Verify JWT token

turtlebits · October 12, 2020, 6:42pm

Is there a way to verify JWT without a function?

I have netlify-identity-widget setup for my site, and I can login to Netlify and my frontend has the access token.

However, without the secret key for the token, my backend cannot verify then token hasn’t been tampered with. Is there a way to do this? I do not wish to use functions as I have an existing backend.

I was assuming using a proxy would reject requests with an unverified token, but this is not the case. I have signed proxy redirects setup, but that allows me to verify that the requests are coming through the proxy, but does not verify the token.

futuregerald · January 14, 2020, 6:07pm

Hi there @turtlebits,

Right now there is no way to get your account’s JWT secret. What I generally do is use a Netlify function to authenticate the token. Another option is to use a signed proxy redirect so you can confirm that the request is coming via Netlify. More info on JWS can be found at https://www.netlify.com/blog/2017/10/17/introducing-structured-redirects-and-headers/#signed-proxy-redirects

turtlebits · January 14, 2020, 6:22pm

Thanks, a signed proxy redirect just allows me to verify if a request to my backend is coming via the netlify proxy, but there is no way to verify the JWT payload. So someone can just post to my proxy URL with a tampered token. (I double checked - the proxy doesn’t try to verify the JWT by sending a tampered token through it).

Dennis · January 23, 2020, 5:24pm

Hi @turtlebits, I’m currently investigating a possible solution to your question. I’ll update here once I confirm the solution.

laurenyz · September 15, 2020, 4:17pm

Hi @Dennis! Were you successful in finding a solution?

marcus · September 21, 2020, 9:13pm

Dennis will likely be able to give you a longer answer later, but you might want to look into this area of our docs: https://docs.netlify.com/routing/redirects/rewrites-proxies/#signed-proxy-redirects

Dennis · September 22, 2020, 5:54pm

Right, so the signed proxy redirects can definitely help with making sure your external url has a way to identify requests from your netlify site.

But if you also want to validate your JWT against your site’s Identity instance, you will need to do as @futuregerald mentioned and use a Netlify Function in conjunction with https://github.com/netlify/gotrue-js#get-current-user. If you invoked your Netlify Function with the appropriate Authorization header (Authorization: Bearer <JWT here>), our system will populate the context.clientContext object. You can then use this to information your function whether the request is valid or not. And example might look like: https://github.com/netlify/gotrue-js#get-a-user.

Between the two options, that hopefully gets you what you need.

Sorry for the long delay in updating here.

laurenyz · September 23, 2020, 1:37am

Thank you for the suggestions, @marcus & @Dennis!

yuyokk · October 9, 2020, 10:39pm

Hi @futuregerald

More info on JWS can be found at https://www.netlify.com/blog/2017/10/17/introducing-structured-redirects-and-headers/#signed-proxy-redirects

Will you please advice on how to verify x-nf-sign header?
I was able to sign the requests but now struggling to find the right way to verify the signature.

Thank you!

UPDATE: used jws https://github.com/auth0/node-jws#readme and it is working!