Bitrot in auth0-express-sample?

I’m unable to get the auth0-react-sample to connect to the auth0-express-js-sample as per the otherwise excellent auth0 blog post.

When I attempt the fetch in auth0-react-sample, I get an immediate “Failed to fetch” result (in the error handler).

I’ve attempted the same URL from a command line using wget and passing the bearer token.

Using wget, any attempt to connect to the port (6060) that auth0-express-js-sample is listening on results in a TLS complaint:

wget --header="Authorization: 'Bearer "elided'" --secure-protocol=TLSv1 https://tms.byron.zeetix.com:6060
--2022-10-05 17:38:17--  https://tms.byron.zeetix.com:6060/
Resolving tms.byron.zeetix.com (tms.byron.zeetix.com)... 172.30.2.147
Connecting to tms.byron.zeetix.com (tms.byron.zeetix.com)|172.30.2.147|:6060... connected.
GnuTLS: An unexpected TLS packet was received.
Unable to establish SSL connection.

Since the connection appears to be established correctly, I interpret the complaint to mean that auth0-express-js-sample is not properly completing the handshake with any attempt to connect to it.

I’ve adjusted the clientOrigins as follows:

const clientOrigins = [
  "https://localhost:4040",
  "https://tms.byron.zeetix.com:4040",
  "https://covid.tms.byron.zeetix.com:4040",
  "http://localhost:4040",
  "http://tms.byron.zeetix.com:4040",
  "http://covid.tms.byron.zeetix.com:4040",
];

I therefore don’t think I’m seeing a CORS issue.

I’m able to use wget with other ports and services, and they all work fine.

I invite guidance about how to get the auth0-express-js-sample running.

BTW, this is all running on a robust AWS EC2 instance running an up-to-date Rocky Linux v8.6 system.

I’m not well-versed in nodejs, but I do have several other node express services that work fine. My next step is to create my own version of auth0-express-js-sample from scratch (it doesn’t look like there’s much there).

Is there some easy or straightforward work-around or update that will get me through this bottleneck?

Update: I’ve at least made a little progress.

I can now at least get into auth0-express-js-sample from wget on a command line. I removed the --secure-protocol=TLSv1 argument and changed it to http as per the recipe. I used a token harvested from a current front-end session. Now I get the following:

 wget --header="Authorization: Bearer eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCIsImtpZCI6IkNYRWpPVnFyMnZKT1ptejV0RG95diJ9.eyJpc3MiOiJodHRwczovLzAtMC16ZWV0aXgudXMuYXV0aDAuY29tLyIsInN1YiI6ImF1dGgwfDYxMjAyYjg3MTkzMjIzMDA2YTZiMjkyYyIsImF1ZCI6WyJodHRwczovL2V4cHJlc3Muc2FtcGxlIiwiaHR0cHM6Ly8wLTAtemVldGl4LnVzLmF1dGgwLmNvbS91c2VyaW5mbyJdLCJpYXQiOjE2NjQ5OTQ1NTMsImV4cCI6MTY2NTA4MDk1MywiYXpwIjoiejJiS2JMOVlqNFhCMzZ2SUtld3I2bkdhb0locUlHYXYiLCJzY29wZSI6Im9wZW5pZCBwcm9maWxlIGVtYWlsIn0.s3paNvkRElgTu7tqQCjDMirMcvfWvMdl6lFqZk5AMkK9wWnWlRoPFTLcw4-OUuhxiNqKiJJaAmxh2pN2DXGYadLGUyjFQSVHD6nKU_ggSu2WBDq1pjoN16m2W6RQOPKHUk7osznuhdVKF2m5Nh7yMsHG7St8XwjkT_fr7QSYIq-x-wPob8PeXvb2sZ5y3zJwF7ZevOIUSecqbc4gMCIUiaEALhyP9RpdwOaTf7w240Jkw0TxNR-0kq-PcPfkHpqjvxM789TMF-nQBvevI3DsDJjaPHHJZawf6kZfqyx-ngYFDB9PuY0aWCCjdrB0e5EkP8wMG90iWfba0lZihl0aWg" http://tms.byron.zeetix.com:6060/api/messages/protected-message
--2022-10-05 18:30:11--  http://tms.byron.zeetix.com:6060/api/messages/protected-message
Resolving tms.byron.zeetix.com (tms.byron.zeetix.com)... 172.30.2.147
Connecting to tms.byron.zeetix.com (tms.byron.zeetix.com)|172.30.2.147|:6060... connected.
HTTP request sent, awaiting response... 500 Internal Server Error
2022-10-05 18:30:18 ERROR 500: Internal Server Error.

In the “debug” console of Visual Studio Code (where I’m running the server), I see the following in response to this wget:

API Server listening on port 6060
UnauthorizedError {name: 'UnauthorizedError', message: 'jwt audience invalid. expected: 6129637993ecfd0040e1a435', code: 'invalid_token', status: 401, inner: JsonWebTokenError, …}

In the embedded terminal, I see this:

UnauthorizedError: jwt audience invalid. expected: 6129637993ecfd0040e1a435
    at /home/tms/auth0_samples/auth0-express-js-sample/node_modules/express-jwt/lib/index.js:105:22
    at /home/tms/auth0_samples/auth0-express-js-sample/node_modules/jsonwebtoken/verify.js:167:16
    at getSecret (/home/tms/auth0_samples/auth0-express-js-sample/node_modules/jsonwebtoken/verify.js:90:14)
    at Object.module.exports [as verify] (/home/tms/auth0_samples/auth0-express-js-sample/node_modules/jsonwebtoken/verify.js:94:10)
    at verifyToken (/home/tms/auth0_samples/auth0-express-js-sample/node_modules/express-jwt/lib/index.js:103:13)
    at nextTask (/home/tms/auth0_samples/auth0-express-js-sample/node_modules/async/dist/async.js:5789:27)
    at next (/home/tms/auth0_samples/auth0-express-js-sample/node_modules/async/dist/async.js:5797:13)
    at /home/tms/auth0_samples/auth0-express-js-sample/node_modules/async/dist/async.js:327:20
    at Immediate.<anonymous> (/home/tms/auth0_samples/auth0-express-js-sample/node_modules/jwks-rsa/lib/integrations/express.js:41:14)
    at processImmediate (internal/timers.js:466:21) {
  code: 'invalid_token',
  status: 401,
  inner: JsonWebTokenError: jwt audience invalid. expected: 6129637993ecfd0040e1a435
      at /home/tms/auth0_samples/auth0-express-js-sample/node_modules/jsonwebtoken/verify.js:167:21
      at getSecret (/home/tms/auth0_samples/auth0-express-js-sample/node_modules/jsonwebtoken/verify.js:90:14)
      at Object.module.exports [as verify] (/home/tms/auth0_samples/auth0-express-js-sample/node_modules/jsonwebtoken/verify.js:94:10)
      at verifyToken (/home/tms/auth0_samples/auth0-express-js-sample/node_modules/express-jwt/lib/index.js:103:13)
      at nextTask (/home/tms/auth0_samples/auth0-express-js-sample/node_modules/async/dist/async.js:5789:27)
      at next (/home/tms/auth0_samples/auth0-express-js-sample/node_modules/async/dist/async.js:5797:13)
      at /home/tms/auth0_samples/auth0-express-js-sample/node_modules/async/dist/async.js:327:20
      at Immediate.<anonymous> (/home/tms/auth0_samples/auth0-express-js-sample/node_modules/jwks-rsa/lib/integrations/express.js:41:14)
      at processImmediate (internal/timers.js:466:21)
      at process.callbackTrampoline (internal/async_hooks.js:130:17)
}

This all tells me that the wget request is at least able to connect to the server, even though it’s passing invalid arguments.

I’ve changed the value of REACT_APP_SERVER_URL in the .env of the front-end to match the wget url:

REACT_APP_SERVER_URL=http://tms.byron.zeetix.com:6060

When invoked from the front-end, I still see no evidence that the fetch is getting to the backend at all.

I finally got this working.

There were several issues, some in my code and some in the sample.

The most important issue is that for a variety of reasons, I must use https for all calls. This may be an artifact of my development stack.

The solution path that worked for me was to replace auth0-express-js-sample with a new service that expects and handles https calls. I did this by adding https, fs, and several other packages to a newly-generated node-express service.

At the top of authz/checkJWT, I had to update the require of express-jwt to read as follows:

const { expressjwt: jwt } = require("express-jwt");

This change apparently comes with the more recent version of express-jwt that I’m using.

I made some similar minor changes in messages.router.js and messages.service.js.

All of this meant that I was able to use the following in the .env for auth0-react-sample:

REACT_APP_SERVER_URL=https://my.domain.name.com:6060

Note that it uses https. Also note that because it uses genuine certificates, there must be an actual domain name rather than localhost.

For others running on AWS EC2 instances, another gotcha is that there must be an entry in /etc/hosts that maps the local domain name to the PRIVATE AWS EC2 IP address. This constraint is imposed by the AWS security architecture.

I also found and fixed a bug in my backend configuration – I had been using the “ID” of the auth0 API rather than its “Identifier” as the value of AUTH0_AUDIENCE.

Having slogged through all these changes, everything now works as advertised.

This was a worthwhile exercise, as I’ve learned a lot about how all this works. It might be nice to update the excellent example to use https connections everywhere, even though that does entail having valid certificates.
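The "jwt audience invalid" error and the ID-versus-Identifier mix-up above can be reproduced offline. The following is an added example, not code from the post or from the Auth0 sample: it builds a constructed token with the same claim shape as an Auth0 access token (the real token's aud listed "https://express.sample" and the tenant's userinfo URL) and applies only the audience rule that express-jwt enforces. It does no signature verification, so it is a diagnostic aid, not a replacement for the jwks-rsa-backed middleware.

```javascript
// Added example (not from the original post or the Auth0 sample): decode a JWT
// payload and compare its `aud` claim with the configured AUTH0_AUDIENCE to
// reproduce the "jwt audience invalid" diagnosis offline. The signature is NOT
// checked here; express-jwt + jwks-rsa must still verify it in a real API.
function b64urlEncode(obj) {
  return Buffer.from(JSON.stringify(obj))
    .toString("base64")
    .replace(/=+$/, "")
    .replace(/\+/g, "-")
    .replace(/\//g, "_");
}

function b64urlDecode(str) {
  return Buffer.from(str.replace(/-/g, "+").replace(/_/g, "/"), "base64");
}

// Constructed token: same claim layout as an Auth0 access token, where `aud`
// carries the API Identifier plus the userinfo endpoint. Placeholder signature.
const SAMPLE_JWT = [
  b64urlEncode({ alg: "RS256", typ: "JWT", kid: "example-kid" }),
  b64urlEncode({
    iss: "https://example-tenant.us.auth0.com/",
    sub: "auth0|example-user",
    aud: ["https://express.sample", "https://example-tenant.us.auth0.com/userinfo"],
    exp: Math.floor(Date.now() / 1000) + 3600,
    scope: "openid profile email",
  }),
  "placeholder-signature",
].join(".");

function decodePayload(token) {
  const parts = token.split(".");
  if (parts.length !== 3) throw new Error("malformed JWT");
  return JSON.parse(b64urlDecode(parts[1]).toString("utf8"));
}

// Mirrors express-jwt's audience rule: `aud` may be a string or an array and
// the configured audience must appear in it.
function audienceMatches(token, expectedAudience) {
  const aud = decodePayload(token).aud;
  const list = Array.isArray(aud) ? aud : [aud];
  return list.includes(expectedAudience);
}

// Reports a mismatch in the same wording as the error seen in the post.
function diagnoseAudience(token, expectedAudience) {
  return audienceMatches(token, expectedAudience)
    ? "audience ok"
    : `jwt audience invalid. expected: ${expectedAudience}`;
}
```

Setting AUTH0_AUDIENCE to the API's hex "ID" fails this check, while the API "Identifier" (the URL-style value in `aud`) passes.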
