Good morning,
I've encountered a weird issue with my strapi-project. I have a standard user model which I query for info on the user's profile page via the /users/me endpoint. This was all working fine last week but as I tried logging in this morning, the authorization appeared to not work anymore. I log my user in via this code:
.... async submitForm() { axios.post(' { 'identifier': this.email, 'password': this.password }) .then((response) => { const { jwt, user } = response.data; window.localStorage.setItem('jwt', jwt); window.localStorage.setItem('userData', JSON.stringify(user)); router.push('/dashboard'); }) .catch((e) => { this.$store.commit('LOGIN_ERROR', e) }); }, ... Which then redirects to my dashboard which queries the /users/me endpoint like so:
let token = localStorage.jwt; axios.get(` { headers: { Authorization: `Bearer ${token}` } }) .then((response) => { console.log(response.data); }) A few days ago this was working fine, also the token variable used in the post contais the token returned from the backend after logging in. Now strapi gives me an error in the console:
[2021-10-16T07:16:52.568Z] debug GET /users/me (5 ms) 500 [2021-10-16T07:17:03.231Z] debug POST /auth/local (76 ms) 200 [2021-10-16T07:17:24.915Z] error TypeError: Cannot read property 'type' of null at module.exports (/home/user/WebstormProjects/strapi-project/node_modules/strapi-plugin-users-permissions/config/policies/permissions.js:35:14) at async /home/user/WebstormProjects/strapi-project/node_modules/strapi-utils/lib/policy.js:68:5 at async serve (/home/user/WebstormProjects/strapi-project/node_modules/koa-static/index.js:59:5) at async /home/user/WebstormProjects/strapi-project/node_modules/strapi/lib/middlewares/parser/index.js:48:23 at async /home/user/WebstormProjects/strapi-project/node_modules/strapi/lib/middlewares/xss/index.js:26:9 My first guess was that maybe something with axios was wrong e.g. that the token wasn't sent correctly in the request so I tried the same thing with webstorm's http client:
POST Content-Type: application/json { "identifier": "", "password": "..." } Which returns the user and token:
"jwt": "<TOKEN>", If I try using this token to authenticate the user, however a get a 401
GET Authorization: "Bearer <token>" Accept: application/json returns
{ "statusCode": 401, "error": "Unauthorized", "message": "Invalid token." } So I tried figuring out what was going on there and after an hour I noticed that when looking at the user in the backend the user didn't have the authenticated role assigned. When I changed this manually in the backend, the request authorization works again.
So can anyone maybe tell me what is going on here? Because from my understanding, when POSTing valid credentials to /auth/local the user's role should change to Authenticated, which was working some days back. Is there something I'm missing?
Any help would be greatly appreciated, greetings, derelektrischemoench
1 Answer
Okay, so let me reply to your first part:
"Because from my understanding, when POSTing valid credentials to /auth/local the user's role should change to Authenticated"
Answer is, not really. When you send valid credentials to the auth/local, Strapi just checks the database for matching username/email and password. If a user is found, then it fetches the role assigned that user and puts all the data in ctx.state.user.role. So you could have many other roles, like Viewer, Commenter etc with each having different set of access limits.
The different roles can be created here:
So depending on the roles assigned, Strapi will just fetch and store the values in ctx.state.user.role on each request via the strapi-plugin-users-permissions plugin for your convenience, so that you can easily check which user it is and which role it has in any controller or service file using the ctx from the request to provide any additional functionality.
You can check how it does it in the following file:
node_modules/strapi-plugin-users-permissions/config/policies/permissions.js
Now coming to what could have caused it:
Well it could have been you yourself. Possibly while saving the user or viewing user details you could have removed the role from the user and saved the record.
The other possibility could be a database switch.
It can also be a
Strapiversion upgrade that caused, but it's highly unlikely.You could have a
updatequery in the your code that updates theusermodel, where you might have missed the role parameter. So check your code once.