This repository was archived by the owner on Mar 22, 2022. It is now read-only.

remove method failed with JsonWebTokenError: invalid token #388

Closed
boybundit opened this issue Dec 31, 2016 · 6 comments

@boybundit (Contributor)

Steps to reproduce

Calling DELETE /authentication with a valid JWT in the header results in an error.

Apparently, it takes the token from the Authorization header without removing the Bearer text at the beginning.

  remove (id, params) {
    const defaults = this.app.get('auth');
    // When no id is given, the raw header value is used as the token. The
    // Authorization header carries "Bearer <jwt>" and the scheme prefix is
    // never stripped, so verifyJWT receives "Bearer <jwt>" and fails with
    // JsonWebTokenError: invalid token.
    const accessToken = id !== null ? id : params.headers[defaults.header.toLowerCase()];
    // TODO (EK): return error if token is missing?
    return this.passport
      .verifyJWT(accessToken, merge(defaults, params))
      .then(payload => {
        return { accessToken };
      });
  }

Expected behavior

No error

Actual behavior

Error is thrown. JsonWebTokenError: invalid token

System configuration

Module versions (especially the part that's not working):

+-- feathers@2.0.3
+-- feathers-authentication@1.0.2
+-- feathers-authentication-jwt@0.3.1

NodeJS version: 6.9.1

Operating System: Windows 10

Browser Version: Chrome 55.0.2883.87 m

Module Loader: Node.js

@boybundit (Contributor, Author)

This is pretty straightforward, so please let me know if a PR is welcome.

BTW, what exactly is the purpose of it? If it is for token verification, then why do we use the remove method?

@daffl (Member) commented Dec 31, 2016

It's remove for sending the app.on('logout') event and also to have the option of adding hooks to e.g. revoke or blacklist a token.

I think this is related to feathersjs-ecosystem/authentication-jwt#5; I guess verifyJWT needs to do the same thing.

@boybundit (Contributor, Author) commented Jan 3, 2017

Then, should we make a distinction between the JWT used to authenticate the request and the JWT to be removed?

  1. JWT to authenticate the request
    This is a task of feathers-authentication-jwt.

  2. JWT to be removed
    As with a standard remove service, it should require an id, like DELETE /auth/:id. This is already implemented using the JWT as an id. (Even though a token is not exactly an id; RFC 7519 offers an optional jti field.)

If we would like to support extraction of JWT to be removed, from JWT used to authenticate the request, then we have to expose jwtFromRequest as with feathers-authentication-jwt because both should ultimately use the same extractor(s).

IMHO, the current implementation is fine, as we should make the distinction between the two. I would even like to remove header extraction support when the id is missing on a remove call.

@ekryski (Member) commented Jan 20, 2017

I had intended to add support for jti so that we can handle blacklisting more nicely. There is still some work to do there, but IMHO the authentication service really should be auth/token again, and the validation of a token really should just be a hook you apply on the service, with the service acting like a regular DB-backed one. This would allow us to blacklist tokens easily if you wanted that functionality.
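
The jti-based blacklist mentioned in the comment above, as an added example that is not feathers-authentication code: a hypothetical in-memory store keyed on the token's jti claim, populated when a token is removed and consulted before a token is accepted. The decoding here does not verify the signature; the store only makes sense after verifyJWT has already accepted the token. The class name JtiBlacklist, the helper makeUnsignedSample and the sample claims are all constructed for this example.

```javascript
// Added example, not code from feathers-authentication. Decoding below does
// NOT check the signature; run the blacklist check only on tokens that
// verifyJWT has already accepted.

function base64UrlDecode(segment) {
  const b64 = segment.replace(/-/g, '+').replace(/_/g, '/');
  const padded = b64 + '='.repeat((4 - (b64.length % 4)) % 4);
  return Buffer.from(padded, 'base64').toString('utf8');
}

// Returns the JWT payload as an object, or null if the compact form is malformed.
function decodePayload(token) {
  if (typeof token !== 'string') return null;
  const parts = token.split('.');
  if (parts.length !== 3) return null;
  try {
    const payload = JSON.parse(base64UrlDecode(parts[1]));
    return payload && typeof payload === 'object' ? payload : null;
  } catch (e) {
    return null;
  }
}

// Hypothetical blacklist keyed on jti. Entries remember the token's exp so
// they can be pruned once the token could no longer be used anyway.
class JtiBlacklist {
  constructor() {
    this.revoked = new Map(); // jti -> exp (seconds since epoch, or undefined)
  }

  // Record the token's jti. Returns false when the token has no jti (it cannot
  // be blacklisted individually) or is already expired.
  revoke(token, now = Math.floor(Date.now() / 1000)) {
    const payload = decodePayload(token);
    if (!payload || typeof payload.jti !== 'string') return false;
    if (typeof payload.exp === 'number' && payload.exp <= now) return false;
    this.revoked.set(payload.jti, payload.exp);
    return true;
  }

  // True when the token's jti has been revoked and the token is not yet expired.
  // A token without jti is never considered revoked here; a stricter policy
  // would reject such tokens outright.
  isRevoked(token, now = Math.floor(Date.now() / 1000)) {
    const payload = decodePayload(token);
    if (!payload || typeof payload.jti !== 'string') return false;
    if (!this.revoked.has(payload.jti)) return false;
    const exp = this.revoked.get(payload.jti);
    if (typeof exp === 'number' && exp <= now) {
      this.revoked.delete(payload.jti); // expired: prune and treat as not revoked
      return false;
    }
    return true;
  }
}

// Constructed sample: builds a compact JWT with a placeholder signature so the
// example runs offline. The claims are made up for this example.
function makeUnsignedSample(payload) {
  const enc = obj => Buffer.from(JSON.stringify(obj)).toString('base64')
    .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
  return enc({ alg: 'HS256', typ: 'JWT' }) + '.' + enc(payload) + '.c2ln';
}
```

In a deployment the Map would be a shared store (with TTLs derived from exp) so that every instance sees a revocation, and the remove hook would call revoke() only after verifyJWT has succeeded.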

@ekryski (Member) commented Jan 20, 2017

@boybundit if you have time for a PR in the next couple days I'd love one! Otherwise I will try and get to it. In order to fix the actual issue it should split on whitespace and ignore the Bearer part.
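
The extraction fix described in the comment above, as an added example that is not feathers-authentication code: the header value is split on whitespace and the Bearer scheme is dropped, so that what reaches verifyJWT is only the compact JWT. The function names, the getHeader lookup and the sample token are assumptions made for this example; the lookup order (explicit id first, then the configured header) mirrors the remove(id, params) method quoted in the issue.

```javascript
// Added example, not code from feathers-authentication. It shows the fix
// ekryski describes: split the Authorization header value on whitespace and
// drop the "Bearer" scheme before the token reaches verifyJWT.

const BASE64URL_SEGMENT = /^[A-Za-z0-9_-]+$/;

// True when a string has the shape of a compact JWS (header.payload.signature).
// A leading "Bearer " breaks this shape, which is the kind of input that makes
// jsonwebtoken report "invalid token".
function looksLikeJwt(token) {
  if (typeof token !== 'string') return false;
  const parts = token.split('.');
  return parts.length === 3 && parts.every(p => BASE64URL_SEGMENT.test(p));
}

// Return the raw token carried by an Authorization-style header value.
// Accepts "Bearer <token>" (scheme matched case-insensitively, surrounding
// whitespace ignored) and a bare token; returns null for anything else.
function tokenFromHeaderValue(value) {
  if (typeof value !== 'string') return null;
  const parts = value.trim().split(/\s+/);
  if (parts.length === 1) {
    // a lone "Bearer" with no token is not a token
    if (parts[0] === '' || parts[0].toLowerCase() === 'bearer') return null;
    return parts[0];
  }
  if (parts.length === 2 && parts[0].toLowerCase() === 'bearer') return parts[1];
  return null;
}

// Case-insensitive header lookup (Node lowercases incoming header names, but
// the configured header name, e.g. 'Authorization', may not be lowercase).
function getHeader(headers, name) {
  if (!headers) return undefined;
  const wanted = name.toLowerCase();
  for (const key of Object.keys(headers)) {
    if (key.toLowerCase() === wanted) return headers[key];
  }
  return undefined;
}

// Mirrors the lookup order of the remove(id, params) method quoted in the
// issue: an explicit id wins, otherwise the configured header is consulted.
// `defaults.header` is assumed to hold the header name, as in the issue's config.
function resolveAccessToken(id, params, defaults = { header: 'Authorization' }) {
  if (id !== null && id !== undefined) return String(id);
  const headers = params && params.headers;
  return tokenFromHeaderValue(getHeader(headers, defaults.header));
}

// Constructed sample (not a real token): three base64url segments in the
// compact JWT layout, sufficient to exercise the extraction logic offline.
const SAMPLE_JWT = 'eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiIxMjMifQ.c2lnbmF0dXJl';
```

Calling resolveAccessToken(null, { headers: { authorization: 'Bearer ' + SAMPLE_JWT } }) yields the bare SAMPLE_JWT, which is what verifyJWT should receive; the original code would have passed the whole header value through.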

@ekryski (Member) commented Mar 22, 2017

Closed by #403.

@ekryski ekryski closed this as completed Mar 22, 2017