Verifying a token

[msr-kelvin-marques]

I'm using Next.js and I'm trying to set the middleware as an auth guard for the internal API routes. Using Auth0 for auth and via @auth0/nextjs-auth0 SDK. Trying jose for the token verification.

This is how my current code is looking like:

  const JWKS = jose.createRemoteJWKSet(
    new URL(`${process.env.AUTH0_ISSUER_BASE_URL}/.well-known/jwks.json`)
  );

  try {
    const response = await new Promise<NextResponse>((resolve) => {
      jose.jwtVerify(token, JWKS, {
        issuer: `${process.env.AUTH0_ISSUER_BASE_URL}/`,
        audience: process.env.AUTH0_AUDIENCE,
        algorithms: ['RS256'],
      })
      .then(({payload, protectedHeader}) => {
        resolve(NextResponse.json(payload))
      })
      .catch((error) => {
        resolve(NextResponse.json(
          { message: "Authentication failed: Invalid token", error },
          { status: 401 }
        ))
      })
    });

    return response;
  } catch (error) {
    return NextResponse.json({ error }, { status: 500 });
  }

I'm passing a valid token for an active session, but I cannot get anything but

{
    "message": "Authentication failed: Invalid token",
    "error": {
        "code": "ERR_JWS_INVALID",
        "name": "JWSInvalid"
    }
}

What would I be missing?

[panva]

Hello

What would I be missing?

I dunno, what does the error message say?

[panva]

Can you log the token value passed to jwtVerify please? I suspect you're slicing that from the authorization header and maybe, just maybe, you're cutting off part of the token.

[panva]

Or maybe you're passing the full value of the authorziation header and you're not handling the token type Bearer infront of the actual token.

[msr-kelvin-marques]

The Bearer type is there. Unfortunately I cannot share the token.

[panva]

Yeah so, Bearer <JWT> is not the token you should be passing to verify. Just the JWT.

[msr-kelvin-marques]

omg I feel so dumb... It worked. Thank you @panva !