JSON web token appears to be doing no work in app
rjmk opened this issue · 4 comments
Related to #5, but more extreme. Even within a session, it appears that the JSON web token is doing nothing. In my fork in which I have uninstalled json-web-token (https://github.com/rjmk/learn-json-web-tokens), I have identical behaviour to the web app. Namely:
- Seeing the video when the correct credentials are supplied
- Never being able to access '/private' (even directly after authenticating)
Perhaps more illustratively, if you add a console.log for req.headers.authorization at the top of the listener, you will see it is always undefined.
I am not sure if the way you are using the authorization header is to spec (http://www.ietf.org/rfc/rfc2617.txt). It appears to be only a meaningful header on the client request. The response may feature a www-authenticate header, which I have tried using with this app but to no avail yet.
Let me know if I've misunderstood anything (which is, of course, pretty likely!)
Finally _someone_ is paying attention...! 😄
You are _100%_ correct Rafe. ✅
The req.headers.authorization will _always_ be undefined because the client is not saving the JWT the server is sending on auth, so the client is never sending it back to the server...
What needs to be done to make this example "real world" is:
a) need to save the token on the client (e.g. to localStorage) so it can be sent back to the server on each _subsequent request_.
b) add a link to /private on the /auth page that the person needs to explicitly _click_ in order to view the "private content".
And... if the person has not authenticated then visiting /private should fail because they don't have a JWT in their header.
You have not misunderstood; you've done the homework and spotted the opportunity to finish the example app. Do you have time to help "fix" this?
Sure, I'd love to help finish the app!
Before I get to work, it would be great to get an answer to #47 so I know which kind of storage I should use! Also, it would seem to suggest reconfiguring this app to be a one pager. I am happy to do that, but just want to check it is the appropriate approach.
This issue is being automatically closed as it's more than a year old. Please feel free to reopen it if it's still relevant to your project.