Auth0 token - Node Jsonwebtoken - Cloudflare Workers

Hello!

  1. I’m using the react auth0 provider to get an Auth0 token.
  2. I’m taking this TOKEN and passing it via URL param (as a test for now, eventually it would be a header) and trying to decode it using the jsonwebtoken verify function.
  3. The token is not getting verified.

This is my code (I’m setting type = "webpack" in my wrangler.toml so I can import modules):

```javascript
import { verify } from 'jsonwebtoken'

addEventListener('fetch', event => {
  event.respondWith(handleRequest(event.request))
})

async function handleRequest(request) {
  const url = new URL(request.url)
  const { searchParams } = url
  let token = searchParams.get('token')

  if (url.pathname === '/auth') {
    try {
      verify(
        token,
        STRING_SECRET,
        { algorithms: ['RS256'] },
        function(err, payload) {
          console.log('payload', err, payload)
        },
      )
    } catch (err) {
      console.log('error decoding', err.message, err.name)
    }
  }

  return new Response('No response', {
    headers: { 'content-type': 'text/plain' },
  })
}
```

The console.log('payload', err, payload) is not showing an err or a payload. This is what the Cloudflare logs are showing:

```
"logs": [
    {
      "message": [
        "payload",
        {},
        null
      ],
      "level": "log",
      "timestamp": 1654695913617
    }
  ],
```

How can I verify this token? Appreciate any ideas.

Thank you!

Hi @tools1,

Welcome to the Auth0 Community!

Are you seeing a valid token in your worker? You can print it and decode manually using jwt.io.

Is your secret set up correctly? You may want to consider fetching it directly from your tenant using the code snippet here:

Hi @dan.woda, FYI the provided solution above doesn’t actually work in Cloudflare Workers - but at no fault of Auth0. The node-jsonwebtoken and jwks-rsa packages require nodejs builtins and globals. Cloudflare Workers is nodejs “like”, but not actually full nodejs apis. They do offer the ability to turn on a compatibility mode which uses https://github.com/ionic-team/rollup-plugin-node-polyfills/ to emulate all the nodejs stuff. But sadly it still fails with the jwks-rsa package.

The most obvious dependency here is using the nodejs http and https libraries to make requests instead of the fetch API, which is now standardized in all browsers and nodejs >=17.5. The same would apply to the nodejs crypto module vs browser JS crypto APIs.

Also FYI, Cloudflare removed their Workers+Auth0 blog post/sample this year due to a security flaw (I think it was not validating the JWT after it was returned from authorization server). So there are no good samples available today for CloudFlare+Auth0.

Ideally, the auth0 packages would be updated to have the option of using browser native APIs for http requests and crypto. But I realize that may not be a quick/easy task.

@benstechlab Thanks for the added info!
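
The browser-native approach raised in this thread, as an added example that is not code from any poster, Auth0 or Cloudflare: RS256 verification using only Web Crypto, with the algorithm pinned and `iss`, `aud` and `exp` checked after the signature. The `demo-key` kid, the sample claims and the `YOUR_TENANT_DOMAIN` placeholder are assumptions, and the key pair and token are constructed in the block so it runs offline.

```javascript
// Added example: RS256 JWT verification using only Web Crypto (no Node built-ins).
// In a Worker, jwks would come from fetch('https://YOUR_TENANT_DOMAIN/.well-known/jwks.json').

// A Worker always has crypto.subtle; the import is a fallback for local runs on older Node.
const subtleReady = globalThis.crypto?.subtle
  ? Promise.resolve(globalThis.crypto.subtle)
  : import('node:crypto').then((m) => m.webcrypto.subtle);

const fromB64url = (s) =>
  Uint8Array.from(atob(s.replace(/-/g, '+').replace(/_/g, '/')), (c) => c.charCodeAt(0));
const toB64url = (bytes) =>
  btoa(String.fromCharCode(...bytes)).replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
const utf8 = (s) => new TextEncoder().encode(s);
const parseJson = (part) => JSON.parse(new TextDecoder().decode(fromB64url(part)));
const RSA = { name: 'RSASSA-PKCS1-v1_5', hash: 'SHA-256' };

async function verifyJwt(token, jwks, { issuer, audience, now = Date.now() / 1000 }) {
  const subtle = await subtleReady;
  const [h, p, s, extra] = String(token).split('.');
  if (!h || !p || !s || extra !== undefined) throw new Error('malformed token');
  const header = parseJson(h);
  // Pin the algorithm on the server side; never let the token header choose it.
  if (header.alg !== 'RS256') throw new Error('unexpected alg');
  const jwk = jwks.keys.find((k) => k.kty === 'RSA' && k.kid === header.kid);
  if (!jwk) throw new Error('unknown kid');
  const key = await subtle.importKey('jwk', jwk, RSA, false, ['verify']);
  const ok = await subtle.verify(RSA.name, key, fromB64url(s), utf8(`${h}.${p}`));
  if (!ok) throw new Error('bad signature');
  // Claims are trusted only after the signature check has passed.
  const claims = parseJson(p);
  if (claims.iss !== issuer) throw new Error('wrong issuer');
  if (![].concat(claims.aud).includes(audience)) throw new Error('wrong audience');
  if (typeof claims.exp !== 'number' || claims.exp <= now) throw new Error('token expired');
  return claims;
}

// Constructed sample: throwaway key pair and token so the example runs offline.
async function makeSample(claims) {
  const subtle = await subtleReady;
  const params = { ...RSA, modulusLength: 2048, publicExponent: new Uint8Array([1, 0, 1]) };
  const { publicKey, privateKey } = await subtle.generateKey(params, true, ['sign', 'verify']);
  const enc = (obj) => toB64url(utf8(JSON.stringify(obj)));
  const input = `${enc({ alg: 'RS256', typ: 'JWT', kid: 'demo-key' })}.${enc(claims)}`;
  const sig = new Uint8Array(await subtle.sign(RSA.name, privateKey, utf8(input)));
  const jwk = { ...(await subtle.exportKey('jwk', publicKey)), kid: 'demo-key' };
  return { token: `${input}.${toB64url(sig)}`, jwks: { keys: [jwk] } };
}
```

Inside a Worker's fetch handler, call `verifyJwt` with the token taken from the `Authorization` header and return a 401 response when it throws.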