Postgrest: JWSError JWSInvalidSignature

Created on 16 Sep 2017 · 4 comments · Source: PostgREST/postgrest

It does not seem that the JSON Web Token verification works as intended or maybe the documentation is outdated. I am getting a 401 JWSError JWSInvalidSignature on the POST requests with authorization token.

I followed Tutorial 0 and Tutorial 1 word-by-word and this is what I get:

> cat postgrest.conf
db-uri = "postgres://postgres:mysecretpassword@localhost/postgres"
db-schema = "api"
db-anon-role = "web_anon"
jwt-secret = "secret"
> ./postgrest postgrest.conf
Listening on port 3000
Attempting to connect to the database...
Connection successful
127.0.0.1 - - [15/Sep/2017:14:58:02 -0700] "GET /todos HTTP/1.1" 200 - "" "Mozilla/5.0 (X11; Fedora; Linux x86_64; rv:55.0) Gecko/20100101 Firefox/55.0"
127.0.0.1 - - [15/Sep/2017:14:58:23 -0700] "POST /todos HTTP/1.1" 401 - "" "curl/7.53.1"

The token I use is identical with the one in the tutorial.

> export TOKEN="eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJyb2xlIjoidG9kb191c2VyIn0.IF9PKgLZ_XA70Uz5vm0OxrqYTCQdXxBA0Oz4uK8lBqM"
> curl http://localhost:3000/todos -v -X POST \
     -H "Authorization: Bearer $TOKEN"   \
     -H "Content-Type: application/json" \
     -d '{"task": "learn how to auth"}'

Note: Unnecessary use of -X or --request, POST is already inferred.
*   Trying ::1...
* TCP_NODELAY set
* connect to ::1 port 3000 failed: Connection refused
*   Trying 127.0.0.1...
* TCP_NODELAY set
* Connected to localhost (127.0.0.1) port 3000 (#0)
> POST /todos HTTP/1.1
> Host: localhost:3000
> User-Agent: curl/7.53.1
> Accept: */*
> Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJyb2xlIjoidG9kb191c2VyIn0.IF9PKgLZ_XA70Uz5vm0OxrqYTCQdXxBA0Oz4uK8lBqM
> Content-Type: application/json
> Content-Length: 29
> 
* upload completely sent off: 29 out of 29 bytes
< HTTP/1.1 401 Unauthorized
< Transfer-Encoding: chunked
< Date: Fri, 15 Sep 2017 21:58:23 GMT
< Server: postgrest/0.4.3.0
< Content-Type: application/json; charset=utf-8
< WWW-Authenticate: Bearer error="invalid_token", error_description="JWSError JWSInvalidSignature"
< 
* Connection #0 to host localhost left intact
{"message":"JWSError JWSInvalidSignature"}%     

postgrest 0.4.3.0
PostgreSQL 9.6.5
Fedora 26

All 4 comments

In v4.3 we require a secret of at least 32 characters. See if that helps, and we can update the docs. Thanks for your report.
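
To make the 32-character requirement concrete, here is an added example (not code from the thread or from PostgREST itself) of an HS256 verifier that refuses keys shorter than the hash output, which is what RFC 7518 section 3.2 requires for HS256 and why a 5-byte secret like "secret" is rejected before the signature is ever compared. It decodes the token from the report above without verifying it, signs and verifies a fresh token with a constructed 32-byte secret, and classifies failures so the reader can tell "secret too short" apart from a genuine signature mismatch. The secrets and the `classify` helper are constructed for this example.

```python
import base64
import hashlib
import hmac
import json

# RFC 7518 section 3.2: an HS256 key MUST be at least the hash output size (256 bits).
MIN_HS256_SECRET_BYTES = 32

# Token posted in the report above (header {"alg":"HS256","typ":"JWT"}, payload {"role":"todo_user"}).
TUTORIAL_TOKEN = (
    "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9."
    "eyJyb2xlIjoidG9kb191c2VyIn0."
    "IF9PKgLZ_XA70Uz5vm0OxrqYTCQdXxBA0Oz4uK8lBqM"
)

# Constructed secrets for the example: one 32 bytes long, one that is too short.
GOOD_SECRET = "0123456789abcdef0123456789abcdef"
SHORT_SECRET = "secret"


def b64url_encode(data: bytes) -> str:
    """Base64url without padding, as JWS requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(s: str) -> bytes:
    """Restore the padding the JWS encoding stripped, then decode."""
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def check_secret(secret: str) -> None:
    """Reject keys that are shorter than the HMAC-SHA256 output size."""
    n = len(secret.encode("utf-8"))
    if n < MIN_HS256_SECRET_BYTES:
        raise ValueError(f"HS256 secret is {n} bytes; at least {MIN_HS256_SECRET_BYTES} required")


def decode_unverified(token: str):
    """Return (header, claims) WITHOUT checking the signature; for diagnostics only."""
    header_b64, payload_b64, _sig_b64 = token.split(".")
    return json.loads(b64url_decode(header_b64)), json.loads(b64url_decode(payload_b64))


def sign_hs256(claims: dict, secret: str) -> str:
    """Produce a compact JWS (JWT) signed with HMAC-SHA256."""
    check_secret(secret)
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = (
        b64url_encode(json.dumps(header, separators=(",", ":")).encode())
        + "."
        + b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    )
    sig = hmac.new(secret.encode("utf-8"), signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(sig)


def verify_hs256(token: str, secret: str) -> dict:
    """Verify the signature and return the claims; raise ValueError on any failure."""
    check_secret(secret)
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(b64url_decode(header_b64))
    # Only the configured algorithm is accepted; the token does not get to choose it.
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(secret.encode("utf-8"), f"{header_b64}.{payload_b64}".encode("ascii"),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        raise ValueError("JWSInvalidSignature")
    return json.loads(b64url_decode(payload_b64))


def classify(token: str, secret: str) -> str:
    """Constructed helper: name the reason a token is rejected, or 'ok'."""
    try:
        check_secret(secret)
    except ValueError:
        return "secret-too-short"
    try:
        verify_hs256(token, secret)
    except ValueError as exc:
        return "invalid-signature" if "JWSInvalidSignature" in str(exc) else "malformed"
    return "ok"


if __name__ == "__main__":
    print(decode_unverified(TUTORIAL_TOKEN))
    print("tutorial token with 'secret':", classify(TUTORIAL_TOKEN, SHORT_SECRET))
    fresh = sign_hs256({"role": "todo_user"}, GOOD_SECRET)
    print("fresh token with matching 32-byte secret:", classify(fresh, GOOD_SECRET))
    print("fresh token with a different 32-byte secret:", classify(fresh, GOOD_SECRET[::-1]))
```

The point for operators: when a server reports an invalid signature, check the configured key's length first. A key-length rejection happens before any HMAC comparison, so a token that is perfectly well-formed and signed with the same short secret on both sides still fails, which is exactly the symptom in the report.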

A secret of 32 characters works. Thanks.

I believe postgrest should notify the user somehow that the secret is less than 32 characters :)

I opened a docs pull request to help clarify the 32-char minimum.

We can improve postgrest's error message later when https://github.com/frasertweedale/hs-jose/issues/46 gets closed due to https://github.com/frasertweedale/hs-jose/commit/59ca5e656370e5b7812faadf5234aa9b0724e782 in the check-jwk branch of jose.
