
I'm trying to create a cookie session to authenticate users in my routes. When the user logs in, I set the session:

router.post('/login', (req, res, next) => {
    // Look up the user by email and hashed password; .lean() returns a plain object
    model.User.findOne({
        email: req.body.email,
        password: hash(req.body.password)
    }).lean().exec().then(
        user => {
            if (!user) {
                return res.status(401).send({message: 'Invalid email and/or password'});
            }
            // Store the user on the session; the session middleware sets the cookie on this response
            req.session.user = user;
            req.session.authorized = true;
            console.log(req.session);
            return res.send({token: createJWT(user)});
        }
    ).catch(next);
});

That console.log shows the session correctly, but then when I try to authenticate my routes:

const {Router} = require('express');
const winston = require('winston');

module.exports = router => {
    winston.info('Loading public-api...');
    router.use('/', require('cors')(), require('./public-api')(Router()));

    router.use('/api', require('cors')(), require('./api')(Router().use(global.app.security.authorize())));

    router.use('/auth', require('cors')(), require('./auth')(Router()));
};

then the authorize service:

module.exports = () =>
    (req, res, next) => {
        console.log(req.session);
        if (req.session.authorized) {
            req.user = req.session.user;
            return next();
        }
        // Without this the request hangs: neither next() nor a response was sent
        return res.status(401).send({message: 'Not authenticated'});
    };

Here req.session is empty.

Edit: I think I know where the error comes from. My server is hosted on localhost:6000 but the client on localhost:3000. How can I make it work?

Nicolas Albarracin
  • What do you mean the client is at 3000 while the server is at 6000? – Horia Coman Aug 11 '18 at 22:26
  • Different ports, different applications. I have a React.js application making the request to this server and I can't seem to find why the session is not getting saved. – Nicolas Albarracin Aug 11 '18 at 22:32
  • Who sets the session cookie? What domain does it have? By default cookies are not cross-domain. You need a lot of cors machinery to make it work. – Horia Coman Aug 11 '18 at 22:37
  • I'm a bit new to this, didn't know that. Maybe my approach is bad; what I want to do is authenticate my routes, so only certain users are allowed to access them. – Nicolas Albarracin Aug 11 '18 at 22:48
  • You can definitely configure cors to allow cross-domain cookies. Check access-control-allow-credentials and the credentials option to the fetch API. Otoh, you're probably overengineering stuff by having two services from the outset. Try with a single one, which does both rendering and APIs. – Horia Coman Aug 12 '18 at 10:06
  • @NicolasAlbarracin do you need more help with your issue? if my answer didn't help you, you are probably setting the session wrong. Could you post your session config code so we can have a look? – c-chavez Sep 21 '18 at 20:42
  • Were you ever able to solve this? @NicolasAlbarracin – Aniket Kariya Apr 28 '21 at 14:11

1 Answer


If both apps run on different servers (different host or ports), you can set a proxy in your client app towards your server app, so that the client app runs on the same server as your server app. This way requests will be made within the same server (host and port).

package.json in the client app:

"proxy": "http://localhost:6000"
c-chavez
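The other route the comments point at, keeping the client on localhost:3000 and the API on localhost:6000 and letting CORS carry the session cookie (Access-Control-Allow-Credentials on the server, the credentials option on fetch), written out as an added example that is not part of the question or the answer. It assumes the React app is served from http://localhost:3000 and uses only Node core, so it stands in for the cors package rather than configuring it.

```javascript
// Added example, not from the question or answer. Assumed: the React client is
// served from http://localhost:3000 and the API runs on localhost:6000.
const ALLOWED_ORIGINS = new Set(['http://localhost:3000']);

// Headers for a credentialed cross-origin request, or null if the Origin is not
// allowed. A wildcard "*" is never returned: browsers refuse to send or accept
// cookies when Access-Control-Allow-Origin is "*".
function corsHeadersFor(origin) {
  if (!origin || !ALLOWED_ORIGINS.has(origin)) return null;
  return {
    'Access-Control-Allow-Origin': origin,      // echo the exact allowed origin
    'Access-Control-Allow-Credentials': 'true', // lets the browser attach the session cookie
    'Access-Control-Allow-Methods': 'GET,POST,OPTIONS',
    'Access-Control-Allow-Headers': 'Content-Type',
    'Vary': 'Origin',                           // caches must key on Origin
  };
}

// Express-compatible middleware (req, res, next). Preflights (OPTIONS) are answered
// here; disallowed origins get no CORS headers, so the browser blocks the response.
function corsWithCredentials(req, res, next) {
  const headers = corsHeadersFor(req.headers.origin);
  if (headers) {
    for (const [name, value] of Object.entries(headers)) res.setHeader(name, value);
  }
  if (req.method === 'OPTIONS') {
    res.statusCode = headers ? 204 : 403;
    return res.end();
  }
  return next();
}

// Server wiring: mount it before the session middleware and the /api routes, e.g.
//   app.use(corsWithCredentials);
// Client side, the fetch must opt in or the browser never sends the cookie:
//   fetch('http://localhost:6000/api/me', { credentials: 'include' })
// localhost:3000 and localhost:6000 are different origins but the same site, so a
// SameSite=Lax session cookie is still sent once both sides above are in place.
```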