
I am creating a JWT token in my web server with the PHP JWT tool as below:

    <?php
    // Assumes the firebase/php-jwt library, whose JWT::encode() signature this matches
    use Firebase\JWT\JWT;

    function createToken() {
        $key = 'key';
        $allowInfinity = true;

        // for mobile devices allow infinity (no "exp" claim, so the token never expires)
        if ($allowInfinity === false) {
            $token = array(
                "iss" => "https://www.example.com/",
                "aud" => "https://www.example.com/",
                "iat" => time(),
                "nbf" => time(),
                "exp" => time() + (60 * 60)
            );
        } else {
            $token = array(
                "iss" => "https://www.example.com/",
                "aud" => "https://www.example.com/",
                "iat" => time(),
                "nbf" => time()
            );
        }
        // Name the algorithm explicitly so it matches the verifier; php-jwt 6+ requires this argument
        return JWT::encode($token, $key, 'HS256');
    }

In my Node.js code with the module JsonWebTokenError I try to verify the token as below:

    var jwt = require('jsonwebtoken');
    var util = require('util');
    // `token`, `logging` and `sockclient` come from the surrounding socket.io connection handler
    if (token !== undefined) {
        jwt.verify(token, 'key', { algorithms: ['HS256'], audience: 'https://www.example.com/', issuer: 'https://www.example.com/' }, function (err, decoded) {
            if (err) {
                logging.log("error", "Unauthorised Access:" + util.inspect(err));
                logging.log('error', "Unauthorised Access Headers: " + util.inspect(sockclient.request.headers) + "");
                return; // do not treat the connection as authenticated when verification failed
            }
            logging.log("error", "Decode:" + util.inspect(decoded));
        });
    } else {
        logging.log("error", "Unauthorised Access: No token found.");
        logging.log('error', "Unauthorised Access Headers: " + util.inspect(sockclient.request.headers) + "");
    }

However, when decoding I get the error below in my log file. Any idea what I am doing wrong here?

    [2022-04-25T14:27:03.774] [ERROR] log_file - Unauthorised Access:JsonWebTokenError: invalid signature
    at /var/www/vhosts/example.com/chat/node_modules/jsonwebtoken/verify.js:133:19
    at getSecret (/var/www/vhosts/example.com/chat/node_modules/jsonwebtoken/verify.js:90:14)
    at Object.module.exports [as verify] (/var/www/vhosts/example.com/chat/node_modules/jsonwebtoken/verify.js:94:10)
    at Namespace.<anonymous> (/var/www/vhosts/example.com/chat/chat_server.js:218:17)
    at Namespace.emit (events.js:400:28)
    at Namespace.emitReserved (/var/www/vhosts/example.com/chat/node_modules/socket.io/dist/typed-events.js:56:22)
    at /var/www/vhosts/example.com/chat/node_modules/socket.io/dist/namespace.js:141:26
    at processTicksAndRejections (internal/process/task_queues.js:77:11)
mahen3d
  • You didn't show how you sign the token in PHP. Make sure to use the same key and algorithm for signing and verifying. Can you pls show the token? – jps Apr 25 '22 at 09:18
  • @jps I am only using a secret key to encode; does that mean I cannot verify and I have to do only jwt.decode? – mahen3d Apr 25 '22 at 10:07
  • Whatever type of key you're using, it is always used to sign the token and you can verify the token. In case of HS256 you need the same secret/key for signing and verifying, in case of asymmetric algorithms you would need the private key to sign and the public key to verify. – jps Apr 25 '22 at 10:26
  • @jps my key is a string like '123333something'. I have seen some code that uses a public key and a pvt key as you mention. If I use a string key, does that mean I can only decode but not verify? Sorry, I am just a bit confused. – mahen3d Apr 25 '22 at 23:46
  • again, as mentioned before, of course you can verify the signature (and the JWT would be pointless if you could not do that). Could you please share the generated token along with the exact secret that you used? And have you made sure that the variable `token` on the Node.js side is identical to the token you generate with the PHP code? – jps Apr 26 '22 at 07:17

0 Answers