# JWT validation
In this guide we will see how to validate a `JWT` (JSON Web Token) issued by a third-party service.

When you sign in through the authentication route `POST /auth/local`, Strapi generates a `JWT` which lets your users call your API as authenticated users.

```json
{
  "jwt": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpZCI6MSwiaXNBZG1pbiI6dHJ1ZSwiaWF0IjoxNTcxODIyMDAzLCJleHAiOjE1NzQ0MTQwMDN9.T5XQGSDZ6TjgM5NYaVDbYJt84qHZTrtBqWu1Q3ShINw",
  "user": {
    "email": "admin@strapi.io",
    "id": 1,
    "username": "admin"
  }
}
```

These users are stored in the application's database and can be managed from the admin dashboard.

Now imagine you have a `JWT` issued by [Auth0](https://auth0.com) and you want to make sure that `JWT` is valid before allowing the user to use the Strapi API endpoints.

## Customize the JWT validation function
We have to use the [customization concept](../concepts/customization.md) to update the function that validates the `JWT`. This feature is powered by the **Users & Permissions** plugin.

Here is the file we will have to customize: [permissions.js](https://github.com/strapi/strapi/blob/master/packages/strapi-plugin-users-permissions/config/policies/permissions.js)

- Create a file at this path: `./extensions/users-permissions/config/policies/permissions.js`.
- Copy the content of the original file into this new file.

Now we are ready to write our custom validation code.

## Write our own logic
First we have to decide where to write our code. In the original policy, a token that Strapi cannot verify ends up in the `catch` block:

```js
const _ = require('lodash');

module.exports = async (ctx, next) => {
  let role;

  if (ctx.request && ctx.request.header && ctx.request.header.authorization) {
    try {
      // Verifies the token against Strapi's JWT secret and returns its payload
      const { id, isAdmin = false } = await strapi.plugins[
        'users-permissions'
      ].services.jwt.getToken(ctx);
      ...
    } catch (err) {
      // It will be there!
      return handleErrors(ctx, err, 'unauthorized');
    }
  }

  // ... rest of the original policy (unchanged)
};
```

`jwt.getToken` throws an error if the token was not issued by Strapi. So if it's not a Strapi `JWT`, let's test whether it's an Auth0 one.

We will have to write our validation code in that `catch` block, before returning the error.

Following the [Auth0 get user profile](https://auth0.com/docs/api/authentication?http#get-user-info) documentation, you can verify that a valid Auth0 user matches the current `JWT`:

```js
const _ = require('lodash');
const axios = require('axios');

module.exports = async (ctx, next) => {
  let role;

  if (ctx.request && ctx.request.header && ctx.request.header.authorization) {
    try {
      const { id, isAdmin = false } = await strapi.plugins[
        'users-permissions'
      ].services.jwt.getToken(ctx);
      ...
    } catch (err) {
      // Not a Strapi token: ask Auth0 whether it accepts the same bearer token
      try {
        // Replace YOUR_DOMAIN with your Auth0 tenant domain; always use https,
        // otherwise the bearer token travels in cleartext
        const response = await axios({
          method: 'post',
          url: 'https://YOUR_DOMAIN/userinfo',
          headers: {
            Authorization: ctx.request.header.authorization,
          },
        });
        // response.data holds the Auth0 user profile (sub, email, ...)
        // If you want to do more validation, feel free to add your code here.
        // Note: calling next() here grants access without the role/permission
        // check that the rest of this policy performs for Strapi users.
        return await next();
      } catch (error) {
        return handleErrors(
          ctx,
          new Error('Invalid token: Token did not match with Strapi and Auth0'),
          'unauthorized'
        );
      }
    }
  }

  // ... rest of the original policy (unchanged)
};
```

::: warning
In the code example we use `axios`; you will have to install that dependency to make it work. You can choose another HTTP library if you prefer.
:::