Node-jsonwebtoken: jwt.verify fails to throw error for expired tokens

Created on 13 Jul 2017 · 4 Comments · Source: auth0/node-jsonwebtoken

I am creating a jwt like this:
return jwt.sign({ some_key: some_value }, Authentication.secret, { expiresIn: '1s'});

And verifying it like:

jwt.verify(token, Authentication.secret, (err, result) => {
    if (err) {
        return res.status(400).send('Failed');
    }
    return next();
});

When I log the decoded results, I can see something like:

iat: 1499970792, exp: 1499970793

which looks fine, I suppose. I have checked whether the token I am sending to the client is the same as the one I am verifying, and all looks good, but the middleware proceeds with next(). Am I missing something here?

All 4 comments

I used the following line:

jwt.verify(token, secret, (err, result) => {
    return res.status(200).send({
        err: err,
        result: result,
    });
});

on an expired token and got this result:

{
    "err": {
        "name": "TokenExpiredError",
        "message": "jwt expired",
        "expiredAt": "2017-07-19T17:08:44.000Z"
    }
}

On a non-expired token, I got this result:

{
    "err": null,
    "result": {
        "data": "data",
        "iat": 1500484656,
        "exp": 1500916656
    }
}

which is the expected result. Maybe try logging your err object and seeing what's happening? Perhaps the next() is being called later in your code?

I am using the next() ... snap! This is what it looks like:

return jwt.verify(token, Authentication.secret, (err, result) => {
    if (err) {
        console.log("Auth error", err);
        return res.status(400).send('Failed on second middleware');
    }
    return next();
});

I guess putting the next() in an else wouldn't cut it?

If wrapping the call to next() in an else works then it is a fine solution, but I would imagine that the return statement should stop execution. Maybe there is something I'm missing, however? Give the else a try and see if that fixes it for you.

@z2oh the return was not needed, thanks
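
An added example, not part of the original thread and not code from the jsonwebtoken project: a harness that confirms an auth middleware sends a 400 for an expired token and calls next() only for a valid one. It assumes a stand-in HS256 verifier built on node:crypto so it runs offline; `signToken`, `verifyToken`, `requireValidToken`, `run` and the secret are hypothetical names, and the clock is injected so the expiry check is deterministic.

```javascript
// Stand-in HS256 verifier on node:crypto (an assumption for offline use, not jsonwebtoken's code).
const crypto = require("node:crypto");
const b64url = (buf) => Buffer.from(buf).toString("base64url");
const mac = (data, secret) => crypto.createHmac("sha256", secret).update(data).digest();

// Hypothetical helper: sign a payload whose iat/exp are given in seconds since the epoch.
function signToken(payload, secret) {
  const head = b64url(JSON.stringify({ alg: "HS256", typ: "JWT" }));
  const body = b64url(JSON.stringify(payload));
  return `${head}.${body}.${b64url(mac(`${head}.${body}`, secret))}`;
}

// Callback-style verify with the (err, result) shape used in the thread; HS256 only.
function verifyToken(token, secret, nowSec, cb) {
  const [head, body, sig, ...rest] = String(token).split(".");
  if (!head || !body || !sig || rest.length) {
    return cb({ name: "JsonWebTokenError", message: "jwt malformed" });
  }
  const expected = mac(`${head}.${body}`, secret);
  const given = Buffer.from(sig, "base64url");
  if (given.length !== expected.length || !crypto.timingSafeEqual(given, expected)) {
    return cb({ name: "JsonWebTokenError", message: "invalid signature" });
  }
  const claims = JSON.parse(Buffer.from(body, "base64url").toString("utf8"));
  // exp is in seconds; this stand-in treats now >= exp as expired.
  if (typeof claims.exp === "number" && nowSec >= claims.exp) {
    return cb({ name: "TokenExpiredError", message: "jwt expired" });
  }
  return cb(null, claims);
}

// Express-style middleware: per request, either a 400 is sent or next() runs, never both.
function requireValidToken(secret, clock) {
  return (req, res, next) =>
    verifyToken(req.token, secret, clock(), (err) => {
      if (err) return res.status(400).send("Failed");
      return next();
    });
}

// Drive the middleware with fake req/res/next and report what it did.
function run(token, secret, nowSec) {
  const seen = { status: null, nextCalls: 0 };
  const res = { status(code) { seen.status = code; return res; }, send() { return res; } };
  requireValidToken(secret, () => nowSec)({ token }, res, () => { seen.nextCalls += 1; });
  return seen;
}

// Constructed demo using the iat/exp values logged in the question.
const demoToken = signToken({ iat: 1499970792, exp: 1499970793 }, "constructed-secret");
console.log(run(demoToken, "constructed-secret", 1499970792), run(demoToken, "constructed-secret", 1499970800));
```

Counting next() calls alongside the response status is a quick way to tell whether a middleware really lets an expired token through or whether the request is being passed on somewhere else.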
