JWT解码返回null
我是Node.js的新手,阅读Fabian Cook的Node.js Essentials。 在使用JWT进行身份validation时尝试代码时,我从jwt.decode(token)中获得了一个NULL,但是令牌可以由jwt.io上的Debugger进行parsing。 代码有什么问题?
var Passport = require( 'passport' ); var LocalStrategy = require( 'passport-local' ).Strategy; var Express = require( 'express' ); var BodyParser = require( 'body-parser' ); var jwt = require( 'jsonwebtoken' ); var Crypto = require ( 'crypto' ); var users = { zack: { username: 'zack', password: '1234', id: 1, }, node: { username: 'node', password: '5678', id: 2, }, } var localStrategy = new LocalStrategy({ usernameField: 'username', passwordField: 'password', }, function(username, password, done) { user = users[ username ]; if ( user == null ) { return done( null, false, { message: 'Invalid user' } ); }; if ( user.password !== password ) { return done( null, false, { message: 'Invalid password' } ); }; done( null, user ); } ) Passport.use( 'local', localStrategy ); var app = Express(); app.use( BodyParser.urlencoded( { extended: false } ) ); app.use( BodyParser.json() ); app.use( Passport.initialize() ); var generateToken = function( req, res ) { var payload = { id: user.id, username: user.username } var secret = user.secret || Crypto.randomBytes( 128 ).toString( 'base64' ); var token = jwt.sign( payload, secret ); user.secret = secret; return token; }; var generateTokenHandler = function ( req, res ) { var user = req.user; var token = generateToken( user ); res.send( token ); }; app.post( '/login', Passport.authenticate( 'local', { session: false } ), generateTokenHandler ); var BearerStrategy = require( 'passport-http-bearer' ).Strategy; var verifyToken = function( token, done ) { var payload = jwt.decode(token); if ( payload == null ){ return done( null, false ); } console.log(payload); var user = users[ payload.username ]; if ( user == null || user.id !== payload.id || user.username !== payload.username ) { return done( null, false ); } jwt.verify( token, user.secret, function ( error, decoded ) { if ( error || decoded == null ) { return done( error, false ); } return done( null, user ); }) } var bearerStrategy = new BearerStrategy( verifyToken ) Passport.use( 'bearer', bearerStrategy ); app.get( '/userinfo', Passport.authenticate( 'bearer', { session: false } ), function ( req, res ) { var user = request.user; res.send( { id: user.id, username: user.username }); } ); app.listen( 3000, function() { console.log( 'Listening on 3000' ); }); 这是我从代码FYI得到的一个令牌
eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJpZCI6MSwidXNlcm5hbWUiOiJ6YWNrIiwiaWF0IjoxNDU5MDAzMTYxfQ.rhqOX0ICRvivNCwwLNsu5KizNPLQTKPVEqfCuxtII90~
我相信问题是,当使用jwt.decode同时也有一个密钥,你将需要传递一个选项的解码调用完全设置为true:
从jwt文档:
// get the decoded payload ignoring signature, no secretOrPrivateKey needed var decoded = jwt.decode(token); // get the decoded payload and header var decoded = jwt.decode(token, {complete: true}); console.log(decoded.header); console.log(decoded.payload)
https://github.com/auth0/node-jsonwebtoken
显然,在这里最好使用jwt.verify:
Warning: This will not verify whether the signature is valid. You should not use this for untrusted messages. You most likely want to use jwt.verify instead.