How to handle expired sessions in NodeJs - node.js

I'm using Express and Passport.js in my project. I handle login and logout of users. But if the user does not log out, I don't handle the expired session. I want to handle expired sessions, or I want to access the current session list on the server. Are there any methods for this?

Related

Nest js getting user id from the session in the websocket listener

I'm trying to get the userId inside the websocket listener. I've done a ton of Google searches about the topic but without any progress.
I'm using the passport and express-session packages.
Please be more specific regarding user IDs. I see you are using Passport to implement your session authentication. What particular Passport authentication are you using? Passport Google Auth, Passport Discord, etc.; there are plenty. Generally, the session data is what you are looking for, if the user ID is stored that way.
The session cookie or session store will contain the authentication data you are looking for. If you are using express-session, this information can be obtained by looking at the "req.user" aka Request user. Whatever you store for session data will come up in the req if the user is authenticated through Passport.

Should I clear cookies on logout from the server or the client?

I'm using React as my client and ExpressJs as the server. When a user clicks on the logout button, should I send a request to the server to clear the cookie or should I do it from the client-side?
Both. I'd use passport.js to manage the server-side stuff and use their tutorial https://www.passportjs.org/tutorials/password/ for session ID authentication. On the server, once you ping the logout route, it will invalidate any session ID passed to authenticated routes and not let you pass. The problem with not using both is that after the logout route is visited and the session is only invalidated on the server, your session ID will not be valid for authenticated routes. The user would appear to have the same access, but once they try to access routes, it will drop a 401 error. The problem with only using client-side logout, then, would be that the user would not be able to see what they can access, but anyone that has managed to steal the session ID would still be able to use their account!

How to send "Your session expired" once, after client logged out automatically in Express + Passport

I am using Express, Passport and SequelizeSessionStore to enable user login and session persistence.
I have a configuration that automatically logs the user out when they have not refreshed the website for more than 30 minutes. The user is redirected to the login page.
How do I inform the user about this? How can I dig information out of Passport or Express right after the user is logged out, to create an alert message on the frontend? I want it just once and just when the user is logged out automatically.
EDIT: It seems that SequelizeSessionStore just removes the session from the database after the configured time. I can't find a way to distinguish between a normal logout and an automatic logout.

After successful login the user is redirected to the home page where the SPA loads. Is using a session cookie with JWT a bad idea?

I have an express + postgres backend, and I'm using passport-facebook for FB oauth.
If a user hits my app at / without having a valid token in localStorage, they're taken to /login.
My /login page (where you're greeted with the familiar "Continue with Facebook" message) is server rendered (for various reasons). Upon clicking this button, I either verify the user if they exist and send them a session cookie with the initial JWT, or create a new user and send them a session cookie with the initial JWT. In both cases, the success condition is that they are redirected to / and served the SPA assets.
One of the first things the SPA does is take the JWT from the session cookie and put it into localStorage, and then delete the cookie.
Is this a terrible approach, or is it valid in my use case?
You are using the session cookie as a means to store the JWT on the client. This means that you create a server session that will remain open until it expires, spending server resources.
Session cookies are not readable from JavaScript, so I guess you make a request to the server to get the JWT, right?
The process does not seem problematic, but I think you could optimize it by sending the JWT directly in the response during your redirection process, using a regular cookie with the Set-Cookie header. The cookie will be stored on the client and you could access it directly.

Trade username and password for a token

I have a Node.js application that offers several different routes in front of MongoDB. I need to make sure that only authenticated requests can access these routes.
Ideally, I want to set it up so that a username and password comes in to the API, and in a response we give them back a token. I don't mind managing the tokens inside MongoDB myself, but I need to make sure that the token we give back can make authenticated requests. I don't want to force the user to send their credentials each time, just the token.
I've read for a few days about Passport, and there are currently 307 strategies. Which strategy am I describing here?
Which strategy am I describing here?
You are describing a Local Strategy.
As per their description:
This module lets you authenticate using a username and password in your Node.js applications.
I don't want to force the user to send their credentials each time, just the token.
Passport auth strategies just provide various ways to authenticate (or, in simple terms, log in) the user, not a way to persist that login. Login persistence is usually done with user sessions.
One way you can solve this is to combine the local strategy with the express-session middleware. The combination of the two allows for a fairly simple auth system that requires the user to log in once and then persists the session.
In a typical web application, the credentials used to authenticate a user will only be transmitted during the login request. If authentication succeeds, a session will be established and maintained via a cookie set in the user's browser.
Each subsequent request will not contain credentials, but rather the unique cookie that identifies the session. In order to support login sessions, Passport will serialize and deserialize user instances to and from the session.
The PassportJS docs give an example of how to achieve this.
For this you should prefer generating JWT tokens for the login and then using the token to always authenticate user actions.
The following steps are needed to implement this style of token login system:
generate a token on login
verify the token when it is supplied and use the decoded data to identify the user
use proper middleware in order to protect your API.
Here is a link you could follow:
https://scotch.io/tutorials/authenticate-a-node-js-api-with-json-web-tokens