I was able to get this to work, finally.
The main point of confusion was that it was not working with older users in my system.
It may be that in the past I created some users with a sub key that is not their user id. I can’t figure out what the sub might have been. And I don’t see any way to figure it out? So I think I’m going to have to create new users and port over the data associated with those users to the new users.
Some random notes about how this ended up working, in case it helps someone someday:
I create a user. This is the Mongo Record:
Then I verify that user by providing a token supplied in the verification email.
Then I authenticate that user to my system, accepting email and password…
And returning a token…
eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.eyJhZG1pbiI6ZmFsc2UsInVzZXIiOiJreXR5ZmVAb25la2lzc3ByZXNhdmUuY29tIiwic3ViIjoiNjFiM2JmNmYzZjc2NDQwMDE2Nzk3MDY2IiwiYXVkIjoiZnVua3ktcmFkaXNoLXR3ZHh2IiwiYXV0aG9yIjoiIiwiaWF0IjoxNjM5MTY5OTAzLCJleHAiOjE2MzkyNTYzMDN9.ShCk95HD-BiZp80jujg6xdFwOpXZXsq0XCboIzHMRjl8a1_9ixseb8JskbYFczKkt9tSejI8tjzzMymO3WRZjxp0bzKg6qlNAfhzKzCzsDOTPMpjNtl9W95RY-0PVH7N7G5l_yUqFumfn6_JtPJQ1AGOQXyJcZWuLMNHHek0-BRReRN8wjcPLKVA5E7yGi1VFKSm38IyiQl7I1ZsiFjuP60AU9xu9_yqMhg9vY4JrIGgCdz6dNT_XHL5jxW4C0DtR89hhsXLTeNrod7xi-OVshPScq2efSunVNVryhAZNolOSHTeoIAHRRP2GeS73er5s979JyzVNUprUEoQwFI27w
Here’s what the payload looks like:
{
"admin": false,
"user": "kytyfe@onekisspresave.com",
"sub": "61b3bf6f3f76440016797066",
"aud": "funky-radish-twdxv",
"author": "",
"iat": 1639169903,
"exp": 1639256303
}
So I then use that token in a realm credential and login.
const credentials = Realm.Credentials.jwt(token)
return realmApp.logIn(credentials)
And here’s the response, a new Realm user.
{
"id": "61b3c21290cda269ec058e8f",
"accessToken": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJiYWFzX2RldmljZV9pZCI6IjYxYjNjMjEyOTBjZGEyNjllYzA1OGVjYiIsImJhYXNfZG9tYWluX2lkIjoiNWYwY2E5Zjk1NWJhYjVkZWZhODI5ZGM5IiwiZXhwIjoxNjM5MTcyMzc5LCJpYXQiOjE2MzkxNzA1NzksImlzcyI6IjYxYjNjMjEzOTBjZGEyNjllYzA1OGYwMiIsInN0aXRjaF9kZXZJZCI6IjYxYjNjMjEyOTBjZGEyNjllYzA1OGVjYiIsInN0aXRjaF9kb21haW5JZCI6IjVmMGNhOWY5NTViYWI1ZGVmYTgyOWRjOSIsInN1YiI6IjYxYjNjMjEyOTBjZGEyNjllYzA1OGU4ZiIsInR5cCI6ImFjY2VzcyJ9.hC807g-l0mNML9wgQ94VtNQUJZoUD8JQ61HFbFVCqC4",
