Graceful Errors for an Invalid JWT

Hey nOograss

Sorry for the late response. Do you still have this problem?

Hi,
I'm still using symfony2.8,
I'm having a weird issue, the firewall is correclty triggered on urls containing /api but even without the token i'm able to get the response from the controller.
Here is part of the logs:

Checking for guard authentication credentials. {"firewall_key":"api","authenticators":1} []
[2018-04-05 21:53:30] security.DEBUG: Calling getCredentials() on guard configurator. {"firewall_key":"api","authenticator":"HME\\HMEBundle\\Security\\TokenAuthenticator"} []
[2018-04-05 21:53:30] security.DEBUG: Passing guard token information to the GuardAuthenticationProvider

The token is false after the extract and thus going into the 'return;'

[EDIT]
I'll restart from the beginning and implement the testClasses, maybe i overlooked something in the configuration

Thank you so much. It solved my issue too.

Hey Br!

Ah yes! So, this can be tricky, because the error means that the token is invalid. But, it could be invalid for many different reasons: you're fetching it from the request wrong, you have some problem with your public/private key, etc. The very nature of the cryptography makes it difficult to know what's going wrong :).

But, here are a few tips to debug:

1) If you wrap the line that is failing in a try-catch, then in the catch, add dump($e->getReason());. This should one of these constants: https://github.com/lexik/Le... - which may help debugging.

2) Double-check (by dumping) that $credentials looks how you expect before calling decode() on it.

If the cause is invalid_token, and you've verified that the $credentials DOES look correct, then there is likely some issue with your signing process, which could mean there's an issue with your public/private key.

Cheers!

I've got the other exception using Symfony 3.4, and I don't know why. On Exception method onAuthenticationFailure is not called, I just see a different error message:

"message": "Invalid JWT Token",
"class": "Lexik\\Bundle\\JWTAuthenticationBundle\\Exception\\JWTDecodeFailureException",

Script failes on line:
$data = $this->JWTEncoder->decode($credentials);

Can you help me with that? I don't really know how to fix that :(

I fixed my issue ;)

Hey Zuhayer,

I think you can wrap your code related to the DefaultEncoder with a try-catch block, then catch the exception which you need (as I see it's the JWTDecodeFailureException) and create a new ApiProblem in this catch block with any message you want in this case. Does it makes sense for you?

Cheers!

How can I handle the exceptions in vendor/lexik/jwt-authentication-bundle/Encoder/DefaultEncoder.php with custom JSON response as you did in AppBundle/Api/ApiProblem.php?

Should I try to handle them in conditions in ApiProblem::__construct or make a new JWT exception class?

e.g. In DefaultEncoder.php::isExpired() shows this long message -> http://pastebin.com/u4mqscVy

I want it to show JSON response as:
{
"error": 1,
"status": 500(or which ever is appropriate),
"msg": "Expired JWT Token",
"data": { }
}

Had the same issue. Code above works like a charm. Thanks

Hey John!

Ah, ok - I've got it on my list to run through the tutorial with v2 and see what we need to change on our side.

The problem (actually it's awesome - the bundle author we great enough to make this change by my request for version 2) is in getUser() of our JwtTokenAuthenticator. In v1.4, if decode() failed, it returned false - and we're handling this very nicely. The problem was that, as a user of the bundle, we couldn't get more information about *why* it failed (was the token invalid? expired?). So in v2, the bundle throws different types of exceptions on failure, which kind of awesome (different exception classes for each failure type).

Because of this change, we need to surround that line in a try-catch, something like this:

public function getUser($credentials, UserProviderInterface $userProvider)
{
    try {
        $data = $this->jwtEncoder->decode($credentials);
    } catch (JWTDecodeFailureException $e) {
        // if you want to, use can use $e->getReason() to find out which of the 3 possible things went wrong
        // and tweak the message accordingly
        // https://github.com/lexik/LexikJWTAuthenticationBundle/blob/05e15967f4dab94c8a75b275692d928a2fbf6d18/Exception/JWTDecodeFailureException.php

        throw new CustomUserMessageAuthenticationException('Invalid Token');
    }

    // ...
}

That should do it :). Also, another cool thing about the new version is that they have added their *own* Guard authenticator to the bundle, which is based off of our's in this tutorial. If you want to, you can actually use it instead of building your own (building your own is still a good exercise, but now you have the opportunity to not *need* to do this).

