Use Signed Cookies in jwt Middleware #2398

Open
HeyITGuyFixIt opened this issue Mar 21, 2024 · 4 comments · May be fixed by #2403
@HeyITGuyFixIt (Contributor)

What version of Hono are you using?

4.1.3

What runtime/platform is your app running on?

Node.JS

What steps can reproduce the bug?

Set up a signed cookie with jwt (imports and the surrounding route handler added so the snippet runs; the original only showed the setSignedCookie call):

import { Hono } from 'hono'
import { setSignedCookie } from 'hono/cookie'
import { sign } from 'hono/jwt'

const app = new Hono()

app.post('/login', async (c) => {
  const payload = {
    sub: 'user123',
    role: 'admin',
  }
  const secret = 'mySecretKey';
  // The JWT is signed with `secret`; the cookie carrying it is then signed
  // a second time with the cookie secret 'secret ingredient'.
  await setSignedCookie(c, 'session', await sign(payload, secret), 'secret ingredient', {
    path: '/',
    secure: true,
    domain: 'example.com',
    httpOnly: true,
    maxAge: 1000,
    expires: new Date(Date.UTC(2000, 11, 24, 10, 30, 59, 900)),
    sameSite: 'Strict',
  });
  return c.text('ok')
})

Then set up the jwt middleware (import added):

import { jwt } from 'hono/jwt'

const secret = 'mySecretKey';
// The middleware reads the raw value of the 'session' cookie and verifies it
// as a JWT with `secret`; there is no option for the cookie signing secret.
app.use(
  '/auth/*',
  jwt({
    secret,
    cookie: 'session'
  })
)

What is the expected behavior?

I should be able to access a resource when the cookie is set.

What do you see instead?

Trying to access a resource that is using the jwt middleware returns with a 401.

Additional information

jwt middleware needs a parameter to specify the secret for the cookie and needs to be able to handle signed cookies.

@HeyITGuyFixIt (Contributor, Author)

Lain on Discord mentioned having this issue on January 8th on Cloudflare.

@yusukebe (Member)

Hi @HeyITGuyFixIt

I think the cookie value is not set in the header property, so JWT middleware can't read it.

JWT middleware will read the cookie header in the Request object. Could you confirm that your request has the correct cookie?

@HeyITGuyFixIt (Contributor, Author)

I logged the headers to the console and was able to see the cookies at the time of the request. I forgot that in my application I am using the host prefix. I still don't have a way to specify the prefix other than adding the prefix to the cookie name in the middleware. E.g., with a cookie called jwt, I tried jwt({ cookie: '__Host-jwt', ... }). The response still errors out, but with an error description of "token verification failure", now likely due to it being a signed cookie. Previously, I was getting "no authorization included in request".

@adwait-godbole

Facing the same issue, JWT middleware is unable to work with cookies that were signed. If the cookie wasn't signed then JWT middleware is able to parse it correctly without any 401.
