This might seem like a redundant question, but please hear me out first:
I'm working with a React Frontend and a Node Backend. I'm using JWT to deal with user authentication. Right now, I'm having trouble actually working with the JWT and performing the authentication. Here's where I'm stuck:
~ I try setting the token as an http cookie in my backend. If i work with postman, I see the token being set. However, when I use req.cookies.token to try and receive the token cookie to perform validation in the backend, I get an undefined value. Am I supposed to be sending the cookie from the frontend to the backend somehow? I feel like this is the part that I am missing.
Please advise!
SO I can give you an alternative solution to handling session making use of express-session and connect-mongodb-session this has tend to been the popular and somewhat secure solution for server session handling
Firstly you will need the following packages
npm i express-session connect-mongodb-session or yarn add express-session connect-mongodb-session
Now that we have packages that we need to setup our mongoStore and express-session middleware:
//Code in server.js/index.js (Depending on your server entry point)
import expressSession from "express-session";
import MongoDBStore from "connect-mongodb-session";
import cors from "cors";
const mongoStore = MongoDBStore(expressSession);
const store = new mongoStore({
collection: "userSessions",
uri: process.env.mongoURI,
expires: 1000,
});
app.use(
expressSession({
name: "SESS_NAME",
secret: "SESS_SECRET",
store: store,
saveUninitialized: false,
resave: false,
cookie: {
sameSite: false,
secure: process.env.NODE_ENV === "production",
maxAge: 1000,
httpOnly: true,
},
})
);
Now the session middleware is ready but now you have to setup cors to accept your ReactApp so to pass down the cookie and have it set in there by server
//Still you index.js/server.js (Server entry point)
app.use(
cors({
origin: "http://localhost:3000",
methods: ["POST", "PUT", "GET", "OPTIONS", "HEAD"],
credentials: true,
})
);
Now our middlewares are all setup now lets look at your login route
router.post('/api/login', (req, res)=>{
//Do all your logic and now below is how you would send down the cooki
//Note that "user" is the retrieved user when you were validating in logic
// So now you want to add user info to cookie so to validate in future
const sessionUser = {
id: user._id,
username: user.username,
email: user.email,
};
//Saving the info req session and this will automatically save in your mongoDB as configured up in sever.js(Server entry point)
request.session.user = sessionUser;
//Now we send down the session cookie to client
response.send(request.session.sessionID);
})
Now our server is ready but now we have to fix how we make request in client so that this flow can work 100%:
Code below: React App where you handling logging in
//So you will have all your form logic and validation and below
//You will have a function that will send request to server
const login = () => {
const data = new FormData();
data.append("username", username);
data.append("password", password);
axios.post("http://localhost:5000/api/user-login", data, {
withCredentials: true, // Now this is was the missing piece in the client side
});
};
Now with all this you have now server sessions cookies as httpOnly
Related
I'm trying to set up cookie authentication in my Angular/Express app.
I'm using cookie-session to configure the cookie :
app.use(
cookieSession({
name: "marketplace-session",
secret: RSA_PRIVATE_KEY,
httpOnly: true,
secure: true,
sameSite: 'lax'
})
);
Then in my login route I generate a token and put it in the cookie :
const token = jwt.sign({userId: user._id}, RSA_PRIVATE_KEY, {
expiresIn: '24h'
});
req.session.token = token;
And in my logout route I destroy the cookie session :
req.session = null;
Client-side, I used an interceptor to add "withCredentials: true" to every request sent to the server :
intercept(req: HttpRequest<any>, next: HttpHandler): Observable<HttpEvent<any>> {
req = req.clone({
withCredentials: true
});
return next.handle(req);
}
The problem is that after logout, the cookie is still stored by the browser and sent in every request, which means that the user can still access restricted routes after logout. I'm not sure if I should also remove the cookie client-side, as it's my understanding that the cookie should only be treated in the backend.
I am creating a react app and I was adding functionality of registering users.
