CakePHP 3 JWT-Auth gives 401 Unauthorized error

Question

I'm using CakePHP 3.6 and JWT Auth to enable token-based authentication in my application and frontend is written in Angular 6.

My login controller is like

<?php
namespace App\Controller\Api;

use Cake\Event\Event;
use Cake\Http\Exception\UnauthorizedException;
use Cake\Utility\Security;
use Crud\Controller\Component\CrudComponent;
use Firebase\JWT\JWT;

class UsersController extends AppController
{
    public function initialize()
    {
        parent::initialize();
        $this->Auth->allow(['add', 'token']);
    }

    public function token()
    {
        $user = $this->Auth->identify();
        if (!$user) {
            throw new UnauthorizedException('Invalid username or password');
        }

        $this->set([
            'success' => true,
            'data' => [
                'token_type' => 'Bearer',
                'expires_in' => 604800,
                'token' => JWT::encode([
                    'sub' => $user['id'],
                    // 'exp' => time() + 604800
                ],
                    Security::getSalt())
            ],
            '_serialize' => ['success', 'data']
        ]);
    }
}

AppController.php contents

namespace App\Controller\Api;

<?php
use Cake\Controller\Controller;

class AppController extends Controller
{
    use \Crud\Controller\ControllerTrait;

    public function initialize()
    {
        parent::initialize();

        $this->loadComponent('RequestHandler');
        $this->loadComponent('Crud.Crud', [
            'actions' => [
                'Crud.Index',
                'Crud.View',
                'Crud.Add',
                'Crud.Edit',
                'Crud.Delete'
            ],
            'listeners' => [
                'Crud.Api',
                'Crud.ApiPagination'
            ]
        ]);

        $this->loadComponent('Auth', [
            'storage' => 'Memory',
            'authenticate' => [
                'Form' => [
                    'fields' => [
                        'username' => 'email',
                        'password' => 'password'
                    ],
                    'finder' => 'auth'
                ],
                'ADmad/JwtAuth.Jwt' => [
                    'parameter' => 'token',
                    'userModel' => 'Users',
                    'finder' => 'auth',
                    'fields' => [
                        'username' => 'id'
                    ],
                    'queryDatasource' => true
                ]
            ],
            'unauthorizedRedirect' => false,
            'checkAuthIn' => 'Controller.initialize'
        ]);
    }

}

On sending request from the angular application to generate token works fine and following response is received.

But when using the token to send the request to other endpoints giving an error

401: Unauthorized access

The request/response header has token

What I tried?

• I tried with disabling exp while generating an access token.
• tried with disabling debug in CakePHP application.

It is working great when CakePHP server application is run locally.

Answer 1

in your .htaccess try this rule (if mod_rewrite is activated) :

SetEnvIf Authorization "(.*)" HTTP_AUTHORIZATION=$1

With the Bitnami stack of LAMP (on EC2 AWS instance for example), the php-fdm module filter the header of every requests, and the "authorization" header is screwed up.

With this line, you can force to create a $_HTTP variable with the original Authorization header.

Regards

Answer 2

Check in cakephp code if you are receiving the AUTHORIZATION in headers.