I'm merging two little apps into one, that is supposed to be accessed via two subdomains. To do so I'm using the module "express-subdomain". I'm trying to use Passport so when a user logs in in the first app, he is logged in in both apps. However using req.isAuthenticated() I can indeed login in the "first" app, but then I'm not in the "second" one.
I'm searching for any solution to have a passport authentification in the first subdomain and being logged in in the second one, including keeping two disctinct apps if needed.
Assuming that passport is correctly configured for a local strategy, as well as the routers and the rest of the app. Here is what it looks like :
app.js
// <- requires etc
var passport = require('./configurePassport.js')(require('passport'));
var app = express();
app.use(cookieParser());
app.use(bodyParser.json());
app.use(bodyParser.urlencoded({extended: true}));
app.use(expressSession({
secret: 'bestSecretEver',
resave: false,
saveUninitialized: false
}));
app.use(passport.initialize());
app.use(passport.session());
// and others
var firstRouter = express.Router();
firstRouter.use('/public', express.static(__dirname + '/first/public'));
firstRouter.use(favicon(__dirname + '/first/public/favicon.ico'));
// <- setting first router's GET, POST etc
app.use(subdomain('sub1', firstRouter)); // for sub1.example.com
var secondRouter = express.Router();
secondRouter.use('/public', express.static(__dirname + '/second/public'));
secondRouter.use(favicon(__dirname + '/second/public/favicon.ico'));
// <- setting second router's GET, POST etc
app.use(subdomain('sub2', secondRouter)); // for sub2.example.com
Any idea ?
Look into where you're saving your cookies for authentication purposes. Make sure you have it saved to the root domain. ie: *.example.com and not sub1.example.com
Using passport local authentication, login works, I click getStatus button and it works, then logout works. But after logout, I click BACK in the browser, it can still display the full content of getStatus. The console log in isAuthenticated() still says "you are logged in". This is the simplified code:
var express = require('express');
var passport = require('passport');
var net = require('net');
var bodyParser = require('body-parser');
var http = require('http');
var multer = require('multer');
var cp = require('child_process');
var exec = require('child_process').exec;
var sys = require('sys');
var path = require('path');
var util = require('util');
var session = require('express-session');
var crypto = require('crypto');
var sqlite3 = require('sqlite3');
/////////////////////////////////////////////////
var LocalStrategy = require('passport-local').Strategy;
var db = new sqlite3.Database('./myPassword.db');
passport.use(new LocalStrategy(function(username, password, done)
{
console.log("step 2: Client sent you user: " + username + " password: " + password);
db.get('SELECT slat FROM users WHERE username = ?', username, function(err, row)
{
if (!row) return done(null, false);
console.log("step 4");
db.get('SELECT username, id FROM users WHERE username = ? AND password = ?',
username, password, function(err, row)
{
console.log("step 6");
if (!row) return done(null, false);
console.log("step 8");
return done(null, row);
});
});
}));
passport.serializeUser(function(user, done) {
return done(null, user.id);
});
passport.deserializeUser(function(id, done) {
db.get('SELECT id, username FROM users WHERE id = ?', id, function(err, row)
{
if (!row)
return done(null, false);
return done(null, row);
});
});
/////////////////////////////////////////////////
var isAuthenticated = function(req, res, next)
{
//if (req.user.authenticated)
if (req.isAuthenticated()) {
console.log("Very good, you are logged in ...");
return next();
}
console.log("Sorry, you are NOT logged in yet ...");
res.send(200);
};
/////////////////////////////////////////////////
var app = express();
/////////////////////////////////////////////////
var server = http.createServer(app);
/////////////////////////////////////////////////
app.use(function(req, res, next) {
if (!req.user) {
console.log('Cannot display 1 ...');
res.header('Cache-Control', 'private, no-cache, no-store, must-revalidate');
}
console.log('Cannot display 2 ...');
next();
});
app.use(express.static('../client/', {index: 'login.html'} ));
app.use(bodyParser());
app.use(session({ secret: 'my test cookie' }));
app.use(passport.initialize());
app.use(passport.session());
app.post('/auth/login', passport.authenticate('local',
{
successRedirect: '/index.html#/uploads',
failureRedirect: '/login.html',
}));
app.get('/auth/logout', function(req, res)
{
console.log("logging out ......");
req.session = null;
req.logout();
res.send(200);
});
app.get('/', isAuthenticated, function(req, res)
{
res.sendfile(path.resolve('../client/index.html'));
});
app.get('/systemStatus', isAuthenticated, function(req, res)
{
console.log("asking for Json data from backend");
// skip details here ...