Everything was successful but I am unable to access Passport User property in socket I used the same code given in socket.io example
const session = require("express-session");
const passport = require("passport");
io.use(wrap(session({ secret: "cats" })));
io.use(wrap(passport.initialize()));
io.use(wrap(passport.session()));
io.use((socket, next) => {
if (socket.request.user) {
next();
} else {
next(new Error("unauthorized"))
}
});
This example works fine if domain is same but when I use CORS I am unable to access the passport property in session.
my react app domain is localhost:3000 and socket server domain is localhost:5000
Assuming that you are using same protocol and same domain but different ports it should still work fine if you setup your client and server with cors flags, e.g
// server-side
const io = new Server(httpServer, {
cors: {
origin: "https://example.com",
allowedHeaders: ["my-custom-header"],
credentials: true
}
});
// client-side
import { io } from "socket.io-client";
const socket = io("https://api.example.com", {
withCredentials: true,
extraHeaders: {
"my-custom-header": "abcd"
}
});
The sample above was taken from socket.io docs: https://socket.io/docs/v4/handling-cors/
However, the above configuration will work only if client/server are sharing the same top level domain and same protocol. e.g. client: https://example.com, server: https://server.example.com
I spent some time to figure out myself why:
client: http://127.0.0.1:3000 does not work with server: https://127.0.0.1:8000, notice the protocol difference.
With cors configurations in place, it works fine if I use http://127.0.0.1:8000 for server.
PS: If you need to use different top domains, be aware of SameSite policy that might be in place for your browser: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie/SameSite
This policy might restrict your cookies to be sent to server.
so... if different protocol or domains, you should make sure that you session cookie has SameSite flag set as 'none', via:
const session = require('express-session');
...
// Session setup
const sessionConfig = {
secret: 'secret', // Session secret
resave: false, //don't save session if unmodified
saveUninitialized: false, // don't create session until something stored
cookie: {
sameSite: 'none',
secure: true,
}
}
const sessionMiddleware = session(sessionConfig);
app.use(sessionMiddleware);
...
io.use(wrap(sessionMiddleware));
both sameSite and secure properties are needed if you are playing with https:// protocol
My attempts at logging in are not getting saved to express session in production. I am saving the session in Mongo Store and the sessions are coming up in MongoAtlas as modified (they way they should appear), but for some reason the server is not recognizing that there is an existing session and is making a new one. When I enable express-session debug, it logs express-session no SID sent, generating session on each request to the server. This makes me think that the session id isn't getting sent with the request and that the problem has something to do with my client and server being on different domains (my client address is https://example.com and my server is on https://app.example.com. I originally had my client on https://www.example.com but changed it thinking that the cookie was getting mistaken for a 3rd party cookie (maybe it still is).
My client is hosted on Firebase Hosting and my Express server is hosted on Google Cloud Run
my express-session settings
app.set('trust proxy', true)
app.use(session({
secret: 'myappisasecret',
resave: false,
saveUninitialized: false,
secure: true,
store: new MongoStore({mongooseConnection: mongoose.connection}),
cookie: {
maxAge: 1000 * 60 * 60 * 24 * 7, // 1 week
sameSite: 'lax',
secure: true,
domain: 'mysite.com'
},
proxy: true // I think this makes the trust proxy be useless
}))
Below is my coors server stuff. This code is located above the code above, but I don't think it is causing any issues, but think that it might be important to include.
let whitelist = ['https://app.example.com', 'https://www.example.com', 'https://example.web.app', 'https://example.com']
let corsOptions = {
origin: (origin, callback) => {
if (whitelist.indexOf(origin) !== -1 || origin === undefined) {
callback(null, true)
} else {
console.log('Request Origin blocked: ', origin)
callback(new Error('Request blocked by CORS'))
}
},
credentials: true
}
app.use(cookieParser('myappisasecret'))
app.use(cors(corsOptions))
Since the server wasn't receiving a session id, I thought that maybe my client wasn't sending one so I added credentials: 'include' to my client request code
const reqHeaders = {
headers: {
"Content-Type": "application/json"
},
credentials: 'include' as any,
method: "GET"
}
fetch('https://app.example.com/u/loggedIn', reqHeaders)
.then(res => etc...
When this request gets submitted expression-session debug logs:
express-session saving z3ndMizKoxivXR0N9LBZYkPhDG65uvF2 and then
express-session split response
This makes me think that as it tries to save my user data to the session, it gets overwritten at the same time with an initial session data. I have set resave: false. But even then I still get express-session no SID sent with every request sent to the server.
Apparently when hosting with Firebase and Cloud Run cookie headers get stripped due to Google's CDN cache behavior.
Here's the documentation that describes that:
https://firebase.google.com/docs/hosting/manage-cache#using_cookies
I have no clue how to implement sessions now. F
In my server.js code below I am setting up a middleware that should pass through Shopify OAuth and then redirect to the / route.
The '/' route, and its redirect url, are loaded in an iframe inside the shopify Admin area. I do see the page that / redirects to. But no cookies are present.
Related to the cookie settings, I am accessing this route in a web browser and on a secure https connection.
