JWT Returns Invalid Signature Error Even When I enter the token in Authorization

javascript node.js jwt json-web-token express-jwt
flipvinyl picture flipvinyl · Feb 13, 2016 · Viewed 13.5k times · Source

I already looked at this stack overflow entry Node.js - Express.js JWT always returns an invalid token error in browser response but I couldn't find a solution there.

I have attempted to write a small node app as a proof of concept for using JWT access tokens. I went to http://jwt.io/ and attempted to follow along with the video tutorial. I got as far as getting a token generated but when it came to actually using the token, I get a "UnauthorizedError: invalid signature" error. Below is my source code

const myUsername = 'ironflag';
const express = require('express');
const expressJWT = require('express-jwt');
const bodyParser = require('body-parser');
const jwt = require('jsonwebtoken');
const PORT = 2000;

// App
const app = express();

//fake data
let killerBeez = {
  members: 9,
  location: 'staten island',
  stateOfBeing: 'wu-tang forever',
  memberList: [
    {
      name: 'RZA',
      alias: ['Bobby Steels', 'Prince Raheem', 'Bobby Digital', 'The Abbot']
    },
    {
      name: 'GZA',
      alias: ['The Genius','Drunken Monk']
    },
    {
      name: 'Ol\' Dirty Bastard',
      alias: ['Big Baby Jesus', 'Dirt McGirt', 'Ason Unique']
    },
    {
      name: 'Inspecta Deck',
      alias: 'Rebel INS'
    },
    {
      name: 'Raekwon the Chef',
      alias: 'Lex Diamond'
    },
    {
      name: 'U-God',
      alias: 'Baby U'
    },
    {
      name: 'Ghostface Killah',
      alias: ['Tony Starks', 'Big Ghost', 'Ironman']
    },
    {
      name: 'Method Man',
      alias: ['Johnny Blaze', 'Iron Lung']
    },
    {
      name: 'Capadonna'
    }
  ]
};

app.use(bodyParser.urlencoded());
app.use(expressJWT({ secret: 'wutangclan' }).unless({ path: ['/', '/login', '/wutangclan'] }));



app.get('/', function (req, res) {
  res.send('Hello world\n');
});
app.get('/wutangclan', function (req, res) {
  res.send(killerBeez);
});

app.post('/login', function (req, res) {

  if(!req.body.username || myUsername !== req.body.username) {
    res.status(400).send('username required');
    return;
  }

  let myToken = jwt.sign({username: req.body.username},  '36 chambers');
  res.status(200).json({token: myToken});

});
app.post('/shaolin ', function (req, res) {
  if(req.body.location) {
    killerBeez.location = req.body.location;
    res.status(200).send('location updated');
  } else {
    res.status(400).send('location required');
  }

});
app.listen(PORT, function () {
  console.log(`Example app listening on port ${PORT}!`);
});

Answer

alvaropaco picture alvaropaco · Jul 27, 2018

I had the same issue when I tried to integrate the Auth0 authentication in my NodeJS application. I used the express-jwt module for the access token authentication and I got the invalid signature error. In my case I used a wrong client secret. I used the secret to a created application but the correct secret on the server side must be the API secret instead. So check your credentials, the secret to generate the token must be the secret to the API.

Related questions

Invalidating JSON Web Tokens

For a new node.js project I'm working on, I'm thinking about switching over from a cookie based session approach (by this, I mean, storing an id to a key-value store containing user sessions in a user's browser) to a …

Read More
Best practices to invalidate JWT while changing passwords and logout in node.js?

I would like to know the best practices to invalidate JWT without hitting db while changing password/logout. I have the idea below to handle above 2 cases by hitting the user database. 1.Incase of password changes, I check for password(…

Read More
Payload error in jsonwebtoken

I am making a web application using nodejs and angular cli I'm using JWT to authenticate my login function . But when I process it threw this error Error: Expected "payload" to be a plain object. at validate (D:\Mean_Projects\…

Read More