Verdaccio: "JWT not active" error returned by server when requesting /verdaccio/packages from the Web

Created on 28 Sep 2019  ·  3 comments  ·  Source: verdaccio/verdaccio

We are using verdaccio 4 and we want to configure JWT authentication.

We have read:

When we set the jwt configuration as in the sample:

security:
  legacy: false
  api:
    jwt:
      sign:
        expiresIn: 60d
        notBefore: 1
  web:
    sign:
      expiresIn: 7d
      notBefore: 1

We are having an issue after logging in with a user and its password from the Web:

The GET request to http://localhost:4873/-/verdaccio/packages returns the following content:

{
  "error": "jwt not active"
}

What have I done wrong?

needs triage

All 3 comments

Use notBefore: 0

The JWT documentation explains the reason for it. I will close, but feel free to PR some improvement to the docs if you consider it misleading for users.

> The JWT documentation explains the reason for it.

Thanks @juanpicado, I have read the documentation and I was surprised not to get any explanation regarding many options.

  • notBefore: expressed in seconds or a string describing a time span zeit/ms.
    > Eg: 60, "2 days", "10h", "7d". A numeric value is interpreted as a seconds count. If you use a string be sure you provide the time units (days, hours, etc), otherwise milliseconds unit is used by default ("120" is equal to "120ms").

I don't find any reason here, I don't even know what this variable does and I have to guess what it is for just from the variable name...

I have set notBefore: 0 for both web and API. It still returns:

{
  "error": "jwt not active"
}

Do you mind reopening @juanpicado ?

Since I couldn't find what notBefore is for.

  • Is 0 the recommended parameter for security.web.sign.notBefore and security.api.jwt.sign.notBefore?
  • Where did you get more explanation?
  • Why do you use notBefore: 1 in your config sample?

I have found what the notBefore option is for after asking on SO, and it is not in the documentation as you mentioned:

You can check this document

https://tools.ietf.org/html/rfc7519

The section 4.1.5. "nbf" (Not Before) Claim:

> The "nbf" (not before) claim identifies the time before which the JWT MUST NOT be accepted for processing. The processing of the "nbf" claim requires that the current date/time MUST be after or equal to the not-before date/time listed in the "nbf" claim. Implementers MAY provide for some small leeway, usually no more than a few minutes, to account for clock skew. Its value MUST be a number containing a NumericDate value. Use of this claim is OPTIONAL.

Source: https://stackoverflow.com/questions/58150945/what-is-options-notbefore-in-auth0-node-jsonwebtoken-for?answertab=oldest#tab-top

The error is still here with notBefore: 0, to reproduce:

  1. Activate jwt authentication.
  2. Go to the webui and login.
  3. After login, check the console and you will see the 401 error with jwt not active.
  4. CTRL+F and search for a private package you have access to; you will notice you can't see it.
  5. Refresh the page with F5.
  6. Now it works and you can see all packages for which you have access.