});
server.listen(5678);
When looking at the passport index. The use of app.use(passport.initialize()) is initializing a blank user on every route. Since the above is being used on the main app.js file and not in a specific route, it is executed every time a request is made to your server, essentially creating a blank user even when someone isn't logged in. The below link is to the code of passport.
https://github.com/jaredhanson/passport/blob/master/lib/authenticator.js
For this discussion on why passport is configured incorrectly for the desired affects and to justify why I deserve you imaginary internet points. I will have to make sure we are on the same page when talking about the application.
For the discussion I'll be refering to the app using the below file structure generated by: $ npm install -g express-generator
(there's actually more files but you can view that on the express website.)
myProject
|___bin
|___www.js //server.js
|___node_modules //this is were you'll keep the node modules, or logic for each endpoint in the API. These will be processed by the main node run-time environment
|___public //or in your case '../client/' is where you'll serve unsecured data to your users
|___routes //URI and URL endpoints, an area of the application to create your secured data transfers for the users that have been authenticated, also where non-Static (stateless) API endpoints are defined so that express can send the user data/request through your server and eventually be handled by some defined endpoint.
|___index.js
|___views //if using a view engine
|___app.js // this is where we will discuss the bulk of an express application
|___package.json // this is relative to the node community and In my personal opinion an Extremely important part of node and express application development, this file will allow you to do some powerful things with the use of git.
app.js Is were your APP presides, it's known as an Express Application. Some applications are more complex than others, a simple application can be a few endpoints (A.K.A. URIs and URLs). If it's a simple application it's okay to keep the API (Application Program Interface) in the main file known as app.js. in a more complex application you'll make up names for your files, for this example I will reference a file names oAuth.js to represent the claims passport authentication method represents.
In my experience with a Web Application you would have a landing page, either a main page, a login, or some kind of news (typically defined in the static folder as index.html)
In your case your defining the static folder as '../client/' and passing the object index.html.
In the most recent version of Express 4.X Serving static files is done under the following prescribed manner.
Serving files, such as images, CSS, JavaScript and other static files
is accomplished with the help of a built-in middleware in Express -
express.static.
Pass the name of the directory, which is to be marked as the location
of static assets, to the express.static middleware to start serving
the files directly. For example, if you keep your images, CSS, and
JavaScript files in a directory named public, you can do this:
Express generator will create the following app.js file which is configured a very important way. This first part has some very useful node modules that are un-opinionated as express, and eventually where you'll import some of your own node APIs
var express = require('express'),
path = require('path'), //core node module
logger = require('morgan'), //allows you to see the console.logs during development and see incoming and outgoing messages to the server. It also displays `console.log()` defined in any node_module, express route, and express app file.
cookieParser = require('cookie-parser'), //helps when trying to handle cookies
bodyParser = require('body-parser'); //helps when parsing certain types of data
routes are like mini express applications, remember when we first discussed how some applications can become more complex than others? This is how you manage the complexity so your application can grow and flourish. Assuming you wish to add new features for your loving and wonderful users.
var route = require('.routes/index',// this is importing the the logic of the URI and URL enpoint to this file. It will be referenced as the second argument in the route and configuration references below.
oAuth = require('.routes/oauth') // this is the file where you'll place all of the passport logic you have previously wrote. Any other authenticated routes need to be defined in this file.
