It does not seem that the JSON Web Token verification works as intended, or maybe the documentation is outdated. I am getting a 401 JWSError JWSInvalidSignature on the POST requests with an authorization token.
I followed Tutorial 0 and Tutorial 1 word-by-word and this is what I get:
> cat postgrest.conf
db-uri = "postgres://postgres:mysecretpassword@localhost/postgres"
db-schema = "api"
db-anon-role = "web_anon"
jwt-secret = "secret"
> ./postgrest postgrest.conf
Listening on port 3000
Attempting to connect to the database...
Connection successful
127.0.0.1 - - [15/Sep/2017:14:58:02 -0700] "GET /todos HTTP/1.1" 200 - "" "Mozilla/5.0 (X11; Fedora; Linux x86_64; rv:55.0) Gecko/20100101 Firefox/55.0"
127.0.0.1 - - [15/Sep/2017:14:58:23 -0700] "POST /todos HTTP/1.1" 401 - "" "curl/7.53.1"
The token I use is identical to the one in the tutorial.
> export TOKEN="eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJyb2xlIjoidG9kb191c2VyIn0.IF9PKgLZ_XA70Uz5vm0OxrqYTCQdXxBA0Oz4uK8lBqM"
> curl http://localhost:3000/todos -v -X POST \
-H "Authorization: Bearer $TOKEN" \
-H "Content-Type: application/json" \
-d '{"task": "learn how to auth"}'
Note: Unnecessary use of -X or --request, POST is already inferred.
* Trying ::1...
* TCP_NODELAY set
* connect to ::1 port 3000 failed: Connection refused
* Trying 127.0.0.1...
* TCP_NODELAY set
* Connected to localhost (127.0.0.1) port 3000 (#0)
> POST /todos HTTP/1.1
> Host: localhost:3000
> User-Agent: curl/7.53.1
> Accept: */*
> Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJyb2xlIjoidG9kb191c2VyIn0.IF9PKgLZ_XA70Uz5vm0OxrqYTCQdXxBA0Oz4uK8lBqM
> Content-Type: application/json
> Content-Length: 29
>
* upload completely sent off: 29 out of 29 bytes
< HTTP/1.1 401 Unauthorized
< Transfer-Encoding: chunked
< Date: Fri, 15 Sep 2017 21:58:23 GMT
< Server: postgrest/0.4.3.0
< Content-Type: application/json; charset=utf-8
< WWW-Authenticate: Bearer error="invalid_token", error_description="JWSError JWSInvalidSignature"
<
* Connection #0 to host localhost left intact
{"message":"JWSError JWSInvalidSignature"}%
postgrest 0.4.3.0
PostgreSQL 9.6.5
Fedora 26
In v4.3 we require a secret of at least 32 characters. See if that helps, and we can update the docs. Thanks for your report.
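To make the 32-character rule concrete, here is an added illustration (not PostgREST's or hs-jose's code): a minimal HS256 signer/verifier in stdlib Python that applies the same key-length floor before it ever computes an HMAC, so a jwt-secret such as "secret" fails in the same way the report above shows. The 32-byte secret value, claim values and helper names are assumptions; only the token is taken from the report.

```python
import base64
import hashlib
import hmac
import json

# HS256 keys must be at least as long as the SHA-256 output (RFC 7518 sec. 3.2),
# which is the 32-character minimum PostgREST 0.4.3 applies to jwt-secret.
MIN_SECRET_BYTES = 32
# Token quoted in the report above (its payload decodes to {"role":"todo_user"}).
PAGE_TOKEN = ("eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9."
              "eyJyb2xlIjoidG9kb191c2VyIn0.IF9PKgLZ_XA70Uz5vm0OxrqYTCQdXxBA0Oz4uK8lBqM")

def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))  # restore padding

def secret_is_long_enough(secret: str) -> bool:
    return len(secret.encode("utf-8")) >= MIN_SECRET_BYTES

def unverified_claims(token: str) -> dict:
    """Decode the payload WITHOUT checking the signature (debugging only)."""
    return json.loads(b64url_decode(token.split(".")[1]))

def sign_hs256(claims: dict, secret: str) -> str:
    if not secret_is_long_enough(secret):
        raise ValueError("secret shorter than %d bytes" % MIN_SECRET_BYTES)
    header = b64url_encode(b'{"alg":"HS256","typ":"JWT"}')
    payload = b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    mac = hmac.new(secret.encode(), (header + "." + payload).encode(), hashlib.sha256)
    return header + "." + payload + "." + b64url_encode(mac.digest())

def verification_error(token: str, secret: str):
    """Return None if the token verifies under secret, else a string saying why."""
    if not secret_is_long_enough(secret):  # too-short secret: the 401 in the report
        return "JWSInvalidSignature: secret shorter than %d bytes" % MIN_SECRET_BYTES
    parts = token.split(".")
    if len(parts) != 3:
        return "malformed compact JWS"
    header, payload, sig = parts
    if json.loads(b64url_decode(header)).get("alg") != "HS256":
        return "unexpected alg"  # never let the token choose the algorithm
    expected = hmac.new(secret.encode(), (header + "." + payload).encode(), hashlib.sha256)
    if not hmac.compare_digest(expected.digest(), b64url_decode(sig)):
        return "JWSInvalidSignature"
    return None
```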
A secret of 32 characters works. Thanks.
I believe postgrest should notify the user somehow that the secret is less than 32 characters :)
I opened a docs pull request to help clarify the 32-char minimum.
We can improve postgrest's error message later, when https://github.com/frasertweedale/hs-jose/issues/46 gets closed due to https://github.com/frasertweedale/hs-jose/commit/59ca5e656370e5b7812faadf5234aa9b0724e782 in the check-jwk branch of jose.