XData Server and TJwtMiddleware


I have created an XData Server with a Service which is supposed to check the given jwt for specific claims to either return a result or to return an unauthorized message.

For this I added this to the server.pas file:

Added Sparkle.Security and Sparkle.Middleware.Jwt to uses

Added Module.AddMiddleware(TJwtMiddleware.Create('Test1234')); right after Module := TXDataServerModule.Create(...

In GetDataServiceImplementation.pas I added Sparkle.Security and XData.Sys.Exceptions to uses
Then I added these lines to function GetDataService.GetData(scrit1, scrit2: String): TList<String>;
  // Check whether the user is authenticated
  Benutzer := TXDataOperationContext.Current.Request.User;
  if Benutzer = nil then
    raise EXDataHttpUnauthorized.Create('User not authenticated');
  // Check whether the user has the required privilege
  if not (Benutzer.Claims['admin'].AsString = 'P') then
    raise EXDataHttpForbidden.Create('Not enough privileges');
However when I debug this, Benutzer := TXDataOperationContext.Current.Request.User; returns nil for Benutzer.

I'm using the REST Debugger and added the token as a Header parameter with the name authorization and the value is Bearer jwt
The token is valid and the fact that the function is called shows that XData deems the token properly signed.

What is going wrong here? I'm using the most recent version of Aurelius, Sparkle and XData

Please advise

Did some more debugging. In TJwtMiddleware.ProcessRequest I checked the content of Auth which is filled with Context.Request.Headers.Get('authorization'). There I can see that Auth starts with: Bearer%20. Then the check whether Auth starts with Bearer and a blank fails, because it starts with Bearer%. That is the reason why the token is not recognized.
Now I need to find out why Bearer%20 is put at the beginning of the Header's authorization parameter.

I found the culprit. There were two issues:
  1. REST Debugger: When adding the Header Parameter authorization the checkbox at the bottom stating to not encrypt the value must be checked. That will prevent replacing the blank with %20
  2. My jwt has a claim exp defined as a double value. This raises an Exception in TJwtMiddleware.IsTokenExpired and then the token is deemed to be invalid. Once exp was removed from the jwt all was working as expected.
I did some retrospective investigation on the exp claim in the documentation and found a couple of references. I think it would help to point to this topic in the JWT Authentication section of the documentation.

I think I'm good now.
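As an added, stand-alone illustration (not Sparkle or XData code; written in Python rather than Delphi so it runs anywhere) of the two checks the thread traced the failures to: the literal "Bearer " prefix test on the Authorization header, and rejection of a token whose exp claim is not an integer, followed by the 401/403 decisions from the question's service code. The secret 'Test1234' is the thread's demo value; `now` is passed in so the expiry check is deterministic.

```python
import base64, hashlib, hmac, json
from typing import Optional, Tuple

SECRET = b"Test1234"  # the demo secret used in the thread

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def make_token(claims: dict, secret: bytes) -> str:
    """Build an HS256 compact JWT (header.payload.signature)."""
    header = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = b64url(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url(sig)}"

def authenticate(authorization: str, secret: bytes, now: int) -> Optional[dict]:
    """Return the claims of a valid bearer token, or None (request stays anonymous)."""
    # The prefix test is literal: a percent-encoded "Bearer%20..." header does not match.
    if not authorization.startswith("Bearer "):
        return None
    token = authorization[len("Bearer "):]
    try:
        h, p, s = token.split(".")
        expected = hmac.new(secret, f"{h}.{p}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, b64url_decode(s)):
            return None
        claims = json.loads(b64url_decode(p))
    except ValueError:  # wrong part count, bad base64, bad JSON
        return None
    if not isinstance(claims, dict):
        return None
    # The thread reports that an exp stored as a double makes the middleware reject the
    # token; this check mirrors that by accepting only an integer NumericDate.
    exp = claims.get("exp")
    if exp is not None:
        if isinstance(exp, bool) or not isinstance(exp, int) or now >= exp:
            return None
    return claims

def authorize(user: Optional[dict]) -> Tuple[int, str]:
    """The service-side checks from the question: 401 without a user, 403 without admin = 'P'."""
    if user is None:
        return 401, "User not authenticated"
    if user.get("admin") != "P":
        return 403, "Not enough privileges"
    return 200, "ok"
```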