I am trying to build a MERN stack Food Tracker application for a school project, I'm very new to the MERN stack, and I've come across a problem with making my server's Express routes private that I haven't been able to find a solution for through searching.
I've set up login functionality using Auth0. My routes and models are stored in separate files and my checkJwt middleware is stored in a separate file that I'm importing into my route files. I am also using cors. I've tested that everything is setup correctly for authentication by sending a request from my frontend to a route that was written directly into my server.js file, and I've also verified that my routes respond to my frontend when they are left public, but when I try to make my routes private, I get a 401 Unauthorized error.
checkJwt file:
const jwksRsa = require("jwks-rsa");
require("dotenv").config();
const audience = process.env.AUTH0_AUDIENCE;
const issuer = process.env.AUTH0_ISSUER;
module.exports = checkJwt = jwt({
secret: jwksRsa.expressJwtSecret({
cache: true,
rateLimit: true,
jwksRequestsPerMinute: 5,
jwksUri: `${issuer}.well-known/jwks.json`,
}),
audience: audience,
issuer: issuer,
algorithms: ["RS256"],
});
Server.js Setup:
app.use(cors({ origin: appOrigin }));
app.options("*", cors());
const profile = require("./backend/routes/profile");
//Test Route
app.get("/api/messages", checkJwt, (req, res) => {
res.send({
msg: "Testing authentication.",
});
});
// External route
app.use("/routes/profile", profile);
profile.js - Route file:
//Import checkJwt
const checkJwt = require("../../config/checkjwt");
//Import model
const Profile = require("../models/Profile");
//Router
router.post("/update/:user_id", checkJwt, (req, res, next) => {
//Code to update user information in database//
});
And, just in case it might help, I'm using axios to make the request on the frontend. Here is that code:
const onSubmit = async () => {
try {
const token = await getAccessTokenSilently();
const response = await axios.post(
`${apiUrl}routes/profile/update/${sub}`,
{
data: qs.stringify({
username: username,
}),
headers: {
Authorization: `Bearer ${token}`,
},
}
);
setMessage(response.data);
} catch (error) {
setMessage(error.message);
}
};
I've tried rewriting the request, turning it into a Promise, but because the request works when the route is left public, and I'm able to make requests of private routes that are directly written into my server.js, I suspect the issue is somewhere in how I'm accessing those external routes. Any help is greatly appreciated.
*Edit: I realized this morning that there was another big difference between my test route and problem route that I hadn't considered. Test route is a GET route and problem route is POST. When I changed one of my GET routes in the profile.js route file to include the checkJwt, it worked fine. So the issue is that I can't POST. Looking into this issue now, but there isn't much out there on how to specifically setup POST routes or how they would be different than GET routes.
I looked at this tutorial from Auth0 website, which is using a Passport strategy: https://auth0.com/blog/create-a-simple-and-secure-node-express-app/#Accessing-Guarded-Routes But I thought passport was the same as the checkJwt...just using different middleware to accomplish the same thing. Am I mistaken?
I originally followed this tutorial to set everything up: https://auth0.com/blog/complete-guide-to-react-user-authentication/
I also looked at this Auth0 Quickstart regarding permissions and scopes: https://auth0.com/docs/quickstart/backend/nodejs/01-authorization It kind of made it sound like not adding scopes or permissions and setting it up like the private without scopes would allow full access to the routes, but now I'm back to wondering if I need to set up those permissions for post...but there isn't much documentation on how that works.
Can anyone point me in the direction of a better tutorial for securing and accessing my POST routes?