[Coldbox 5.6.2][Lucee 4.5.5] Problem implementing the updated JWT Services

Hello,

I am working with the new JWT Validator. My code “works” when I test it using Postman. I can hit the /login endpoint with my username/password and a token is returned. When I use that token in the header of my request to a secured endpoint it works. When I hit the /logout endpoint the token is invalid and I can’t reach my secured endpoints with it.

Here is the part that makes me think even though that “works” it really isn’t working. If I request two different auth tokens, then log out one of them, neither of the tokens is valid any longer. Hmmm… ?

Second, even though I get expected results using Postman to test my api, when I try to configure Zapier it gets stuck in a 401 authentication loop. The login request returns 200 with the token, but then when Zapier tries to test a secured endpoint it throws a 401 and loops back to attempting to authenticate. I have confirmed Zapier is passing around the right token and the endpoints all work if I whitelist all of the handlers. Oh, and I have confirmed the 401 that Zapier is hitting is the default set by invalidAuthenticationEvent. I’ve changed all other 4xx errors to 403 to make sure I didn’t have embedded loops.

This led me to try calling jwtAuth().parseToken(event.getHTTPHeader('x-auth-token')) within one of my secured endpoints. It fails with

Type: InvalidTokenUser
Message: The user () was not found by the user service

Digging deeper this shows that sub is blank within the token payload.

When I output the decoded token from my login endpoint I see

{
    "message": "Token created and it expires in 60 minutes",
    "data": "",
    "payload": {
        "iat": 1571762332,
        "cid": "B5E81C1A-72D8-480E-8C1B-E922D219F6F1",
        "role": "user",
        "scopes": [
            "write",
            "read"
        ],
        "iss": "http://my.domain.local/",
        "sub": "",
        "exp": 1571765932,
        "jti": "A3CF651280621F5D8E9EECBA1CA74D81"
    }
}

Sub is blank? Do I need to set sub to my custom ID (currently cid)? Or is this provided by the system?

I’m sure I have other errors in what I’m doing but this is where I’m currently stuck in my debugging process.

Thanks for any help on this. I appreciate it.

Jeff

Here is my workaround

Coldbox.cfc (3.87 KB)

CampaignReports.cfc (3.43 KB)

APIAuth.cfc (1.6 KB)

UserService.cfc (2.2 KB)

User.cfc (2.08 KB)

Further debugging on my part has demonstrated to me that the JWT Validator process isn’t firing at all. Nothing on the list at https://coldbox-security.ortusbooks.com/jwt/jwt-validator#validator-process is occurring.

I also doubt that storage is working properly. It seems the configuration within Coldbox.cfc isn’t being used properly.
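To tell a validator that never fires apart from a token that is simply missing its subject, here is an added Python check (not code from this thread, from ColdBox or from cbsecurity) that signs the claims shown above under a constructed HS256 secret and lists what a validator would reject the token for; the secret, the helper names and the clock value are assumptions.

```python
import base64
import hashlib
import hmac
import json

# Constructed sample values: the claims mirror the payload shown in the post,
# the secret is a placeholder and is not anything from the original thread.
SECRET = b"constructed-example-secret"
SAMPLE_CLAIMS = {
    "iat": 1571762332, "cid": "B5E81C1A-72D8-480E-8C1B-E922D219F6F1",
    "role": "user", "scopes": ["write", "read"],
    "iss": "http://my.domain.local/", "sub": "", "exp": 1571765932,
    "jti": "A3CF651280621F5D8E9EECBA1CA74D81",
}

def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def sign_hs256(claims: dict, secret: bytes) -> str:
    """Build a compact JWT (header.payload.signature) with an HS256 MAC."""
    header = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(secret, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{b64url_encode(sig)}"

def inspect_token(token: str, secret: bytes, issuer: str, now: int) -> list:
    """Return the problems a validator would reject this token for (empty = ok)."""
    problems = []
    try:
        header_b64, body_b64, sig_b64 = token.split(".")
    except ValueError:
        return ["malformed: expected three dot-separated segments"]
    signed = f"{header_b64}.{body_b64}".encode()
    expected = hmac.new(secret, signed, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        problems.append("signature does not verify")
    claims = json.loads(b64url_decode(body_b64))
    if not claims.get("sub"):
        problems.append("sub is empty: no user id for the user service to load")
    if claims.get("iss") != issuer:
        problems.append(f"iss mismatch: {claims.get('iss')!r}")
    if claims.get("exp", 0) <= now:
        problems.append("token expired")
    if not claims.get("jti"):
        problems.append("jti missing: logout cannot revoke this token on its own")
    return problems
```

Run against the post's payload the only finding is the empty sub, which is exactly what "The user () was not found by the user service" reports; filling sub with the user's id makes the same token pass.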