While building a Node.js backend for a client, login endpoints started returning 401. Investigation revealed all JWT token verifications were failing — the log showed JWT_SECRET was the literal string "undefined" instead of the actual secret. Here's the root cause and solution.
Encountered this issue while building a SaaS authentication system for a client. Here's the root cause and solution.
In Node.js ES Modules, import statements execute before dotenv.config(). If module-level code reads process.env.JWT_SECRET, it gets undefined, causing JWT signing to use the string "undefined" as the secret — no errors thrown, but all token verification fails. The fix: lazy initialization.
JWT login returns 200, but all subsequent requests return 401. Investigation reveals:
jwtVerify()console.log(process.env.JWT_SECRET) outputs undefined// jwt.ts — module-level code
import crypto from 'crypto';
// ❌ This line executes BEFORE dotenv.config(), JWT_SECRET is undefined
const SECRET = crypto.createSecretKey(
new TextEncoder().encode(process.env.JWT_SECRET)
);
The worst part: no error is thrown. new TextEncoder().encode(undefined) encodes the string "undefined" into bytes, producing a valid but wrong secret key.
ES Module import statements are statically hoisted:
// server.ts (entry file)
import { router } from './routes/auth'; // ← runs first
import { authenticateToken } from './middleware/auth'; // ← runs first
dotenv.config(); // ← runs AFTER all imported modules execute
Execution order:
import statements and builds the dependency graphjwt.ts's const SECRET = ... runs here)server.ts, runs dotenv.config().env is loaded into process.envSo jwt.ts module-level code reads process.env.JWT_SECRET as undefined.
Move secret initialization into a function — env var is read on first call, not at import time:
import crypto from 'crypto';
let _secret: crypto.KeyObject | null = null;
function getSecret(): crypto.KeyObject {
if (!_secret) {
const secretValue = process.env.JWT_SECRET;
if (!secretValue) {
throw new Error('JWT_SECRET environment variable not set');
}
_secret = crypto.createSecretKey(
new TextEncoder().encode(secretValue)
);
}
return _secret;
}
// Use getSecret() everywhere the key is needed
export async function generateToken(payload: any): Promise<string> {
return new SignJWT(payload)
.setProtectedHeader({ alg: 'HS256' })
.sign(getSecret()); // ← deferred until runtime
}
No dependency on entry file import order — safe regardless of when called.
// server.ts — ensure these lines come before ALL imports
import 'dotenv/config'; // or require('dotenv').config()
import express from 'express';
// ...other imports
Limitation: If another entry point (cron job, worker) forgets this line, the bug resurfaces.
require('dotenv').config() only guarantees order in CommonJS; ES Module import always executes before runtime code在为客户构建 SaaS 认证系统时遇到此问题,记录根因与解法。
Supabase Auth + FastAPI 集成有三个常见坑:JWKS 路径不是标准路径、ES256 签名需转换为 DER 格式、用户首次登录时本地数据库无记录。本文提供完整解决方案。
Encountered this issue while upgrading Node.js version for an enterprise SaaS system. Documenting the root cause and solution.
Node.js v24 changed Web Crypto API implementation. The jose library now requires keys to be KeyObject or CryptoKey type. Wrap your key with crypto.createSecretKey() to fix.