Need help with PGRST301 JWSError JWSInvalidSignature #2823
-
Greetings

For some reason I'm having trouble with authentication. Show me my errors, please.

Technical setup:

Setup for anon role, authenticator and technical schema 'postgrest' (for JWT generation and storage, accessed only by superuser):

drop schema public cascade;
create role "postgrest_anon" noinherit nocreatedb nosuperuser nologin;
create role "postgrest_authenticator" noinherit nocreatedb nosuperuser login password 'postgrest_authenticator_password';
revoke all on schema "postgrest" from public;
revoke all on all tables in schema "postgrest" from public;
revoke all on all functions in schema "postgrest" from public;
grant "postgrest_anon" to "postgrest_authenticator";
alter default privileges for role "postgrest_anon" grant all on schemas to "postgrest_authenticator";
alter role "postgrest_authenticator" in database "db_name" set search_path = "postgrest", test;
alter role "postgrest_anon" in database "db_name" set search_path = "postgrest", test;

PGRST_DB_URI: postgres://postgrest_authenticator:postgrest_authenticator_password@postgres-db:5432/db_name
PGRST_DB_ANON_ROLE: postgrest_anon
PGRST_JWT_SECRET: WHPPJMDJZCYRGBJTNIWASUXFEUVJQWAII

No problems there, anonymous requests work fine if access on the object is explicitly granted to the anon / public user.

==============================================================

Setup for user role (there could be many schemas for one user and many users):

create role "nikolai.nalbantov" noinherit nocreatedb nosuperuser login password 'user_password';
create schema if not exists "nikolai_nalbantov_branch_1_schema";
create table "nikolai_nalbantov_branch_1_schema".v_editor_tables (mt_json json, mt_table_name text, mt_table_schema text);
revoke all on schema "nikolai_nalbantov_branch_1_schema" from public;
alter schema "nikolai_nalbantov_branch_1_schema" owner to "nikolai.nalbantov";
grant all on all tables in schema "nikolai_nalbantov_branch_1_schema" to "nikolai.nalbantov";
grant all on all sequences in schema "nikolai_nalbantov_branch_1_schema" to "nikolai.nalbantov";
grant all on all routines in schema "nikolai_nalbantov_branch_1_schema" to "nikolai.nalbantov";
alter default privileges for role "nikolai.nalbantov" grant all on schemas to "postgrest_authenticator";
alter default privileges in schema "nikolai_nalbantov_branch_1_schema" for role "nikolai.nalbantov" grant select, insert, update, delete on tables to "postgrest_authenticator";
alter default privileges in schema "nikolai_nalbantov_branch_1_schema" for role "nikolai.nalbantov" grant all on sequences to "postgrest_authenticator";
alter default privileges in schema "nikolai_nalbantov_branch_1_schema" for role "nikolai.nalbantov" grant all on routines to "postgrest_authenticator";
alter default privileges in schema "nikolai_nalbantov_branch_1_schema" for role "nikolai.nalbantov" grant all on types to "postgrest_authenticator";
grant "nikolai.nalbantov" to "postgrest_authenticator";
alter role "postgrest_authenticator" in database "db_name" set pgrst.db_schemas = 'nikolai_nalbantov_branch_1_schema, ...';
notify pgrst, 'reload config';
notify pgrst, 'reload schema';

I've generated two JWT tokens with secret 'WHPPJMDJZCYRGBJTNIWASUXFEUVJQWAII' (33 symbols), algorithm HS256.

One for role postgrest_authenticator (expiration set to year 2055):

One for user nikolai.nalbantov (expiration = +4 hours from now()):

Both tokens are valid (according to jwt.io) and correctly delivered in-app to the request.

And here's the problem: any attempt at an authorized request with a JWT token fails like this:

curl -X GET "http://127.0.0.1:3000/v_editor_tables" \
  -H "Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJyb2xlIjoibmlrb2xhaS5uYWxiYW50b3YiLCJleHAiOjE2ODY3MzQzMjR9.vZBZkh1066n3ICZKt25n-ungO9tnyh_u8Lct8rNYFD8" \
  -H "Prefer: return=representation" \
  -H "Content-Type: application/json" \
  -H "Accept-Profile: nikolai_nalbantov_branch_1_schema"

{"code":"PGRST301","details":null,"hint":null,"message":"JWSError JWSInvalidSignature"}

Same result from the app, from curl inside Docker, and from curl outside Docker (example above).

Please, what am I doing wrong?
Replies: 3 comments 2 replies
-
Is it possible that the JWT secret somehow dropped to None after the config reload? And if yes, how do I correctly update it in-database?

UPD: just used

alter role "postgrest_authenticator" in database "db_name" set pgrst.jwt_secret = 'WHPPJMDJZCYRGBJTNIWASUXFEUVJQWAII';
notify pgrst, 'reload config';

Same result, PGRST301
-
Forgot to mention: unsuccessful attempts look like this in the log:

postgrest-api | 172.19.0.4 - - [14/Jun/2023:04:06:14 -0300] "POST /meta_env HTTP/1.1" 401 - "" "python-requests/2.31.0"
postgrest-api | 172.19.0.1 - - [14/Jun/2023:04:18:17 -0300] "GET /v_editor_tables HTTP/1.1" 401 - "" "curl/8.0.1"

For some reason there's no user identifier. A successful attempt from postgrest_anon has a user ID (code 400 is unrelated here):

postgrest-api | 172.19.0.1 - postgrest_anon [14/Jun/2023:04:19:04 -0300] "POST /v_editor_tables HTTP/1.1" 400 - "" "curl/8.0.1"
-
I get Signature Error when verifying the tokens in https://jwt.io. The same secret gives me different tokens, so these ones should work.

For postgrest_authenticator:

For nikolai.nalbantov (this should give a "JWT expired" error):

I got curious and verified that using 'WHPPJMDJZCYRGBJTNIWASUXFEUVJQWAII' (including the ') as secret worked for your examples. Removing the ' when building your JWT should …