Tags: jwt, express-jwt

express-jwt: quickly reject JWT missing essential property


I am using express-jwt to create middleware, jwtCheckMiddleware:

const expressJwt = require("express-jwt")
const Boom = require("boom") // package name not shown in the question; "boom" assumed here

function getTokenFromRequest(req) {
 ...
 throw Boom.badRequest("JWT missing")
}

async function isNotRevokedCallback(req, payload, done) {
 ...
}

const jwtCheckMiddleware = expressJwt({
  secret: ....,
  credentialsRequired: true,
  isRevoked: isNotRevokedCallback,
  getToken: getTokenFromRequest
})

At one point in development, the JWTs issued lacked a JTI property. Newly issued tokens hold the JTI property.

A request lacking a JWT is quickly rejected; getTokenFromRequest throws an error. This works great.

A request with an old JWT -- lacking the JTI -- just times out.

There is a null-check inside isNotRevokedCallback on the JTI; I throw an error when the JTI is undefined. Could it be that the expressJwt middleware constructor is not catching this error properly, leading to timeout?

isNotRevokedCallback is loosely based on https://github.com/auth0/express-jwt#revoked-tokens


Solution

  • According to the documentation the isRevoked function callback should have a signature of function(req, payload, done). The argument passed as done is in turn a function with a signature function(err, revoked) that should be invoked once the check to see if the token is revoked or not is complete.

    If the JWT in question does not have a jti claim and you need to trigger an error then you should be calling done(new YourError()) to signal that an error occurred.

    You did not include your actual implementation, so it's impossible to say for sure that this is the cause; however, it does seem like a good candidate.
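The callback shape the answer describes, as an added example that is not code from the question, the answer, or the express-jwt project. It puts the suspected failure mode (an async isRevoked callback that throws, so `done` is never reached) next to a callback that reports the missing jti by calling `done(err)`. The revocation list is a constructed in-memory Set standing in for a real store, and `runCheck` is a hypothetical harness that consumes the callback the way the middleware would, so both variants can be compared without running express or express-jwt.

```javascript
// Added example, not from the original question or answer. Assumes express-jwt
// invokes the revocation check as documented: isRevoked(req, payload, done),
// with done(err, revoked) reporting the outcome.

// Constructed revocation list; a real deployment would query a store here.
const revokedJtis = new Set(["jti-revoked-1"]);

// Broken variant, modelled on the failure mode in the question: an async
// callback that throws when the jti claim is absent. The throw becomes a
// rejected promise; a caller that only waits for `done` never sees it, so
// `done` is never invoked and the request is left hanging.
async function isRevokedBroken(req, payload, done) {
  if (!payload || payload.jti === undefined) {
    throw new Error("JWT missing jti");
  }
  done(null, revokedJtis.has(payload.jti));
}

// Fixed variant: every outcome, error or not, goes through done(err, revoked).
function isRevokedFixed(req, payload, done) {
  if (!payload || typeof payload.jti !== "string" || payload.jti.length === 0) {
    // Signal the error to the middleware; it forwards it to next(err).
    return done(new Error("JWT missing jti"));
  }
  // revoked === true makes the middleware reject the token; false lets it through.
  return done(null, revokedJtis.has(payload.jti));
}

// Hypothetical harness mimicking how the middleware consumes the callback:
// it records whether `done` was reached and with what. A synchronous throw is
// caught and recorded; a rejected promise from an async callback is ignored,
// which is exactly why the broken variant produces no observable result.
function runCheck(callback, payload) {
  const result = { doneCalled: false, err: null, revoked: null, threw: null };
  try {
    const maybePromise = callback({}, payload, (err, revoked) => {
      result.doneCalled = true;
      result.err = err ? err.message : null;
      result.revoked = revoked === undefined ? null : revoked;
    });
    if (maybePromise && typeof maybePromise.catch === "function") {
      maybePromise.catch(() => {}); // swallow the rejection, as an unawaiting caller effectively does
    }
  } catch (e) {
    result.threw = e.message;
  }
  return result;
}

// Constructed payloads: one without a jti, one live, one revoked.
console.log("fixed, no jti   :", runCheck(isRevokedFixed, { sub: "alice" }));
console.log("fixed, live jti :", runCheck(isRevokedFixed, { sub: "alice", jti: "jti-live-7" }));
console.log("fixed, revoked  :", runCheck(isRevokedFixed, { sub: "alice", jti: "jti-revoked-1" }));
console.log("broken, no jti  :", runCheck(isRevokedBroken, { sub: "alice" }));
```

The broken run shows `doneCalled: false` and `threw: null`: nothing reached the middleware, which is the silent hang the question reports. The fixed run reports the missing claim through `err`, so the middleware can turn it into an immediate error response rather than a timeout.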