"refreshToken": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJiYWFzX2RhdGEiOm51bGwsImJhYXNfZGV2aWNlX2lkIjoiNjFiM2MyMTI5MGNkYTI2OWVjMDU4ZWNiIiwiYmFhc19kb21haW5faWQiOiI1ZjBjYTlmOTU1YmFiNWRlZmE4MjlkYzkiLCJiYWFzX2lkIjoiNjFiM2MyMTM5MGNkYTI2OWVjMDU4ZjAyIiwiYmFhc19pZGVudGl0eSI6eyJpZCI6IjYxYjNiZjZmM2Y3NjQ0MDAxNjc5NzA2NiIsInByb3ZpZGVyX3R5cGUiOiJjdXN0b20tdG9rZW4iLCJwcm92aWRlcl9pZCI6IjVmYmM2ZWE1YjUyZjRiODdiM2IzZGM5NyJ9LCJleHAiOjE2NDQzNTQ1NzksImlhdCI6MTYzOTE3MDU3OSwic3RpdGNoX2RhdGEiOm51bGwsInN0aXRjaF9kZXZJZCI6IjYxYjNjMjEyOTBjZGEyNjllYzA1OGVjYiIsInN0aXRjaF9kb21haW5JZCI6IjVmMGNhOWY5NTViYWI1ZGVmYTgyOWRjOSIsInN0aXRjaF9pZCI6IjYxYjNjMjEzOTBjZGEyNjllYzA1OGYwMiIsInN0aXRjaF9pZGVudCI6eyJpZCI6IjYxYjNiZjZmM2Y3NjQ0MDAxNjc5NzA2NiIsInByb3ZpZGVyX3R5cGUiOiJjdXN0b20tdG9rZW4iLCJwcm92aWRlcl9pZCI6IjVmYmM2ZWE1YjUyZjRiODdiM2IzZGM5NyJ9LCJzdWIiOiI2MWIzYzIxMjkwY2RhMjY5ZWMwNThlOGYiLCJ0eXAiOiJyZWZyZXNoIn0.2ejD0bvSzmb6ZZJx34WV67eJNGhjOrrBGrcSWaSPiPw",
"profile": {
"type": "normal",
"identities": [{
"id": "61b3bf6f3f76440016797066",
"providerType": "custom-token"
}],
"data": {
"name": "kytyfe@onekisspresave.com",
"admin": false
}
},
"state": "active",
"customData": {}
}
So then I trigger a password reset email to that account, including a password reset token.
eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VySWQiOiI2MWIzYmY2ZjNmNzY0NDAwMTY3OTcwNjYiLCJpYXQiOjE2MzkxNzA5ODUsImV4cCI6MTYzOTI1NzM4NX0.Qr7pVfeyAQRtVhAfFAVv721Pw5xaWqRbRT_jUJejyXfFAtDcwvBRAKXnE1iwAct0XS62schikkl5VedOSkRTLFXjezsSw6HKGNK-8RnPw2osnihNEfYwgC9ZC-LVT3TfY0aGNmwI8TtN9VxbHWrvZWRPaa6x0tBBq2NjpjYXn1uaCkaMmasmH-y5wmbYOf5cU3O56Ywf69s5EeHAAUtlabWOyJbDt9dEUGm631L-PcVBE9qXKFtyu_3Vug6c8ZhT7fZw1WT_5x3k-9YAKPHTh2BLtapdDIq0S9hGSsgBzqxI5dtfYj2WSyXbmcvGaWdiaiDxV6ksoHieP_RYJMLvFw
And that token payload decodes to this:
{
"userId": "61b3bf6f3f76440016797066",
"iat": 1639170985,
"exp": 1639257385
}
So then I hit my endpoint to change the user’s password.
And I verify that the password hash on that mongo record has changed.
Which means I can now authenticate to my system with the new password.
I authenticate to my system and return this token…
eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.eyJhZG1pbiI6ZmFsc2UsInVzZXIiOiJreXR5ZmVAb25la2lzc3ByZXNhdmUuY29tIiwic3ViIjoiNjFiM2JmNmYzZjc2NDQwMDE2Nzk3MDY2IiwiYXVkIjoiZnVua3ktcmFkaXNoLXR3ZHh2IiwiYXV0aG9yIjoiIiwiaWF0IjoxNjM5MTcxOTA0LCJleHAiOjE2MzkyNTgzMDR9.rKiF5QndEXhbtSxQzbZnk-wArmrgYFR2fAOa-FUz4SPaQP1Un5g0dRc2aZX_qnEpwLIMQscRIUNOZ0K0pGa8Jdq668kcbjXlMR_TmC5WoB3_hd5tRaNei6w8y555QWpZan1tcElOHnB_TsAALcmG7HgeEmBkZ-Cf6oj582RgCGAWhQH9UL2HbC-R3fuA12DvfhBsaMyb5r9J_jPEUQSTmDg2zfLjAjVjvG6EqaWkw45iao9J8bMWxw_xaxnSwR3EZLAqu7-m_QnhDZCqJvvvljqxi273on9yQHQ2o4P7x5mZlerwcrDcnqp0Eo2sDV0i0JKav3T3sKYbJpE4CfescQ
Where the payload looks like this:
{
"admin": false,
"user": "kytyfe@onekisspresave.com",
"sub": "61b3bf6f3f76440016797066",
"aud": "funky-radish-twdxv",
"author": "",
"iat": 1639171904,
"exp": 1639258304
}
The sub is the same…
But when I try to connect to Realm using that token…
Apparently it totally works… WTF!
