How to sign a url with jwt

Hello

I have an app which has 2 separate forms on separate endpoints. App runs on expressjs.
All endpoints of the app are protected, if the user is not logged in they cannot get/post to the endpoints.

I would like to have a dynamic url for rendering the second form based on who filled out the first form.

I have managed to get everything working with generating a random url (e.g. sGGjgSPyen).

But I’m getting problems when I try to generate a magic-link like thing… I would like to have authorization to the second form when I use the generated random url, not the token I signed the data with.

At the moment, if a post request is made from the first form, I am generating the url and then signing it with jsonwebtoken, and if I make a get request to the url I have generated I will verify the url.
But I am not authorized to make that get request. However, if I replace the token with the generated url I have access.

Am I missing something, or how could I sign a token to the url “sGGjgSPyen” and then access the second form from the url?

Thank you in advance.

I make a get request to the url I have generated I will verify the url.
But I am not authorized to make that get request. However, if I replace the token with the generated url I have access.

How do you make this request? Where do you put that token, as query parameter in the URL, as POST body or as Bearer token in the header?

Since you’re, from my understanding, in full control of the resource server (the app that serves the second form), you should also be in control of how the token is being verified (which at the moment only you know). Maybe you can post the code snippet that handles the authorization on the backend, and also the raw requests you make, to get a better understanding.

I am generating the url and then signing it with jsonwebtoken

That’s a JWT that you generate on your end; there’s no involvement of the Auth0 platform at that time (other than the initial login at the beginning, but that’s even before the user can submit the first form and thus also before the generation of the random url), right?

At the moment I thought to put it nowhere, I thought I could sign the generated URL and compare the tokens and go from there.

Code is as follows:

const express = require('express');
const app = express();
const randomId = require('random-id');
const jwt = require('jsonwebtoken');

// Length and character set for the random part of the URL.
let len = 30;
let pattern = 'aA0';

// First form: generate the random url and sign it as a JWT payload.
app.post('/api/application', (req, res) => {
  const url = randomId(len, pattern);
  jwt.sign(url, 'secretkey', (err, token) => {
    res.json({
      token,
      url
    });
  });
});

// Second form: the random url from the path is passed to jwt.verify as if it
// were the signed token, so the request is rejected unless the token itself is
// used in the path (the behaviour described above).
app.get('/application/:url', (req, res) => {
  jwt.verify(req.params.url, 'secretkey', (err, authData) => {
    if (err) {
      res.sendStatus(403);
    } else {
      res.json({
        message: 'Access granted…',
        authData
      });
    }
  });
});

app.listen('3000', () => console.log('Listening on port: 3000'));

We can even get rid of the first form… My goal is just to generate a random url and if I make a GET request to it, I would like to have access to it.

I think it wouldn’t really matter if I would just use the token as a parameter in the URL, though I would like to keep the URL as slim as possible, because I would like to email the URL to the customer, and the URL should be accessed only once, so there shouldn’t be a problem that someone could retrieve the payload from the token.

In this case, sounds very similar to Get tokens for users who don't exist

Mentioned approach there is very basic; maybe that’s already sufficient for you. It doesn’t involve the JWT at all.

If my routes will be protected then I still have to use JWT, I guess.

Yes, but that can simply be stored in a 2-column database table on your end, consisting of user id (sub claim in JWT) and code.
Especially when one user can create multiple, let’s say, 100 of these URLs, you probably wouldn’t want to include that info in a JWT. I think that approach would work without over-engineering things.

This topic was automatically closed 15 days after the last reply. New replies are no longer allowed.