
I am using the package "github.com/dgrijalva/jwt-go" in Go to authenticate API hits.

The code for creating a jwt token is:

    // Signing side. Needs "time" and jwt "github.com/dgrijalva/jwt-go".
    token := jwt.NewWithClaims(jwt.SigningMethodHS256, &jwt.MapClaims{
        "email":      "test@example.com",
        "exp":        time.Now().Add(time.Hour * 8760).Unix(), // one year from now
        "role":       "customer",
        "name":       "John Doe",
        "ip":         "0.0.0.0", // placeholder; must be a string literal in Go
        "user_agent": "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:69.0) Gecko/20100101 Firefox/69.0",
        "id":         1,
    })
    // The HMAC key is passed to SignedString as []byte.
    tokenString, err := token.SignedString([]byte(config.SignKey))

Following are the steps to use this token:

  1. First the login API is hit; we call the above method to generate a token and return it in the API response.
  2. After that, another API is hit which carries this token in its headers after the "Bearer " string. We decode the token and authenticate it with the following code:

    // Needs "strings", jwt "github.com/dgrijalva/jwt-go" and "github.com/gin-gonic/gin".
    bearer := strings.Split(c.Request.Header["Authorization"][0], "Bearer")
    bearerToken := strings.TrimSpace(bearer[1])
    // The keyfunc hands jwt.Parse the key to verify the signature with.
    token, err := jwt.Parse(bearerToken, func(token *jwt.Token) (interface{}, error) { return config.SignKey, nil })
    if err != nil {
        // err is serialized into the response body as-is.
        c.JSON(200, gin.H{"response": gin.H{"error": err, "msg": "Session Expired. Please log out and back in to continue2."}})
        c.Abort()
        return
    }
    

Now suppose the token was decoded for the URL: http://SOMEDOMAIN.COM/api/v1/SOMEAPI

From this API I issued another curl command in the format:

"curl --header 'Ip: " + ip + "' --header 'User-Agent: " + userAgent + "' --header 'Authorization: " + token + "' 'http://SOMEDOMAIN.COM/api/v2/ANOTHERAPI'"

This command hits another, different API but uses the same credentials, i.e. the same token that was created by the login API.

Both APIs, with different URLs, are hosted on the same server but in different Go project folders.

At this point the package does not authenticate the token and gives the following error:

{"response":{"code":400,"api_status":10,"message":"Session Expired. Please log out and back in to continue2.","data":{"Inner":{},"Errors":4}}}

I was looking for the meaning of error code 4 in this case.

Can anyone please explain the meaning of Errors: 4 and why it behaves like this on different API URLs?

Grokify
Amandeep kaur
    Have you looked here: https://github.com/dgrijalva/jwt-go/blob/5e25c22bd5d6de03265bbe5462dcd162f85046f6/errors.go#L41 ? – Havelock Sep 26 '19 at 07:01
  • Please reconsider putting names, email addresses and IP addresses in clear into your tokens. That's just rude. A lifetime of one year is also highly unusual. I sure hope you have some way to invalidate compromised tokens. – Peter Sep 26 '19 at 07:47
  • @Havelock Yes, I checked the link you provided. The Errors field is of type uint32. But in what case will it return 4? I need this value so that I can check where the code is breaking. – Amandeep kaur Sep 26 '19 at 10:53
  • @Peter I have updated the names, emails, IPs etc. in the post. Also, a token lifetime of 1 year is my requirement. And it's working fine on the api/v1 URL. – Amandeep kaur Sep 26 '19 at 10:56

1 Answer

When I investigated your code, I found a misuse of your config.SignKey: it seems it was cast to []byte while signing the token.

But while parsing your token:

    {return config.SignKey, nil}

you used the default type and didn't cast to []byte.

    {return []byte(config.SignKey), nil}

I think that is the issue.

İlker Korkut
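The following program is an added example, not code from the question, the answer or the jwt-go project. It re-implements just enough of HS256 signing and parsing in plain Go (no third-party module) to show what the answer describes and what the question's "Errors":4 means: the flag values are copied from jwt-go's errors.go, where they are declared as uint32 = 1 << iota in the order Malformed (1), Unverifiable (2), SignatureInvalid (4), and the verify step type-asserts the key to []byte before computing any HMAC, as jwt-go's HMAC signing method does. The keyfunc here takes no arguments (jwt.Keyfunc receives the parsed token), and the function names, error strings and secret are stand-ins chosen for this example.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
)

// Flag values copied from jwt-go's errors.go (uint32 = 1 << iota, same order);
// this is why "Errors":4 decodes to SignatureInvalid. Later flags continue 8 ... 512.
const (
	ValidationErrorMalformed        uint32 = 1 << iota // 1
	ValidationErrorUnverifiable                        // 2
	ValidationErrorSignatureInvalid                    // 4
)

// Flag names by bit position, in jwt-go's order.
var flagNames = []string{"Malformed", "Unverifiable", "SignatureInvalid", "Audience",
	"Expired", "IssuedAt", "Issuer", "NotValidYet", "Id", "ClaimsInvalid"}

// DecodeErrors lists the flags set in a ValidationError.Errors bitmask.
func DecodeErrors(mask uint32) []string {
	var out []string
	for i, name := range flagNames {
		if mask&(uint32(1)<<uint(i)) != 0 {
			out = append(out, name)
		}
	}
	return out
}

var (
	ErrInvalidKeyType   = errors.New("key is of invalid type")
	ErrSignatureInvalid = errors.New("signature is invalid")
)

// ValidationError has the shape jwt-go marshals as {"Inner":{},"Errors":4}.
type ValidationError struct {
	Inner  error
	Errors uint32
}

func (e *ValidationError) Error() string { return e.Inner.Error() }

func b64(b []byte) string { return base64.RawURLEncoding.EncodeToString(b) }

// SignHS256 builds header.payload.signature, HMAC-SHA256 over the first two segments.
func SignHS256(claims map[string]interface{}, key []byte) (string, error) {
	hdr, _ := json.Marshal(map[string]string{"alg": "HS256", "typ": "JWT"})
	payload, err := json.Marshal(claims)
	if err != nil {
		return "", err
	}
	signingInput := b64(hdr) + "." + b64(payload)
	mac := hmac.New(sha256.New, key)
	mac.Write([]byte(signingInput))
	return signingInput + "." + b64(mac.Sum(nil)), nil
}

// verifyHS256 insists on a []byte key, as jwt-go's HMAC method does: a key of any
// other dynamic type (a plain string, say) is ErrInvalidKeyType before any HMAC runs.
func verifyHS256(signingInput, sig string, key interface{}) error {
	keyBytes, ok := key.([]byte)
	if !ok {
		return ErrInvalidKeyType
	}
	got, err := base64.RawURLEncoding.DecodeString(sig)
	mac := hmac.New(sha256.New, keyBytes)
	mac.Write([]byte(signingInput))
	if err != nil || !hmac.Equal(got, mac.Sum(nil)) {
		return ErrSignatureInvalid
	}
	return nil
}

// ParseHS256 follows jwt-go's flow: whatever verify returns, wrong key type or a real
// mismatch, sets the same SignatureInvalid bit, and only Inner tells the two apart.
func ParseHS256(tokenString string, keyFunc func() (interface{}, error)) (map[string]interface{}, *ValidationError) {
	parts := strings.Split(tokenString, ".")
	if len(parts) != 3 {
		return nil, &ValidationError{errors.New("token contains an invalid number of segments"), ValidationErrorMalformed}
	}
	var claims map[string]interface{}
	raw, err := base64.RawURLEncoding.DecodeString(parts[1])
	if err != nil || json.Unmarshal(raw, &claims) != nil {
		return nil, &ValidationError{errors.New("claims segment is not valid JSON"), ValidationErrorMalformed}
	}
	key, err := keyFunc()
	if err != nil {
		return nil, &ValidationError{err, ValidationErrorUnverifiable}
	}
	if err := verifyHS256(parts[0]+"."+parts[1], parts[2], key); err != nil {
		return nil, &ValidationError{err, ValidationErrorSignatureInvalid}
	}
	return claims, nil
}

func main() {
	signKey := "s3cret-from-config" // stands in for config.SignKey, a string (constructed value)
	tok, _ := SignHS256(map[string]interface{}{"id": 1, "role": "customer"}, []byte(signKey))
	// The question's keyfunc: returns the string itself, not []byte.
	_, verr := ParseHS256(tok, func() (interface{}, error) { return signKey, nil })
	fmt.Println(verr.Errors, DecodeErrors(verr.Errors), verr.Inner) // 4 [SignatureInvalid] key is of invalid type
	// The answer's fix: cast to []byte, matching the signing side.
	claims, verr := ParseHS256(tok, func() (interface{}, error) { return []byte(signKey), nil })
	fmt.Println(claims["role"], verr == nil) // customer true
}
```

Because Errors is a bitmask, check it in real jwt-go code with a mask rather than an equality test, e.g. `verr.Errors&jwt.ValidationErrorSignatureInvalid != 0` after asserting `err.(*jwt.ValidationError)`, and log `verr.Inner`: a key of the wrong type and a genuinely forged or mismatched signature set the same bit. The same conversion has to happen on both sides, so the safest layout is to hold the secret as []byte in the shared config once instead of converting at each call site in each project.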