{
"id": "61b3c21290cda269ec058e8f",
"accessToken": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJiYWFzX2RldmljZV9pZCI6IjYxYjNjMjEyOTBjZGEyNjllYzA1OGVjYiIsImJhYXNfZG9tYWluX2lkIjoiNWYwY2E5Zjk1NWJhYjVkZWZhODI5ZGM5IiwiZXhwIjoxNjM5MTczOTU0LCJpYXQiOjE2MzkxNzIxNTQsImlzcyI6IjYxYjNjODNhZjEyNzM5MDBkMGM2YmJhMCIsInN0aXRjaF9kZXZJZCI6IjYxYjNjMjEyOTBjZGEyNjllYzA1OGVjYiIsInN0aXRjaF9kb21haW5JZCI6IjVmMGNhOWY5NTViYWI1ZGVmYTgyOWRjOSIsInN1YiI6IjYxYjNjMjEyOTBjZGEyNjllYzA1OGU4ZiIsInR5cCI6ImFjY2VzcyJ9.koROJ_t9H5em1J7au4BRZIigNhNQ4AOHQj5d6N6BoEA",
"refreshToken": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJiYWFzX2RhdGEiOm51bGwsImJhYXNfZGV2aWNlX2lkIjoiNjFiM2MyMTI5MGNkYTI2OWVjMDU4ZWNiIiwiYmFhc19kb21haW5faWQiOiI1ZjBjYTlmOTU1YmFiNWRlZmE4MjlkYzkiLCJiYWFzX2lkIjoiNjFiM2M4M2FmMTI3MzkwMGQwYzZiYmEwIiwiYmFhc19pZGVudGl0eSI6eyJpZCI6IjYxYjNiZjZmM2Y3NjQ0MDAxNjc5NzA2NiIsInByb3ZpZGVyX3R5cGUiOiJjdXN0b20tdG9rZW4iLCJwcm92aWRlcl9pZCI6IjVmYmM2ZWE1YjUyZjRiODdiM2IzZGM5NyJ9LCJleHAiOjE2NDQzNTYxNTQsImlhdCI6MTYzOTE3MjE1NCwic3RpdGNoX2RhdGEiOm51bGwsInN0aXRjaF9kZXZJZCI6IjYxYjNjMjEyOTBjZGEyNjllYzA1OGVjYiIsInN0aXRjaF9kb21haW5JZCI6IjVmMGNhOWY5NTViYWI1ZGVmYTgyOWRjOSIsInN0aXRjaF9pZCI6IjYxYjNjODNhZjEyNzM5MDBkMGM2YmJhMCIsInN0aXRjaF9pZGVudCI6eyJpZCI6IjYxYjNiZjZmM2Y3NjQ0MDAxNjc5NzA2NiIsInByb3ZpZGVyX3R5cGUiOiJjdXN0b20tdG9rZW4iLCJwcm92aWRlcl9pZCI6IjVmYmM2ZWE1YjUyZjRiODdiM2IzZGM5NyJ9LCJzdWIiOiI2MWIzYzIxMjkwY2RhMjY5ZWMwNThlOGYiLCJ0eXAiOiJyZWZyZXNoIn0.xYRuCq_zlbI2kAjJCazKEVyB0sNSuP8xy24GHkV9Oqs",
"profile": {
"type": "normal",
"identities": [{
"id": "61b3bf6f3f76440016797066",
"providerType": "custom-token"
}],
"data": {
"name": "kytyfe@onekisspresave.com",
"admin": false
}
},
"state": "active",
"customData": {}
}