
I'm setting up token-based authentication using express-jwt, but the middleware that should send an error message when the token is missing or invalid is not working.

index.js file

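const express = require('express');
const router = express.Router();
const {getAllUsers: findUser} = require('../controllers/users');
const {register: registerUser, login: loginUser} = require('../controllers/authentication');
const jwt = require('express-jwt');

// express-jwt verifies the bearer token against JWT_SECRET. On a missing or
// invalid token it passes an error named 'UnauthorizedError' to next(), which
// the app-level error handler turns into a 401. With userProperty set, the
// decoded payload is attached as req.auth instead of the default req.user.
const auth = jwt({
  secret: process.env.JWT_SECRET,
  userProperty: 'auth'
});

// users — protected. router.route() accepts only a path, so passing `auth`
// as a second argument to route() is silently ignored; the guard has to be
// given to the method handler, ahead of the controller.
router
  .route('/users')
  .get(auth, findUser);

// registration — public
router
  .route('/register')
  .post(registerUser);

// login — public: the caller has no token yet, so no auth guard belongs here
// (the extra argument to route() in the original was ignored anyway).
router
  .route('/login')
  .post(loginUser);

module.exports = router;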

Users Controller:

const mongoose = require('mongoose');
// Looks up the already-registered 'Users' model; the schema itself is defined
// elsewhere (app.js requires ./app_api/models/db before mounting the routes).
const User = mongoose.model('Users');

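/**
 * GET /users — responds with every user document as `{ user: [...] }`.
 *
 * Every code path must send a response, otherwise the request hangs: the
 * original only replied when the query succeeded and never reported errors.
 *
 * @param {object} req Express request (already passed the auth guard).
 * @param {object} res Express response.
 */
const getAllUsers = (req, res) => {
  User.find((err, users) => {
    if (err) {
      // Keep the database error server-side; don't echo it to the client.
      return res.status(500).json({ message: 'Could not retrieve users' });
    }
    // NOTE(review): documents are returned exactly as stored. If the schema
    // holds credential fields (password hash/salt), project them out here —
    // the schema is not visible in this file.
    res.status(200).json({ user: users });
  });
};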

// Public surface of the users controller.
exports.getAllUsers = getAllUsers;

app.js file:

// Populates process.env from a .env file; presumably JWT_SECRET, read by the
// API router, comes from there — confirm against the deployment setup.
require('dotenv').load();
const express = require('express');
const path = require('path');
// favicon is required but its only use is commented out further down.
const favicon = require('serve-favicon');
const logger = require('morgan');
const cookieParser = require('cookie-parser');
const bodyParser = require('body-parser');
const passport = require('passport');

// Side-effect requires: register the mongoose models and passport strategy.
require('./app_api/models/db');
require('./app_api/config/passport');

const index = require('./app_server/routes/index');
const apiRoutes = require('./app_api/routes/index');


const app = express();

// view engine setup
app.set('views', path.join(__dirname, 'app_server','views'));
app.set('view engine', 'ejs');

// uncomment after placing your favicon in /public
//app.use(favicon(path.join(__dirname, 'public', 'favicon.ico')));
app.use(logger('dev')); 


   // Registration order is execution order: parsers and passport must come
   // before the routers that rely on them, and the error handlers after.
   app.use(bodyParser.json());
   app.use(bodyParser.urlencoded({ extended: false }));
   app.use(cookieParser());
   app.use(express.static(path.join(__dirname, 'public')));



 app.use(passport.initialize());

   // Server-rendered pages at '/', JSON API (incl. the JWT-guarded routes) under '/api'.
   app.use('/', index);
   app.use('/api', apiRoutes);

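   // error handlers (registered after the routers, as Express requires)
  // Catch unauthorised errors raised by express-jwt (missing/invalid token).
  app.use(function (err, req, res, next) {
    if (err.name === 'UnauthorizedError') {
      // Static message on purpose: don't echo err.message (token/verification
      // details) back to the caller.
      return res.status(401).send('invalid token...');
    }
    // Anything else must be forwarded, otherwise the request hangs with no
    // response and never reaches the generic error handler below.
    next(err);
  });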
// catch 404 and forward to error handler
app.use(function(req, res, next) {
  const err = new Error('Not Found');
  err.status = 404;
  next(err);
});

// error handler
app.use(function(err, req, res, next) {
  // set locals, only providing error in development
  res.locals.message = err.message;
  res.locals.error = req.app.get('env') === 'development' ? err : {};

  // render the error page
  res.status(err.status || 500);
  res.render('error');
});


module.exports = app;

I am applying the middleware to the users route, which returns a list of all users; only authorized users should be able to access that list.

The middleware does not seem to be working, as I can still get the users list even when I do not send a token. What am I doing wrong?

Please note: I'm using Postman to test this.


Update (Figured out the problem):

It was a very simple fix; I can't believe I didn't see it before. The issue was where I was placing auth.

I was placing it after the route URL, like so:

router
 .route('/users', auth)   // route() takes only a path: auth is silently ignored here
 .get(findUser);

The correct way is to pass it to the method handler, since route() accepts only a path and ignores any extra arguments:

router
 .route('/users')
 .get(auth, findUser);   // auth runs first and rejects requests without a valid token

The above fixed my issue.




According to the README in the repository, you should check whether the user property is present in the request.

The JWT authentication middleware authenticates callers using a JWT. If the token is valid, req.user will be set with the JSON object decoded to be used by later middleware for authorization and access control.

Your findUser function should handle it:

/**
 * Defence-in-depth guard: answers 401 when the JWT middleware did not attach a
 * decoded token to the request. The property checked must match the
 * requestProperty/userProperty configured on the express-jwt middleware
 * (here the default, `user`).
 * @param {object} req Express request.
 * @param {object} res Express response.
 * @returns {*} The result of res.sendStatus(401) when unauthenticated, otherwise undefined.
 */
function findUser(req, res) {
  const hasDecodedToken = Boolean(req.user);
  if (hasDecodedToken === false) {
    return res.sendStatus(401);
  }
  // do something else
}

You might also consider changing userProperty to requestProperty.

  • thanks for the answer. Shouldn't the error handling be done by the middleware? That's my main issue: the middleware is not functioning. I should be getting an `invalid token....` error message but I'm not. – Skywalker Aug 29 '17 at 13:31
  • Can you show how you've implemented this route in your app? What you've provided looks incomplete. It might be an issue with route configuration. – Michał Pietraszko Aug 29 '17 at 18:50
  • Please see my updated question. I've added my `app.js` file, `index.js` file and the controller file. I hope this helps. – Skywalker Aug 30 '17 at 08:54
    I fixed the issue. I was being an idiot and made a stupid mistake. Thank you for trying to help me though; it's much appreciated. :) – Skywalker Aug 30 '17 at 10:02
  • I was placing `auth` at the wrong place. I've updated my question and added my solution there. – Skywalker Aug 30 '17 at 11:00
  • ooooooooooh, I didn't notice that :D – Michał Pietraszko Aug 30 '17 at 19:27