Troubleshooting

Module not initialized

Make sure @quik/authorization is registered in your bootstrap module and appears after its dependencies.

Token verification always fails

Utils.JWT.verify and Utils.JWT.verifyWithReason check the token's signature, algorithm, issuer, and audience against auth.jwt.secret, auth.jwt.algorithm, auth.jwt.issuer, and auth.jwt.audience. A mismatch on any of these (for example, a token signed with a different auth.jwt.secret) makes verification fail: verify fails silently and returns false, and verifyAndDecode throws InvalidTokenError.
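To find out which of the four values is mismatched, the following added example (not part of @quik/authorization and not calling its API) recomputes the checks with Node's built-in crypto module. It assumes an HMAC algorithm (HS256/HS384/HS512); diagnoseJwt, signSample, and the cfg object mirroring auth.jwt.* are hypothetical names, and the token is constructed sample data.

```javascript
// Added diagnostic sketch: standalone Node.js, does not call @quik/authorization.
const nodeCrypto = require('node:crypto');

const HMAC = { HS256: 'sha256', HS384: 'sha384', HS512: 'sha512' };

function decodePart(part) {
  const value = JSON.parse(Buffer.from(part, 'base64url').toString('utf8'));
  if (value === null || typeof value !== 'object') throw new Error('not a JSON object');
  return value;
}

// Returns the names of the failing checks, in the order the page lists them.
// cfg mirrors auth.jwt.*: { secret, algorithm, issuer, audience } (assumed shape).
function diagnoseJwt(token, cfg) {
  const hash = HMAC[cfg.algorithm];
  if (!hash) throw new Error('this example only handles HS256/HS384/HS512');
  const parts = String(token).split('.');
  if (parts.length !== 3) return ['malformed'];
  let header, payload;
  try {
    header = decodePart(parts[0]);
    payload = decodePart(parts[1]);
  } catch {
    return ['malformed'];
  }
  const failed = [];
  const expected = nodeCrypto.createHmac(hash, cfg.secret).update(`${parts[0]}.${parts[1]}`).digest();
  const actual = Buffer.from(parts[2], 'base64url');
  // timingSafeEqual throws on unequal lengths, so compare lengths first.
  if (actual.length !== expected.length || !nodeCrypto.timingSafeEqual(actual, expected)) failed.push('signature');
  if (header.alg !== cfg.algorithm) failed.push('algorithm');
  if (payload.iss !== cfg.issuer) failed.push('issuer');
  const aud = Array.isArray(payload.aud) ? payload.aud : [payload.aud];
  if (!aud.includes(cfg.audience)) failed.push('audience');
  return failed;
}

// Constructed sample: an HS256 token minted with a different secret and audience.
function signSample(claims, secret, alg = 'HS256') {
  const enc = (obj) => Buffer.from(JSON.stringify(obj)).toString('base64url');
  const body = `${enc({ alg, typ: 'JWT' })}.${enc(claims)}`;
  return `${body}.${nodeCrypto.createHmac(HMAC[alg], secret).update(body).digest('base64url')}`;
}

const cfg = { secret: 'secret-b', algorithm: 'HS256', issuer: 'https://idp.example', audience: 'api' };
const token = signSample({ iss: 'https://idp.example', aud: 'web' }, 'secret-a');
console.log(diagnoseJwt(token, cfg)); // [ 'signature', 'audience' ]
```

The result contains only check names, so it can be logged without exposing the token or auth.jwt.secret.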

Unknown security scheme

Referencing a security scheme name that was never registered with SchemesStore.add throws UnregisteredAuthorizationStrategyError. Register the scheme before decorating routes with it.

Common Errors

  • quik.errors.authorization.invalid-token: no token was provided, or the token failed verification.
  • quik.errors.authorization.must-be-authenticated: AuthDecorators.CanAccess was used but event.user is not set.
  • quik.errors.authorization.must-be-unauthenticated: AuthDecorators.Unauthenticated was used but event.user is set.
  • quik.errors.authorization.forbidden-access: the authenticated user lacks the required permission.
  • quik.errors.authorization.assurance-level-too-low: the user's assurance level is below the level required by RequireAssuranceLevel.
  • quik.errors.authorization.missing-required-authentication-factor: none of the required factors were completed.
  • quik.errors.authorization.unregistered-authorization-strategy: an unregistered security scheme name was used in a decorator.
  • quik.errors.authorization.unregistered-basic-auth-callback: basic auth is used without a registered callback.
  • quik.errors.authorization.invalid-http-security-scheme / invalid-api-key-security-scheme / invalid-api-key-location / invalid-openid-security-scheme / invalid-oauth2-security-scheme / invalid-oauth2-flow-definition: SchemesStore.add rejected a malformed scheme definition.
  • quik.errors.authorization.at-least-one-flow-required: an OAuth2 scheme was registered with no flows defined.