“没有可用的验证密钥";尝试访问由Devise JWT保护的API时 [英] "No verification key available" when attempting to access API secured by Devise JWT
问题描述
我安装了gem devise-jwt
.我可以执行登录请求,并作为回报收到授权令牌,但是当我尝试访问安全的端点时,会收到消息:无验证码.
这是我的 config/initializers/devise.rb
文件中的内容:
config.jwt做| jwt |jwt.secret = Rails.application.credentials.secret_key_jwtjwt.dispatch_requests = [['POST',%r {^/users/sign_in $}],['GET',%r {^/$}]]jwt.request_formats = {用户:[:json]}jwt.expiration_time = 8.hours.to_i结尾
我可以正常登录并获得授权令牌:
blaine @ devbox:〜/langsite/backend [master] $ curl -D--X POST -d"user [email] =brlafreniere@gmail.com& user [password] = blaine"http://localhost:3001/users/sign_in.jsonHTTP/1.1 201已创建X-Frame-Options:SAMEORIGINX-XSS-Protection:1;模式=阻止X-Content-Type-Options:nosniffX-Download-Options:noopenX许可跨域策略:无推荐人政策:严格起源于交叉起源地点:/内容类型:application/json;字符集= utf-8授权:承载eyJhbGciOiJIUzI1NiJ9.eyJqdGkiOiIwZWNjMmIzNi04ZmZiLTQ2Y2QtYTZkNi1iZGRjZmU4YTQxNmMiLCJzdWIiOiIxIiwic2NwIjoidXNlciIsImF1ZCI6bnVsbCwiaWF0IjoxNjA1ODQ4MDQ2LCJleHAiOjE2MDU4NzY4NDZ9.66Hg_NG3E79-ybC4rJK_XkkSxpLcWHWTlOiw96hyvjgETag:W/"cfe36cdecee4080492f63e8c8f0c091b"缓存控制:max-age = 0,私有,必须重新验证X-Request-Id:c961fc61-a1b4-49f0-bc16-63f19a0abd22X运行时:0.279213变化:起源传输编码:分块
似乎我也暴露了Authorization标头:
Rails.application.config.middleware.insert_before 0,Rack :: Cors做允许做起源'*'资源('*',标头::any,公开:[授权"],方法::any)结尾结尾
我的用户模型:
class用户<应用记录包括Devise :: JWT :: RevocationStrategies :: JTIMatcher#包括默认的devise模块.其他可用的是:#:可确认,:可锁定,:超时,:可追踪和:omniauthable设计:database_authenticatable,:registerable,:recoverable,:rememberable,:validatable,:jwt_authenticatable,jwt_revocation_strategy:自我结尾
我很困惑,任何帮助表示赞赏.谢谢.
TLDR;确认实际上已设置 jwt.secret
我遇到了同样的问题,在我的情况下,这是由于通过 systemd
启动Puma时未正确读取 jwt.secret
引起的.
config.jwt do | jwt |jwt.secret = ENV ['JWT_SECRET_KEY']#为空白,仅当通过systemd或其他守护程序启动时jwt.dispatch_requests = [['POST',%r {^/login $}]]jwt.revocation_requests = [['DELETE',%r {^/logout $}]]jwt.expiration_time = 2.weeks.to_i结尾
由于某种原因,在远程服务器上,通过 systemd
服务启动时, env ['JWT_SECRET_KEY']
为空.但是,手动启动Puma时,效果很好.
我通过硬编码字符串作为秘密发现了这一点.突然起作用了.
config.jwt do | jwt |jwt.secret ="012345678901234567890123456789"#突然工作jwt.dispatch_requests = [['POST',%r {^/login $}]]jwt.revocation_requests = [['DELETE',%r {^/logout $}]]jwt.expiration_time = 2.weeks.to_i结尾
如果 jwt.secret
为空,则无论出于何种原因,它仍将生成 auth令牌
.像您一样,这让我失望了,因为它使我认为我的设置是正确的.
要测试是否遇到类似问题,请暂时将乱码作为秘密.如果可行,那么您走在正确的轨道上
显然,您不应该对字符串进行硬编码,而应调查并确认您的机密已正确输入到上述配置中.
对我来说,这意味着在 systemd
服务配置中指定一个 EnvironmentFile
,其中包含 key = value
对(非常类似于 dotenv
文件).
