400 Bad Request if Authorization Bearer token used

甜味超标 2021-01-15 00:57

I'm using Postman to troubleshoot an odd 400 error with my Angular / NodeJS app.

I'm trying to GET https://example.com/login.html and the request has

2 answers
  • 2021-01-15 01:13

    As it turns out, the issue was related to my implementation of JWT. For some reason, one user continued to receive a token that caused these 400 errors, even though the token was verified as valid using JWT.io.

    I made two significant changes that fixed the issue:

    1. I was embedding the full user profile (long JSON) in the token payload. I reduced it to just their userid, both for performance reasons (far smaller size) and just in case something in the complex payload was causing the issue.

    2. I switched from JWT-Simple to jsonwebtoken in my node implementation.

    I'm just glad that worked. My next step was to switch from 'Authorization' to 'x-encoded-auth' or some other custom name.

  • 2021-01-15 01:36

    @James, I don't have enough reputation to post a comment on your answer, but I thought it would be helpful to others struggling with this issue to state that your suggestion to reduce the complexity/size of the signed user indeed resulted in resolving similar issues I was experiencing. This was on my list of performance optimizations anyway - but it didn't occur to me that it could be a cause for error in this scenario - so you deserve the credit... thanks!

    For readers - there are some useful links in this SO thread about max size for tokens: What is the maximum size of JWT token?

    And this is a tool I use to check the validity of generated tokens... https://www.base64decode.org/

    Hope this justifies the upgrade from comment to answer!

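An added example (not from either answer): it measures how large the `Authorization: Bearer` header becomes when the full profile is embedded in the token versus only the userid, as the first answer describes, and decodes the payload locally to show it is readable without the key. The hand-rolled HS256 signer stands in for a JWT library so the script has no dependencies; the secret, the profile and the 8 KB header budget are constructed assumptions, and real limits vary by server and proxy.

```javascript
const crypto = require('crypto');

const b64url = (data) => Buffer.from(data).toString('base64url');

// Minimal HS256 signer, a stand-in for a JWT library (assumption: used for sizing only).
function signHS256(payload, secret) {
  const head = b64url(JSON.stringify({ alg: 'HS256', typ: 'JWT' }));
  const body = b64url(JSON.stringify(payload));
  const sig = crypto.createHmac('sha256', secret)
    .update(`${head}.${body}`)
    .digest('base64url');
  return `${head}.${body}.${sig}`;
}

// The payload is only base64url-encoded JSON, so it can be inspected locally.
function decodePayload(token) {
  return JSON.parse(Buffer.from(token.split('.')[1], 'base64url').toString('utf8'));
}

// Bytes the token occupies on the wire as one request header line.
function authHeaderBytes(token) {
  return Buffer.byteLength(`Authorization: Bearer ${token}\r\n`, 'utf8');
}

// Assumed budget; check the limit of your own server, proxy or load balancer.
const HEADER_BUDGET = 8 * 1024;

function checkHeader(token, budget = HEADER_BUDGET) {
  const bytes = authHeaderBytes(token);
  return { bytes, fits: bytes <= budget };
}

// Constructed sample data: a "long JSON" profile like the one the answer mentions.
const SECRET = 'constructed-demo-secret';
const fullProfile = {
  userid: 'u-1001',
  name: 'Sample User',
  email: 'sample.user@example.com',
  history: Array.from({ length: 300 }, (_, i) => ({ page: `/reports/${i}`, ts: 1610000000 + i })),
};

const fatToken = signHS256({ user: fullProfile }, SECRET);   // whole profile as claims
const slimToken = signHS256({ sub: fullProfile.userid }, SECRET); // userid only

console.log('full profile:', checkHeader(fatToken));
console.log('userid only: ', checkHeader(slimToken));
console.log('slim payload:', decodePayload(slimToken));
```
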