custom verify with invalid JWT signature. #328

Open
ankem opened this issue Oct 17, 2019 · 3 comments
Comments

@ankem

ankem commented Oct 17, 2019

I am using a custom verify method. When I tamper with the signature part of the token I get a 500 error instead of a 401.

  • The code here gives null as the decoded token if the signature is not valid
  • When my verify method returns isValid as false, the returned credentials are null because the decoded value is null here
  • Then the toolkit's unauthenticated method is called here
  • Finally it fails here with the following error message and a 500 status code:
Debug: internal, implementation, error 
    AssertionError [ERR_ASSERTION]: Authentication data missing credentials information
    at new AssertionError (internal/assert.js:269:11)

Final response to client is

{
"statusCode": 500,
"error": "Internal Server Error",
"message": "An internal server error occurred"
}

Can you please let me know how to solve this issue.

@rjpcal
Contributor

rjpcal commented Sep 4, 2020

I have the same issue (and confirmed this is still occurring in 10.1.0).

It seems like if JWT.decode() returns null around https://github.com/dwyl/hapi-auth-jwt2/blob/master/lib/index.js#L129, then the result should be similar to what happens in the following catch if JWT.decode() threw an exception.

Alternatively the code responding to the !isValid case after a custom options.verify() call (https://github.com/dwyl/hapi-auth-jwt2/blob/master/lib/index.js#L229) could return payload: { credentials: credentials } or payload: { credentials: credentials || decoded } instead of payload: { credentials: decoded }, so that at least the user-provided verify() function can control the credentials value and avoid the 500. But really as the writer of a custom verify() function I am surprised to have the function called with decoded being null because it seems like that indicates a jwt-level error that should have been rejected earlier in the code flow.

Otherwise as @ankem points out there seems to be no way to work around the 500 with any changes to user application code.

If either approach seems reasonable I could put a small PR together along those lines.

rjpcal added a commit to OpenPathSec/hapi-auth-jwt2 that referenced this issue Sep 7, 2020
…t threw an exception

This prevents a custom verify() function from being called with
decoded=null, from which the function then has no way to avoid
producing a 500 response to the request.

Include "ms" in devDependencies since it's needed to run the
pre-commit hook.
@rjpcal
Contributor

rjpcal commented Sep 7, 2020

PR #352 submitted for this issue

nelsonic added a commit that referenced this issue Sep 8, 2020
Fix for #328 - treat JWT.decode() null return the same as if it threw an exception
@tinkeshwar

tinkeshwar commented Aug 4, 2021

Hi,
Can anyone help me, please?
I am getting a 500 on token expiry or an invalid token;
my issue is something to do with ValidationError: "attributes" is not allowed in Boom

Debug: auth, unauthenticated, error, token Error: Expired token
    at Object.raiseError (/var/www/html/dummies/tool/node_modules/hapi-auth-jwt2/lib/index.js:302:45)
    at Object.internals.authenticate (/var/www/html/dummies/tool/node_modules/hapi-auth-jwt2/lib/index.js:171:26)
    at processTicksAndRejections (internal/process/task_queues.js:93:5)
    at Object.authenticate (/var/www/html/dummies/tool/node_modules/hapi-auth-jwt2/lib/index.js:353:22)
    at exports.Manager.execute (/var/www/html/dummies/tool/node_modules/@hapi/hapi/lib/toolkit.js:60:28)
    at module.exports.internals.Auth._authenticate (/var/www/html/dummies/tool/node_modules/@hapi/hapi/lib/auth.js:258:30)
    at Request._lifecycle (/var/www/html/dummies/tool/node_modules/@hapi/hapi/lib/request.js:372:32)
    at Request._execute (/var/www/html/dummies/tool/node_modules/@hapi/hapi/lib/request.js:280:9)
Debug: internal, error ValidationError: "attributes" is not allowed