// view engine setup
app.set('views', path.join(__dirname, 'views'));
app.set('view engine', 'jade'); //alot of people are also using EJS equally if not more
Now setup the basic middlewares provided by express-generator
app.use(logger('dev'));
app.use(bodyParser.urlencoded({ extended: true }));
app.use(bodyParser.json());
app.use(bodyParser.json({ type: 'application/vnd.api+json' }));
app.use(cookieParser());
app.use(express.static(path.join(__dirname, 'public'))); //this style declaration ensures you hit what ever directory you want to by changing public as long as that directory exists.
route URI and URL endpoints being defined by you to -->express. It takes the form of strings and a reference to it's route at the top of this file
app.use('/', routes); //unsecured landing page
this express object usage will allow you to define APIs, authorized and unAuthorized routes. This is where you will declare your reference to the authenticated portion of the Express Application. Any portion of the application declared above app.use('/auth/',oAuth) will NOT be authenticated. Any portion declared below the /auth/ portion of your URIs and URLs. will be authenticated.
app.use('/auth/', oAuth);
some extras that the express generator will place in the app file which are extremely useful.
// catch 404 and forward to error handler
app.use(function(req, res, next) {
var err = new Error('Not Found');
err.status = 404;
next(err);
});
// development error handler
// will print stacktrace
if (app.get('env') === 'development') {
app.use(function(err, req, res, next) {
res.status(err.status || 500);
res.render('error', {
message: err.message,
error: err
});
});
}
// production error handler
// no stacktraces leaked to user
app.use(function(err, req, res, next) {
res.status(err.status || 500);
res.render('error', {
message: err.message,
error: {}
});
});
Because you are polluting your applications namespace with un-needed complexity it is inadvertently causing you undesired authentication affects. This goes deeper since it's relative to formatting and configuring your application program interface and how javascript files are executed in the Node run-time environment, as well as how the express application framework is meant to be used and configured when building complex applications that require authentication to access.
Now back to your question of why you keep getting an authenticated user although no one is logged in? It's because your use of app.use('some string or some middleware'). To fix the issue remove all of your authentication processing and move it to a route. In the above example it's referenced as oAuth.js. Define any routes that need authentication behind the passport middleware.
Now because your question is also regarding node and you mentioned in the comments that you are part of a scrum it's important to state that all of this information is contained on the express website which is where i initially linked my answer. Despite me telling you that you need a route and that passport was configured incorrectly. So any inflammatory comments "read the manual" are made because I feel that you didn't even investigate the link I sent in my initial answer, nor did you read any other part of the express frame work and their website. If you plan to understand any node_modules and complex frame works its equally important to read about them and do their tutorials, actually go through the node_modules when there is a getting started and/or they have API references. By blasting into application development without trying any portion of the framework basics will just make you spend more time coding bad breakable code. It will slow your development significantly if you aren't understanding how the node_modules function. The best way to understand their functionality is by reading them. That's all for my rant/advice for learning how to develop a web application. Ultimately you'll be able to reuse a lot of your tutorial code in a application.
I've been having problems trying to access stored session values! Once I've set the values and try access them from a new route, I get undefined! So basically I've got a login (POST) and in that request I set the session data, and then I have a show user details (POST) where I try and access the session data I've just stored.
Setup
// Setup express and needed modules #############################################
var express = require('express'),
session = require('express-session'),
cookieParser = require('cookie-parser'),
redis = require("redis"),
redisStore = require('connect-redis')(session),
bodyParser = require('body-parser');
var client = redis.createClient(), //CREATE REDIS CLIENT
app = express();
// Setup app
app.use(cookieParser('yoursecretcode'));
app.use(session(
{
secret: 'x',
store: new redisStore({
port: 6379,
client: client
}),
saveUninitialized: true, // don't create session until something stored,
resave: false // don't save session if unmodified
}
));
app.use(bodyParser.urlencoded({ extended: true}));
app.use(bodyParser.json());
app.set('trust proxy', 1) // trust first proxy
So as you've seen my setup, you know I'm using express sessions and Redis. Below is where I'm setting the session values! If I print out the session values here it works, but then If I try and access the session data in another route it returns undefined.