Cheers!

I was passing an invalid token and that's when it responds with that html error. But on the 1.4 version, with an invalid token, I get the json response of "Invalid token".

Hey John!

Well, I'm actually glad you installed the brand-new version 2 - I'm hoping we can make that work without too much effort! And thanks to your comment and the awesome maintainer of that bundle, version 2.0.1 fixes the autowiring problem: https://github.com/lexik/Le.... Fast service!

About your error, if the token is correct, you don't get that error. That's good :). So, when exactly *do* you get that error? Is it when you pass *no* token? Or is it when you pass an invalid token (perhaps because you're testing to see how that works)? Is that behavior different on 2.0 versus 1.4 of the bundle?

Cheers!

Just for the record, I dropped version 2 of the jwt bundle and installed the version you used 1.4. Everything works like a charm!

I found the h1 in the terminal, this error makes no sense to me:
Unable to verify the given JWT through the given configuration. If the "lexik_jwt_authentication.encoder" encryption options have been changed since your last authentication, please renew the token. If the problem persists, verify that the configured keys/passphrase are valid.

If the token is right, I don't get this error. I get my response from the controller.

Also, I did post another question on part 3 of this course about trying to get those key files up to Heroku and configured properly. I've found nothing on the subject for guidance. Does anyone use Heroku for Symfony apps/apis??

Hey John!

Hmm, so usually, when you see a ton of HTML in your terminal, it's because you're seeing Symfony's HTML 500 exception page. But, it's also possible is that you're somehow seeing one of *your* HTML pages (not an exception page). But, it's probably an exception of some sort - our system only returns JSON if (a) we return JSON from the matched controller or (B) we are handling some ApiProblemException, where we've built extra logic to return JSON.

Try one of these 2 things:
1) Make the request that fails (I assume when you do this, you're hitting your application in the "dev" environment?). Then, go to http://localhost:8000/app_dev.php/_profiler. You should see a list of requests - and the one that you JUST made should be on top (or perhaps second, but at least very near the top). Click the sha link on the right to enter the profiler for that request. Then, check out the Exception tab - it should show you the HTML exception so you can read it. If you're doing this in a test, then you can also do this - but you'll need to temporarily turn the profiler on by setting the "collect" key to true and the "toolbar" key also to true in config_test.yml (https://github.com/symfony/.... Then, make sure you go to http://localhost:8000/app_test.php/_profiler

2) Or, just try to read the HTML exception message in your terminal. It's not super-easy at first, but if you scroll all to the top and start scanning down, you'll eventually see an h1 that has the exception message in it. You could alternatively try to tail var/cache/dev.log (or test.log) to see the exception there.

So, these are both strategies to see *what* the exception is, so that we can fix it (I'm still assuming that the problem is an exception!).

About the JWT fix, thanks for posting that! It sounds like an update to the library may have introduced a second service which implements this interface. I'll go look at the library now to see if I can have those guys fix that in the bundle to make our lives easier.

Cheers!

I am having trouble with the error not returning as a json response when I use a wrong or invalid token. I get a ton of html that overloads my terminal on a curl. It works fine if I put a valid token in the Bearer Header. My route method is GET. Any ideas what maybe happening? also, another issue I ran into earlier but forgot to comment there was the autowire for jwt service. I got this error:

Unable to autowire argument of type "Lexik\Bundle\JWTAuthenticationBundle\Encoder\JWTEncoderInterface" for the service "app.security.jwt_token_authenticator". Multiple services exist for this interface (lexik_jwt_authentication.encoder.default, lexik_jwt_authentication.encoder.lcobucci).

So I used arguments: ['@lexik_jwt_authentication.encoder.default', '@doctrine.orm.entity_manager', '@api.response_factory']