Hey there all I am struggling with a very strange issue, I have a react app where the user can log in and the JWT token gets saved in the local Storage so on refresh of the page the user is still logged in, and it works as it should.
But I have my server and the app running from a Ubuntu server now for production with nginx set up and on the refresh of the page the user is always logged out, although on the reload before the page is loaded in the console i can log out the token bearer.
Why can that be?
Do you guys have any tips?
Related
I'm hosting a web application built with NestJs and React (NodeJs) in an IIS Server with IIS Node. To secure my app, I'm using a system with JWT Token + Refresh Token and Windows Authentication to automatically get the connected user and so generate tokens.
Everything (almost) is working fine, but I have a problem with the Windows Authentification. Each time the JWT Token of my application expired (so the API returns a 401 error page) and only after a refresh of the navigator page, the navigator prompt again the pop up to set windows credentials. The logic use case on this is that one day you're using the webapp, and some days later you want to use the app again, but your token is expired, 401 error, windows credentials is prompting.
If the token expires, and the user simply navigate to another page (so no page refresh with my React SPA) there's no problem, the JWT token is refreshed with the refresh token thanks to the API.
I've already tried some stuff:
Disable Loopback Check
Enable Anonymous and Windows Authentication
Changing some random settings
But I haven't found a solution yet.
My goal is to only have the Windows Credentials display once, when the user visits the page for the first time.
As I'm out of ideas, I'm considering setting a JWT that never expire, but of course it's not a great solution.
Thank you very much for your help!
I ended up using a custom 4xx code to handle my 401. So if my API is sending me a 499 http, I know it mean for my frontend that the session is expired. Hence, I don't have the prompt for Windows Credentials.
I'm using azure app service built in authentication to log in users to my web app. Since I have some pages that user can access without authentication I have allowed anonymous access in app service auth configuration.
It works as intended for the current session. But when the user closes the browser or opens a new window, the authentication is lost. The user is required to login again.
Is there any way to keep the user logged in?
What I do currently:
On sign in button click,
direct the user to /.auth/login/microsoftaccount, after successful login I call ./auth/me to get the user claims/details and then login the user. Then I do a http post to https://appname.azurewebsites.net/.auth/login/microsoftaccount to validate the tokens that I got from /.auth/me and I also get a session token from this post request (which I don't know what to use for).
I use the custom headers set by the app service for authentication on the backend. App service auth docs
Is this the right way of doing authentication using app service. If so is there any way that we can keep the user logged in to app service auth and not ask them to sign every time they open the website.
Is there any way to cache the tokens?
It is normal that you need to login again after close your browser or open in a new window, because the life cycle of session is from opening the window to closing the window.
You could consider using cookie coordinating with session. Session is on server side, we cannot see it, but we could set the time out value. Cookie is on client side, we could save some authentication information to stay login, but it is not safe.
So I am building a sample Reactjs app where I am using Google OAuth for authetication. The Oauth is taken care by a node application using passport.js
The react app is running on localhost:3000 while the node app is running on localhost:5000. I have setup some proxy using createproxymiddleware to communicate between them.
In the React app , on the / route I have a login screen. When the user clicks on on the Login button , the user is redirected to /auth/google. The proxy kicks in and it gets redirected to localhost:5000/auth/google where the oAuth flow starts and the user can log in.
Passport.js takes care of the flow and then the user is redirected to /home/dashboard which is basically localhost:3000/home/dashboard.
The above flow is working fine. But the problem I face is that I want to keep track on the React side whether the user is logged in or not. If he is logged in and visits localhost:3000/ he must be redirected to localhost:3000/home/dashboard else if he is not logged in and tries to visit localhost:3000/home/dashboard he must be redirected to localhost:3000.
How can I achieve this?
thanks for trying to help me.
My setup:
1 Apache Webserver with shibboleth Service Provider
2. Node Js Server / api
3. Angular Frontend
4. PostgreSQL database
What I am doing and what I want to do:
I go to my web apps URL
https://myurl.com
Apache sends me to a shibboleth authentication side and after a successful login it will send me to the start page of my app. -> works
Now I want to login the user directly to my app if there is the same username in the database as the one I got from shibboleth. -> not working
(I don’t now how to manage this without saving the DB pw for the user somewhere on the server)
At the moment the user needs to login with his DB credentials in my Frontend. After pressing the login button on my angular app there is a post request sent to my node api.
A database object will be created with pg promise library and now the user is able to get data from the database and will be logged in.
I can’t get a password from the shibboleth authentication server. I only get the user name.
I will try to add some code tonight.
What is the best way to login the user to the database after shibboleth authentication?
So I have this problem on my site that after I logged in as a facebook user and after I clicked few links, NGINX error page will come out. But when I test it on another browser that does not logged in as a facebook user, it won't give an error.
By the way I used 'express-mysql-session' as my session store.