# No JWT halts the API entirely

1 messages · Page 1 of 1 (latest)

heavy raven
#

When I target the endpoint that requires the JWT token, but I don't include this JWT token, the API halts and stops processing other requests. I guess this should not be the correct behaviour?

I get the unauthorized response in Postman, but still the API halts. I am expecting to receive the unauthorized response, but still process other requests.
It is just using AuthGuard('jwt') built in. No custom. Same for the strategy.
I get this error:

throw err || new common_1.UnauthorizedException();

UnauthorizedException: Unauthorized
this happens on this piece of code inside the package passport:

handleRequest(err, user, info, context, status) {
    if (err || !user) {
        throw err || new common_1.UnauthorizedException();
    }
    return user;
}

Seems to throw an exception that is not handled properly, so it halts the API.

Any idea how to avoid the halting?

heavy raven
#

To reproduce, just set up a NestJS app with

#

import { Injectable } from '@nestjs/common';
import { AuthGuard } from '@nestjs/passport';

// Guard that delegates entirely to the built-in passport 'jwt' strategy
@Injectable()
export class JwtAuthPermissionsGuard extends AuthGuard('jwt') {}

#

import { Injectable } from '@nestjs/common';
import { PassportStrategy } from '@nestjs/passport';
import { ExtractJwt, Strategy } from 'passport-jwt';

@Injectable()
export class JwtStrategy extends PassportStrategy(Strategy) {
  constructor() {
    super({
      // Read the token from the "Authorization: Bearer <token>" header
      jwtFromRequest: ExtractJwt.fromAuthHeaderAsBearerToken(),
      ignoreExpiration: false,
      // JWT_SECRET is the app's signing secret, defined elsewhere
      secretOrKey: JWT_SECRET,
    });
  }
}

#

Those are default features already.

#

Built in.

neon badge
#

Okay. Can you create a reproduction repository? This seems like a bug and I'd like an easy way to reproduce it

heavy raven
#

OK.

heavy raven
#

Hey, I found the bug.

#

I had some logic inside the canActivate(), overriding it. But I was calling the super.canActivate().

#

What I found is that if you don't call super.canActivate() at the end of the call, it fails.

#

You cannot call it before... and do some logic later on.

#

@neon badge

neon badge
#

Strange. So you weren't calling super.canActivate() at all and it was causing a problem?

heavy raven
#

I send you the piece of code:

canActivate(
  context: ExecutionContext,
): boolean | Promise<boolean> | Observable<boolean> {
  const isPublic: boolean = this.reflector.get(
    'isPublic',
    context.getHandler(),
  );
  if (isPublic) return true;
  // Verify JWT token

  // super.canActivate() returns a Promise for the jwt strategy, so it is
  // never falsy here; its rejection is not awaited and surfaces later
  const proceed = super.canActivate(context);
  if (!proceed) return false;

  /*console.log('Checking for needed permissions');
  const roles: string[] = this.reflector.get('roles', context.getHandler());
  console.log(roles);

  if (roles == undefined || roles.length === 0) return false; //return false to throw ForbiddenException

  //Check user roles
  const request = context.switchToHttp().getRequest();
  console.log(request);
  console.log(request.user);
  const user: CustomerDto = request.user;
  console.log(user);
  console.log(roles[user.role]);
  if (roles[user.role] === undefined) return false; */
  return true;
}
#

I shifted super.canActivate() to the last return, to be the last line of execution, and it works well.

neon badge
#

Oh, you need to await the super.canActivate() call if you do it in the middle of the method

heavy raven
#

Ahhh I see. How can I introduce the await? I was getting an error when making canActivate() async.

neon badge
#

async canActivate(context: ExecutionContext): Promise<boolean>

heavy raven
#

Yeah, it is good.

#

Thank you so much.

#

Really appreciated.

#

so much thanks!!