How to verify JWT on Edge Functions

I'm working on a Shopify app that calls an edge function when a button is clicked. I am currently sending the anon key in the Authentication header, and I can pick that up on the edge function. However, when I try to verify the JWT, I receive an error that it is not base64-encoded. My function looks like this:
import * as jose from "npm:jose";

// Read from the function's environment (set as a Supabase secret)
const JWT_SECRET = Deno.env.get("JWT_SECRET")!;

async function verifyJWT(jwt: string): Promise<boolean> {
  // jose wants the HMAC secret as raw bytes and `jwt` as the bare compact token
  const encoder = new TextEncoder();
  const secretKey = encoder.encode(JWT_SECRET);
  try {
    await jose.jwtVerify(jwt, secretKey);
  } catch (err) {
    console.error(err);
    return false;
  }
  return true;
}
I have pulled in JWT_SECRET from my supabase secrets and verified that this and other variables are coming through correctly. I'm new to JWT and not sure if I am doing the right steps. I want to enable JWT on the edge function to make it more secure, but have currently been unable to accept and process the JWT properly. If anyone could help me by providing a real-world example of this in an edge function, or explaining what I might be doing wrong, it would be much appreciated. Thanks
3 Replies
Juliano (2y ago)
Do you send the JWT in the authorization header? If so, do you also send the Bearer prefix? If you do that, you should not take into account this prefix while verifying the JWT. If you still get errors doing that, I recommend using the jsonwebtoken npm package. That's what I use and it works well. I use it like so:
import * as jwtModule from 'npm:jsonwebtoken'
import * as envVariablesModule from './env-variables.ts'

// `token` is the Authorization header value with the "Bearer " prefix already removed;
// verify() throws on a bad signature or an expired token, so call it inside try/catch
const decodedToken = jwtModule.verify(token, envVariablesModule.JWT_SECRET)
Akuze (OP, 2y ago)
I put the anon_key in the authorization header and did strip out the Bearer prefix on the backend. I am wondering if I made a mistake in assuming that I use the anon_key? Should I be using my own custom JWT instead?
Juliano (2y ago)
Well, the anon_key is not a JWT. Otherwise everyone would have the same permission on your db. It is a public API key used to authenticate client-side requests. It provides access to your Supabase project, but with restricted privileges. The anon key is meant for operations that do not require a user to be authenticated, such as fetching public data. For client to server communication (supabase db), you can get a JWT by using the supabase-js library with the supabaseClient.auth.signInWithPassword() method for example. For server to server communication, you can create a supabaseClient as an admin. Or, if you need something custom, like me in some cases, you can create your own JWT via the JWT_SECRET and verify it on each server when they receive a request.
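Added example, not code from this thread: the custom-JWT route Juliano describes, checked with Node's built-in crypto instead of jose or jsonwebtoken so it runs anywhere. The secret value and claims are constructed. It strips the Bearer prefix before verifying (the step the original poster was missing), pins the algorithm to HS256, compares the signature in constant time and rejects expired tokens.

```typescript
import { createHmac, timingSafeEqual } from "node:crypto";

// Constructed example secret; an edge function would read Deno.env.get("JWT_SECRET") instead.
export const JWT_SECRET = "constructed-example-secret-do-not-use";

const b64url = (buf: Buffer): string =>
  buf.toString("base64").replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");

function decodeJson(seg: string): Record<string, unknown> | null {
  try { return JSON.parse(Buffer.from(seg, "base64url").toString("utf8")); } catch { return null; }
}

// Return the bare token from an Authorization header, with an optional "Bearer " prefix removed.
export function extractBearer(authHeader: string | null): string | null {
  if (!authHeader) return null;
  const m = /^Bearer\s+(.+)$/i.exec(authHeader.trim());
  return m ? m[1].trim() : authHeader.trim();
}

// Verify a compact HS256 JWT (header.payload.signature, each base64url) against a shared secret.
// Returns the claims on success, null on any failure.
export function verifyHS256(
  token: string, secret: string, nowSec = Math.floor(Date.now() / 1000),
): Record<string, unknown> | null {
  const parts = token.split(".");
  if (parts.length !== 3) return null;                 // not a compact JWS (e.g. prefix left in)
  const [h, p, s] = parts;
  const header = decodeJson(h);
  if (!header || header.alg !== "HS256") return null;  // refuse "none" or any other algorithm
  const expected = createHmac("sha256", secret).update(`${h}.${p}`).digest();
  const given = Buffer.from(s, "base64url");
  if (given.length !== expected.length || !timingSafeEqual(given, expected)) return null;
  const payload = decodeJson(p);
  if (!payload) return null;
  if (typeof payload.exp === "number" && payload.exp <= nowSec) return null; // expired
  return payload;
}

// Mint a token for the sample; a server issuing custom JWTs does the same with its JWT_SECRET.
export function signHS256(payload: Record<string, unknown>, secret: string): string {
  const h = b64url(Buffer.from(JSON.stringify({ alg: "HS256", typ: "JWT" })));
  const p = b64url(Buffer.from(JSON.stringify(payload)));
  const sig = createHmac("sha256", secret).update(`${h}.${p}`).digest();
  return `${h}.${p}.${b64url(sig)}`;
}
```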