I am using Google Chrome Version 79.0.3945.88 (Official Build) (64-bit). I'm also using EditThisCookie browser extension to see the cookies that are present for the domain.
Can anyone tell why the cookies I am trying to set in server.js are failing to set?
import "isomorphic-fetch";
require("dotenv").config();
import Koa from "koa";
import Router from "koa-router";
import session from "koa-session";
import authorizeForShopify, {verifyRequest} from "#shopify/koa-shopify-auth";
const koa = new Koa();
const router = new Router();
const {SHOPIFY_BUYUSED_API_KEY, SHOPIFY_BUYUSED_API_SECRET, SHOPIFY_BUYUSED_SCOPES} = process.env;
koa.keys = [SHOPIFY_BUYUSED_API_SECRET];
koa.use(session({secure: true, sameSite: "none"}, koa));
////// Shopify OAuth //////
koa.use(authorizeForShopify({
apiKey : SHOPIFY_BUYUSED_API_KEY
, secret : SHOPIFY_BUYUSED_API_SECRET
, scopes : SHOPIFY_BUYUSED_SCOPES.split(",")
, afterAuth(ctx: Koa.Context): void {
console.log(`=====inside afterAuth()=====`); // I don't see this log statement
const {shop, accessToken} = ctx.session;
console.log({ // also I do not see this one
message : "from inside afterAuth()"
, shop
, accessToken
});
// cookie setting
const cookieOptions = {
httpOnly: true,
secure: true,
signed: true,
overwrite: true
};
// neither cookie is present in EditThisCookie
ctx.cookie.set("buyUsed_shopName", shop, cookieOptions);
ctx.cookie.set("buyUsed_generalToken", accessToken, cookieOptions);
ctx.redirect("/");
}
}));
////// Routing //////
router.get('/', async ctx => {
// ctx.body = "Koa server running, '/' route triggered"
ctx.redirect("https://storage.cloud.google.com/buy_used/consoleLog.js");
});
koa.use(verifyRequest());
koa.use(router.routes())
.use(router.allowedMethods());
const port: number = Number(process.env.PORT) || 8080;
koa.listen(port, undefined, undefined, () => console.log(`=====Koa listening on port ${port.toString()}=====`));
In the case of Koa, the methods to work with cookies are ctx.cookies.get and ctx.cookies.set. Thus, the lines should be changed to:
// neither cookie is present in EditThisCookie
ctx.cookies.set("buyUsed_shopName", shop, cookieOptions);
ctx.cookies.set("buyUsed_generalToken", accessToken, cookieOptions);
It works when setting, "secureProxy: true"
ctx.cookies.set('jwt', token, { httpOnly: true, secure: true, sameSite: "none", secureProxy: true });
I have an issue testing the Express app with Supertest, using the 'cookieSession' from Express.
Everything works fine, when I use session from Express, but cookieSession just doesn't work with PassportJS properly.
I am using PassportJS to authenticate the user and set the user to request object (req.user). So the /login works as expected, it returns the right set-cookie header, but on the next request, the authentication fails, which doesn't set the req.user property with the user object, even though it is deserializing/serializing user properly
Environment
Versions:
Express: 4.16.2
PassportJS: 0.3.2
Supertest: 2.0.1
Superagent: 2.3.0
This is how I initialize the superagent:
import * as supertest from 'supertest';
import * as superagent from 'superagent';
import app from '../../app';
const request = supertest.agent(app);
I run login before the tests (using async/await feature):
await request.post('/login').send({
email: 'some#email.com',
password: 'plainpassword'
});
Then I make first request to the backend for retrieving data:
const readResponse: superagent.Response = await
request.post('/getData').send(requestBody);
And this is where it fails. It returns me the status code 401, beacuse PassportJS doesn't provide the user data to request object. Is it not in req.user perhaps?
In the app.ts I set the cookieSession and passportJS session like that:
app.use(cookieSession({
keys: [process.env.SESSION_SECRET],
maxAge: 24 * 60 * 60 * 1000 * 14 // 14 days
}));
app.use(passport.initialize());
app.use(passport.session());
BUT: If I use the normal session (which is storing data in the database):
app.use(session({
resave: true,
saveUninitialized: true,
secret: process.env.SESSION_SECRET,
cookie : {
expires: false
},
store: new MongoStore({
url: process.env.MONGODB_URI || process.env.MONGOLAB_URI,
autoReconnect: true
})
}));
app.use(passport.initialize());
app.use(passport.session());
then everything works like a charm (except that I have some other issues, which was the reason why I switched to cookieSession.
Thanks!