JWT - invalid signature


fierce night

Hi - first-time poster here!

I'm facing a very strange problem where my JWT tokens all of the sudden are invalid. But only in my production environment, not local, not staging (this env is basically a mirror of prod).

Everything was working for a bit more than a month, but starting a few days ago, I encountered the "invalid signature" error. I haven't touched this part of the system since creating it, so, I'm very confused. And now I've struggled with this for some time, and I cannot fix it, or reproduce it...

I've read related posts, but they all boil down to signing something incorrectly, or the env vars being null. I checked this and none of these are the case.
This happened from one day to the next, and as mentioned, I've not touched this part of the system.

This is the full error log from my NestJS service:

[attached image]

This is the error I log out on Sentry:

{
message: invalid signature, 
name: JsonWebTokenError, 
stack: [Filtered]
}

This is how I sign:

const token = this.jwtService.sign(payload, {
  secret: this.configService.get("JWT_SECRET"),
  expiresIn: `${+this.configService.get("JWT_EXPIRATION_TIME")}s`,
});

This is how I verify:

const payload: TokenPayload = this.jwtService.verify(token, {
  secret: this.configService.get("JWT_SECRET"),
});

Some help would be greatly appreciated!

honest cedar

Given you already ruled out undefined env vars, all I can think of is some proxy incorrectly forwarding the authorization header.

fierce night

I will explore this option a bit - thanks for the response!
Though, my staging env is set up identically to my prod env in AWS (as much as it can be). And there, this is not a problem.

honest cedar

I guess you'll need more logs then. The error itself is not very informative.

fierce night

What logs could be informative here?
I've now confirmed that a secret exists & a properly formatted token is received in prod.
I don't like prod debugging....

steady plover

I would take the JWT and the secret to a JWT debugger like jwt.io and see if everything is valid in there.

open compass

"I haven't touched this part of the system since creating it"
Are you sure you don't just need to log in again? (previous token TTL hit)

fierce night

As with so many of these posts, the resolution is that the OP has made some major oversight...
The problem was that I had recently made the staging environment. And part of my system is a Chrome extension, which looks for a cookie with a token. It looks for it on a domain, with .includes, and my prod domain is a subset of my staging domain. I had not updated the extension. It found the staging cookie, not the prod one. Of course, not for any of our actual users, just for me...

So, thank you guys so much for quick responses and a lot of help!