jwt in the authorization header even if authorization failed #342

opya · 2023-06-02T05:42:22Z

opya
Jun 2, 2023

Hi guys,

I wondered if there is a specific reason to set_jwt in rereturn_json_response even if the login failed. Or I misconfigured something and did something wrong.

rodauth/lib/rodauth/features/jwt.rb

Lines 137 to 140 in cbdfde5

    
           def return_json_response 
        
             set_jwt 
        
             super 
        
           end

jeremyevans · 2023-06-02T14:33:42Z

jeremyevans
Jun 2, 2023
Maintainer

As the code you posted shows, JWTs are set for all JSON responses if you are using the jwt feature. Is this causing a problem in your application?

2 replies

thedumbtechguy Sep 3, 2023

@jeremyevans I saw a similar report on rodauth rails janko/rodauth-rails#213

That's what brought me here. Appears the returned token is valid.
And that might be a problem since the login attempt failed.

I'm yet to test myself but that's what the other report seems to claim.

jeremyevans Sep 3, 2023
Maintainer

The response body and status code indicate whether a request was successful. A JWT is always set for consistency, mirroring the non-JWT case where a session cookie is set. This is by design. It is possible to override the behavior and not set JWT for errors:

set_jwt_token do |token|
  super(token) unless json_response_error?
end

opya · 2023-06-02T14:58:09Z

opya
Jun 2, 2023
Author

no, no problems just curiosity on my side. I'm using jwt feature with use_jwt? false to fallback and use rack session and was wondering why the Authorization header appear. Thank you @jeremyevans

3 replies

janko Jun 2, 2023

Just wondering, why are you using the JWT feature if you're relying on Rack session? I would use just the JSON feature in this case.

opya Jun 3, 2023
Author

I'm using roda, sequel, and rodauth as the backend and react spa frontend. The react spa is an administrative app and there I want to use sessions instead of JWT tokens because I'm not sure which is the best way to store the token in the browser, so I'm trying to use sames_site: strict cookies. The ruby app is divided in tho two, the first one is that which interacts with react spa for administration and uses JWT as a cookie and the second one is API where we will use JWT as a token and then give the token to the clients in order to integrate with the second part of the app. I'm not sure which is the correct way to do the above with ruby/roda/sequel stack, I'm curious how you use roda and friends ? :)

janko Jun 4, 2023

Right, I'm the same, I don't know how to securely store the token in the browser, so I would prefer using Rack session for a SPA as well 🙂

jwt in the authorization header even if authorization failed #342

Uh oh!

Uh oh!

opya Jun 2, 2023

Replies: 2 comments · 5 replies

Uh oh!

jeremyevans Jun 2, 2023 Maintainer

Uh oh!

thedumbtechguy Sep 3, 2023

Uh oh!

jeremyevans Sep 3, 2023 Maintainer

Uh oh!

Uh oh!

opya Jun 2, 2023 Author

Uh oh!

janko Jun 2, 2023

Uh oh!

opya Jun 3, 2023 Author

Uh oh!

Uh oh!

janko Jun 4, 2023

opya
Jun 2, 2023

Replies: 2 comments 5 replies

jeremyevans
Jun 2, 2023
Maintainer

jeremyevans Sep 3, 2023
Maintainer

opya
Jun 2, 2023
Author

opya Jun 3, 2023
Author