devise-jwt: JWT::VerificationError - Signature verification raised

Hi! I’m setting up an API that uses devise and devise-jwt for authentication, and I followed all the steps in order to make it work. However, whenever I try to sign in within my back end I receive a 401 response.

So I dug into the code and found that warden.authenticate! was raising an error that was being rescued by:

  def authenticate!
    user = UserDecoder.new.call(token, scope)
    success!(user)
  rescue JWT::DecodeError
    fail!
  end

Following that lead, I found that the error being raised was a JWT::VerificationError - Signature verification raised. However, I created my secret key using rails secret as proposed in the configuration guide. Here’s the line in my config/initializers/devise.rb:

  config.jwt do |jwt|
    jwt.expiration_time = 3.hours
    jwt.secret = ENV.fetch('DEVISE_JWT_SECRET_KEY') { 'db70e50ec08feabaa1f05c65dadfc8057fb774052ff8fe7bc90b6d4001bfb681bbd6c26fbf06b77f39078270093948a5fd9ea09fac495fc9f7aab43241836dcf' }
  end

I even tried running it with the ENV variable set and with the plain value in the config, just to test whether something was wrong with ENV’s fetch method, but it still doesn’t work. Any help?

About this issue

  • State: closed
  • Created 7 years ago
  • Comments: 22 (11 by maintainers)

Most upvoted comments

If someone else happens to have this issue again, in my case it was because I already had an Authorization bearer token saved in my local storage from a different app (I was developing a React app on the same port), so it was trying to sign in sending an invalid token. It was fixed by clearing out the local storage.

The comment from waiting-for-dev is what helped me after all. Turns out, when devise_for is in a scope, devise needs a namespace for the user param:

  scope :api do
    devise_for :users, as: :api, defaults: { format: :json }
  end

will expect {"api_user": {"email": "email@gmail.com", "password": "password"}}

I guess that you had a wrong user param. I don’t remember now how devise uses namespaces and so on to name scopes, but maybe it should have been something like staging_user.

You are welcome. Happy this works for you now. Closing the issue, then.

The first thing a user does is send a request to sign_in providing e-mail and password; at that point, the request is sent without an Authorization header. I was expecting devise to return me a JWT token which I’d store within my front-end application (React/Redux in this case).

After that, every request to my API would have an Authorization Header Bearer <token>

So I might be doing something wrong with my sign_in flow, and maybe my error doesn’t have anything to do with JWT? Because I’m sending a POST to sign_in passing e-mail and password in order to retrieve the token, which I’ll then use for requesting routes protected by authentication, but that’s where I’m getting the 401 error.