response to still go through, as though you were anonymous user. Is that unreasonable?
No, this still sounds reasonable
On a side note, the option authRequired: false from the package express-openid-connect, as demonstrated here, is probably related to my use case here.
Yeah, this is a good idea. I'll switch this to a feature request, not sure when I can take a look but you should be able to use one of the workarounds in the meantime
from node-oauth2-jwt-bearer.
Hi @nbkhope - thanks for raising this
You could skip this middleware if no authentication is provided on the request.
// untested:
const { auth } = require('express-oauth2-jwt-bearer');
const authIfAvailable = (config) => {
const mw = auth(config);
return (req, res, next) => {
if (!req.headers.authorization) {
next();
} else {
mw(req, res, next)
}
}
}
app.use(authIfAvailable());
Does passport have the option to throw/not throw based on something similar? Which Passport strategy are you referring to?
from node-oauth2-jwt-bearer.
I could add a second step in the pipeline just to catch that possible error, but then that error middleware would also catch any other kind of error and would get in the way of my standard error pipeline.
You could also just do
// untested:
const { auth } = require('express-oauth2-jwt-bearer');
const authNoError = (config) => {
const mw = auth(config);
return (req, res, next) => {
mw(req, res, () => next())
}
}
app.use(authNoError());
from node-oauth2-jwt-bearer.
Thanks for the response, @adamjmcgrath.
One way I got it to work was to add an extra error handler, then rethrow the error if it does not match the error name UnauthorizedError, header, status 401, etc. I still don't like that though.
As for your first proposed solution, that could work, but I'm afraid of cases such as expired tokens going through. In that case, there would still be an Authorization header set, although the value invalid. I would like the response to still go through, as though you were anonymous user. Is that unreasonable?
As for your second proposed solution, I have to try that out and get to understand the () => next()
part (at first glancing assuming it would just get rid of the error and letting it through; that could work).
Does passport have the option to throw/not throw based on something similar? Which Passport strategy are you referring to?
The example I used uses passport-jwt
, but the actual error handling mechanism that lets me keep the pipeline going is from passport
itself, the callback parameter to authenticate()
:
On a side note, the option authRequired: false
from the package express-openid-connect
, as demonstrated here, is probably related to my use case here.
from node-oauth2-jwt-bearer.
Related Issues (20)
- Proxy Configuraton Broken/HTTP(S) Agent not being passed on JWKSet Creation HOT 2
- [docs] 404 error in the GitHub Pages documentation when clicking on a class or an interface HOT 1
- "nbf" claim timestamp check failed HOT 1
- 500 Error thrown when deployed to GCP App Engine HOT 3
- Getting AssertionError You must provide a 'tokenSigningAlg' for validating symmetric algorithms despite not providing a secret key value pair. HOT 6
- Node 21.5 support HOT 4
- InvalidTokenError: Failed to fetch authorization server metadata HOT 5
- publicKey without discovery HOT 2
- Crashed my express server. HOT 2
- Is it possible to use this with JWE encrypted access token?
- Audience Checking shouldn't be forced
- Allow to specify the location of the token.
- Cloudflare/Workerd support
- Create a separate method to validate a jwt
- Allow better control for discovery endpoints to use HOT 1
- Node 22 support
- [example] How to write unit tests for our Express APIs with canned JWTs? HOT 1
- Unable to recovery from temporarily unavailable discovery document HOT 4
- [docs] API documentation of auth middleware should mention "req.auth"
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from node-oauth2-jwt-bearer.