How to verify a token and store the secret? #211
Answered by panva. innovaweb-dev asked this question in Q&A.
How do I verify a token?

```js
// login
const { generateSecret } = require('jose/util/generate_secret')
const { SignJWT } = require('jose/jwt/sign')

const secret = await generateSecret('HS256')
console.log(secret);
const accessToken = await new SignJWT({ 'userID': userID })
  .setProtectedHeader({ alg: 'HS256' })
  .setIssuedAt()
  .setSubject('auth-access')
  .setIssuer('foo')
  .setExpirationTime(process.env.JWT_ACCESS_EXPIRATION * 100)
  .sign(secret)
res.cookie('accessToken', accessToken, {
  httpOnly: true,
  secure: false, //TODO process.env.NODE_ENV === 'production'
  maxAge: process.env.JWT_ACCESS_EXPIRATION * 1000
});
```
I try to verify the access token, but it does not work:

```js
// auth middleware
const { jwtVerify } = require('jose/jwt/verify')
const secret = await generateSecret('HS256');
try {
  const { payload, protectedHeader } = await jwtVerify(accessToken, secret)
} catch (err) {
  console.log(err); // JWSSignatureVerificationFailed: signature verification failed
}
```
Answered by panva on Jun 22, 2021
Well, why are you verifying with a new random secret? Of course the signature validation is going to fail. Use the same secret for signing and verifying. Store the secret through whatever means fits your deployment. The secret can be passed in as a Buffer or a KeyObject instance, both of which have APIs to (de)serialize the random value and come as standard APIs in Node.js.
Answer selected by innovaweb-dev
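An added example, not part of the original discussion or the jose project's code: it illustrates the answer using only Node.js built-in `crypto`, generating an HS256 secret once, serializing it for storage, reloading it as a `KeyObject`, and showing that a signature verifies with the stored secret but not with a freshly generated one. The function names and the minimal signature-only HS256 helpers are assumptions for illustration; in the application, the reloaded `KeyObject` is what gets passed to `.sign()` and `jwtVerify()`.

```javascript
const crypto = require('crypto');

// Run ONCE at provisioning time: create a 256-bit HMAC secret and serialize it.
// The returned base64 string is what goes into the secret store or environment.
function provisionSecret() {
  const key = crypto.generateKeySync('hmac', { length: 256 }); // KeyObject
  return key.export().toString('base64');
}

// Run at every process start: rebuild the same KeyObject from the stored value.
function loadSecret(stored) {
  const raw = Buffer.from(stored, 'base64');
  if (raw.length < 32) throw new Error('HS256 secret must be at least 256 bits');
  return crypto.createSecretKey(raw);
}

const b64url = (data) => Buffer.from(data).toString('base64')
  .replace(/=+$/, '').replace(/\+/g, '-').replace(/\//g, '_');

// HS256 is HMAC-SHA256 over the JWS signing input "<header>.<payload>".
function hs256(signingInput, key) {
  return crypto.createHmac('sha256', key).update(signingInput).digest();
}

function sign(claims, key) {
  const input = b64url(JSON.stringify({ alg: 'HS256' })) + '.' + b64url(JSON.stringify(claims));
  return input + '.' + b64url(hs256(input, key));
}

// Signature check only; claim validation (exp, iss, alg) is left to the JWT library.
function verify(token, key) {
  const parts = token.split('.');
  if (parts.length !== 3) return false;
  const expected = hs256(parts[0] + '.' + parts[1], key);
  const given = Buffer.from(parts[2].replace(/-/g, '+').replace(/_/g, '/'), 'base64');
  return given.length === expected.length && crypto.timingSafeEqual(given, expected);
}

// Constructed demo: the login route and the middleware both load the stored secret.
function demo() {
  const stored = provisionSecret();
  const token = sign({ sub: 'auth-access', iss: 'foo' }, loadSecret(stored));
  return {
    sameSecret: verify(token, loadSecret(stored)),             // stored secret reloaded
    freshSecret: verify(token, loadSecret(provisionSecret())), // new random secret
  };
}
```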