How to use Sessions for authentification in Node.js

Question

I've been trying to make an authentification system with Node.js for a small web app.

So far I've made a login route :

app.post('/login', async function(req, res) {
    let login = req.body.login;
    let password = req.body.password;

    let userId = await databaseUsers.verifyUser(login, password);

    if(userId != null) {
        req.session.userId = userId;
    }

    res.send(userId != null);
});

Then I created a protected route :

app.get('/homepage', requiresLogin, function(req, res) {
    res.sendFile(__dirname + '/client/homepage.html');
});

And a function that checks if the user is logged :

function requiresLogin(req, res, next) {
    if (req.session.userId) {
        next();
    } 
    else {
        res.send('You must be logged in to view this page.');
    }
}

Client-side, i'm using only JS, with the fetch API :

let url = "/login";
let headers = new Headers({
    "Content-Type": "application/json"
});
let init = {    
    method: 'POST',
    headers: headers,
    cache: 'default',
    body: JSON.stringify({'login': user.login, 'password': user.password})
};

let verif = await fetch(url, init);

Now when I log myself in, the server stores in the session the user's ID.

But when trying to reach /homepage, i get the 'not connected' error.

I could use a global variable to store the session but therefor multi-user would no longer be an option.

I also thought using cookies, like when the user successfully logs in, the server sends him a cookie.

But then how to handle the user's accesses to the pages ?

const session = require('express-session'); I used this line, if that's what you mean, — Steeven Diard, Mar 27 '18 at 13:23
`I also thought using cookies, like when the user successfully logs in, the server sends him a cookie` thats exactly was express session does :) — Jonas Wilms, Mar 27 '18 at 13:23
So the current code should send a cookie to the client if I'm correct ? — Steeven Diard, Mar 27 '18 at 13:25
app.use(session({ secret: 'work hard' })); I've set things up this way — Steeven Diard, Mar 27 '18 at 13:25
This is the beggining of my server file : ////////////////// // STATIC FILES // ////////////////// app.use(express.static(path.join(__dirname, 'client/'))); ///////////////// // BODY-PARSER // ///////////////// app.use(bodyParser.json()); ///////////// // SESSION // ///////////// app.use(session({ secret: 'work hard', resave: true, saveUninitialized: false })); — Steeven Diard, Mar 27 '18 at 13:30
It returns the mongoDb ID of the object which I checked is not null — Steeven Diard, Mar 27 '18 at 13:34
I just need to ask, the line _req.session.userID_ is enough to send the user a cookie ? If so, I checked in the brower, I don't have any new cookie after getting logged in — Steeven Diard, Mar 27 '18 at 13:36
yes it is. express-session reflects the data to the storage automatically. And well you actually found the problem yourself. `fetch` does not store cookies by default :) — Jonas Wilms, Mar 27 '18 at 14:05

How to use Sessions for authentification in Node.js

0 Answers0