I have the gem devise-jwt
installed. I can perform a login request, and receive an Authorization token in return, but when I try to access a secured endpoint, I receive the message: No verification key available.
blaine@devbox:~/langsite/backend [master] $ curl -H "Authorization: Bearer eyJhbGciOiJIUzI1NiJ9.eyJqdGkiOiIwZWNjMmIzNi04ZmZiLTQ2Y2QtYTZkNi1iZGRjZmU4YTQxNmMiLCJzdWIiOiIxIiwic2NwIjoidXNlciIsImF1ZCI6bnVsbCwiaWF0IjoxNjA1ODQ2NjczLCJleHAiOjE2MDU4NzU0NzN9.ZyqvylXeLZbrRM2V2s5qsyHxiGgElng58HwQ8qjOHCU" http://localhost:3001/quiz_sentences.json
{"error":"No verification key available"}
This is what I have in my config/initializers/devise.rb
file:
config.jwt do |jwt|
jwt.secret = Rails.application.credentials.secret_key_jwt
jwt.dispatch_requests = [
['POST', %r{^/users/sign_in$}],
['GET', %r{^/$}]
]
jwt.request_formats = { user: [:json] }
jwt.expiration_time = 8.hours.to_i
end
I can log in just fine and receive an Authorization token:
blaine@devbox:~/langsite/backend [master] $ curl -D - -X POST -d "user[email]=brlafreniere@gmail.com&user[password]=blaine" http://localhost:3001/users/sign_in.json
HTTP/1.1 201 Created
X-Frame-Options: SAMEORIGIN
X-XSS-Protection: 1; mode=block
X-Content-Type-Options: nosniff
X-Download-Options: noopen
X-Permitted-Cross-Domain-Policies: none
Referrer-Policy: strict-origin-when-cross-origin
Location: /
Content-Type: application/json; charset=utf-8
Authorization: Bearer eyJhbGciOiJIUzI1NiJ9.eyJqdGkiOiIwZWNjMmIzNi04ZmZiLTQ2Y2QtYTZkNi1iZGRjZmU4YTQxNmMiLCJzdWIiOiIxIiwic2NwIjoidXNlciIsImF1ZCI6bnVsbCwiaWF0IjoxNjA1ODQ4MDQ2LCJleHAiOjE2MDU4NzY4NDZ9.66Hg_NG3E79-ybC4rJK_XkkSxpLcWHWTlOiw96hyvjg
ETag: W/"cfe36cdecee4080492f63e8c8f0c091b"
Cache-Control: max-age=0, private, must-revalidate
X-Request-Id: c961fc61-a1b4-49f0-bc16-63f19a0abd22
X-Runtime: 0.279213
Vary: Origin
Transfer-Encoding: chunked
It seems that I have the Authorization header exposed as well:
Rails.application.config.middleware.insert_before 0, Rack::Cors do
allow do
origins '*'
resource('*',
headers: :any,
expose: ["Authorization"],
methods: :any
)
end
end
My user model:
class User < ApplicationRecord
include Devise::JWT::RevocationStrategies::JTIMatcher
# Include default devise modules. Others available are:
# :confirmable, :lockable, :timeoutable, :trackable and :omniauthable
devise :database_authenticatable, :registerable, :recoverable,
:rememberable, :validatable, :jwt_authenticatable, jwt_revocation_strategy: self
end
I'm pretty much baffled, any help appreciated. Thanks.
TLDR; Confirm jwt.secret
is actually being set
I had this same issue, in my case it was caused because the jwt.secret
was not being read correctly, when starting Puma via systemd
.
config.jwt do |jwt|
jwt.secret = ENV['JWT_SECRET_KEY'] # was blank, only if starting via systemd or other daemon
jwt.dispatch_requests = [
['POST', %r{^/login$}]
]
jwt.revocation_requests = [
['DELETE', %r{^/logout$}]
]
jwt.expiration_time = 2.weeks.to_i
end
For some reason, on the remote server, when launching via systemd
service, env['JWT_SECRET_KEY']
was empty. However, when starting Puma manually, it worked fine.
I found this out, by hard coding a string as the secret. Suddenly it worked.
config.jwt do |jwt|
jwt.secret = "012345678901234567890123456789" # Suddenly worked
jwt.dispatch_requests = [
['POST', %r{^/login$}]
]
jwt.revocation_requests = [
['DELETE', %r{^/logout$}]
]
jwt.expiration_time = 2.weeks.to_i
end
If jwt.secret
is empty, it will still generate an auth token
for whatever reason. Like you this threw me off, as it made me assume my setup was correct.
To test if you're running into a similar issue, temporarily hardcode gibberish as the secret. If that works, then you're on the right track
Obviously you should not hard code the string, but rather look into and confirm that your secret is being fed correctly into the above config.
For me that meant specifying an EnvironmentFile
in the systemd
service configuration which contains key=value
pairs (much like a dotenv
file).
这篇关于“没有可用的验证密钥";尝试访问由Devise JWT保护的API时的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!