I’m trying to do some basic JWT validation on board views/item views etc.
I have a board view at say:
https://xxxx.example.app/my-board-view
When the board view is displayed, it has a `sessionToken` request parameter (actually a JWT token) passed through to it from monday:
https://xxxx.example.app/my-board-view?sessionToken={sessionToken}
…which I should be able to validate against the “Signing secret” from “Basic information” here (for my app):
https://myinstance.monday.com/apps/manage/:app_id/app_versions/:app_version/sections/appDetails
I have this as `MONDAY_SIGNING_SECRET` in my JavaScript server-side code.
So basic validation should look something like this:
```ts
import jwt from 'jsonwebtoken';
// ...
const sessionToken = new URLSearchParams(location.search).get('sessionToken') || null;
if (!sessionToken) {
  // throw error(401, 'No token found.');
}
try {
  const payload = await jwt.verify(sessionToken, MONDAY_SIGNING_SECRET);
  // all good, continue
  // now add all the logic here...
} catch (err: any) {
  // throw error(401, 'Token is invalid.');
}
```
I’m finding that if I use this code with the signing secret, it always fails.
I get this error:
```
error JsonWebTokenError: invalid signature
    at /path/to/node_modules/jsonwebtoken/verify.js:171:19
    at getSecret (/path/to/node_modules/jsonwebtoken/verify.js:97:14)
    at module.exports [as verify] (/path/to/node_modules/jsonwebtoken/verify.js:101:10)
    ...
```
- Does the signing secret work with board views etc?
- Or am I doing something fundamentally wrong?
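
One way to narrow down an `invalid signature` error like the one above, as an added example that is not part of the original post: it recomputes the HMAC with Node's built-in `crypto` for several candidate secret values and reports which one, if any, produced the token's signature. It assumes the token is an HS256 compact JWT; the function names, secrets and sample token are constructed for illustration and are not monday values.

```javascript
const crypto = require('node:crypto');

const b64url = (buf) => Buffer.from(buf).toString('base64url');

// Sign a compact HS256 JWT (used here only to build the constructed sample token).
function signHs256(payload, secret) {
  const head = b64url(JSON.stringify({ alg: 'HS256', typ: 'JWT' }));
  const body = b64url(JSON.stringify(payload));
  const sig = crypto.createHmac('sha256', secret).update(`${head}.${body}`).digest();
  return `${head}.${body}.${b64url(sig)}`;
}

// Report which candidate secret (if any) produced the token's signature.
// candidates: { label: secretString }. Returns { alg, matched, payload }.
function diagnoseToken(token, candidates) {
  const parts = token.split('.');
  if (parts.length !== 3) throw new Error('not a compact JWT');
  const [head, body, sig] = parts;
  const { alg } = JSON.parse(Buffer.from(head, 'base64url').toString('utf8'));
  // Assumption: HS256. Any other algorithm means a shared secret is the wrong key type.
  if (alg !== 'HS256') return { alg, matched: null, payload: null };
  const given = Buffer.from(sig, 'base64url');
  for (const [label, secret] of Object.entries(candidates)) {
    const expected = crypto.createHmac('sha256', secret).update(`${head}.${body}`).digest();
    if (given.length === expected.length && crypto.timingSafeEqual(given, expected)) {
      // Claims are parsed only after the signature has been verified.
      const payload = JSON.parse(Buffer.from(body, 'base64url').toString('utf8'));
      return { alg, matched: label, payload };
    }
  }
  return { alg, matched: null, payload: null };
}

// Constructed sample data: a token signed with SAMPLE_SECRET and three candidates,
// including the same value with a stray newline (e.g. from an env file).
const SAMPLE_SECRET = 'constructed-secret-A';
const sampleToken = signHs256({ sub: 'constructed-user', exp: 4102444800 }, SAMPLE_SECRET);
const sampleCandidates = {
  'secret with trailing newline': SAMPLE_SECRET + '\n',
  'different secret': 'constructed-secret-B',
  'exact secret': SAMPLE_SECRET,
};
console.log(diagnoseToken(sampleToken, sampleCandidates));
```

If no candidate matches, the token was signed with a value that is not among them, so the verification call itself is not the problem.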