Routes
I send a http post request and set the session data:
router.route('/login/').post(function(req, res) {
req.session.userId = req.body.uId;
req.session.name = req.body.uName;
// THIS PRINTS OUT IF I TRY AND ACCESS THE SESSION DATA HERE
console.log("THIS PRINTS OUT --> " + req.session.name);
});
So now that the session values have been set, I can go access them right, no, I get undefined each time I try and log them out.
router.route('/user/printoutuserdetails').post(function(req, res) {
// THESE RETURN UNDEFINED
console.log(req.session.userId);
console.log(req.session.uName);
console.log("THIS PRINTS OUT --> " + req.session.name);
});
Does anyone have any idea what's happening? I've tried everything and looked everywhere and can't seem to find a way to get it to work!
Solved:
The reason this wasn't was because you're not suppose to use sessions when using a RESTFUL api.
I use express and express-session middleware to build a website, with session enabled. But some url such as /health-check' and/version-checkdo not need session, especially the/health-check`, which will generate a lot of useless session in db(the project use mongodb).I believe there is a good solution to solve the problem.
The following is a snippets of the session:
var session = require('express-session'),
passport = require('passport');
var app = express();
//other middleware.
// Express MongoDB session storage
app.use(session({
saveUninitialized: true,
resave: true,
secret: config.sessionSecret,
cookie: { maxAge: 2628000000 },
store: new mongoStore({
db: db.connection.db,
collection: config.sessionCollection
})
}));
// use passport session
app.use(passport.initialize());
app.use(passport.session());
//...
I suggest to create own middleware function and put there your session middleware as function, but with conditions e.g:
app.use(function(req, res, next){
if(...some condition...){//for example check url
//do something or nothing
next();//very important or request will freeze
} else {//otherwise run session
session({your options})(req, res, next);
}
});
instead your app.use(session())
in one custom middleware you can put any other middleware to add conditions. But when you want to wrap more then one middleware to single custom middleware be careful on 'next'. It can be use only once in middleware (multiple middlewares use use it multiple time). Then you have to create your own callback 'next'.
I set up session management in my node js/ express js website successfully. I stores session data in mongo db. I want the session to be valid for the users who log in for a couple of weeks. The code is as follows:
var cookieParser = require('cookie-parser');
var session = require('express-session');
var MongoStore = require('connect-mongo')(session);
app.use(cookieParser());
app.use(session({
store: new MongoStore({ mongoose_connection: db }),
secret: 'cookie_secret',
cookie: { maxAge: null }
}));
It works fine for normal users, but my problem is with web crawlers such as google bots and facebook bots. I still want them to crawl my website but I don't want their sessions to be stored in my mongo db. It's taking up lots of space and storage is increasing daily which costs me money.
How to selectively choose which sessions to be stored in the db. I can check for req.headers['user-agent'], but where to use it in my code? How to tell express-session not to store session sometimes?
You can use the session middleware conditionally, based on the User-Agent header. A simple example:
var sessionMiddleware = require('express-session')({
...configuration here...
});
app.use(function(req, res, next) {
var ua = req.get('user-agent');
// If the User-Agent header contains the string "Googlebot",
// skip the session middleware.
if (/Googlebot/.test(ua)) {
req.session = {}; // perhaps a bit too simple?
return next();
}
return sessionMiddleware(req, res, next);
});
It would depend on your actual use of req.session if the code above works, or if you need to mock req.session a bit better (for instance, if you use any of the req.session methods in your code,
you may need to mock those too).