I'm in the process of creating an authentication based web app. It works fine when only one session is running, but if a user on another session is logged in, it carries through to all sessions allowing everyone to see that user's information and use their permissions.

I've determined that this is because I handle all of my authentication backend from this post: Firebase Auth : User session carried to different browser

But I'd like to know whether there are any fixes without having to handle anything client-side. The post above doesn't give any fixes or advice.

This is the sign in route:

app.post('/postSignIn', function(req, res) {
  console.log(req.body);
  let password = req.body.password;
  let email = req.body.email;
  // This is the client SDK running inside the server process, so
  // firebase.auth().currentUser is a single value shared by every request.
  let user = firebase.auth().currentUser;
  if (user) {
    //TODO: Show user info is correct and redirect
    let success = "You're already logged in!";
    res.render('login', {
      success: success
    });
  } else {
    firebase.auth().signInWithEmailAndPassword(email, password)
      .then(function(userCredential) {
        // Sign-in succeeded; the SDK now reports this user as currentUser
        let success = "You're logged in!";
        res.render('login', {
          success: success
        });
      })
      .catch(function(error) {
        var errorCode = error.code;
        var errorMessage = error.message;
        console.log(errorMessage);
        res.render('login', {
          error: errorMessage
        });
      });
  }
});

And here is an example of how the auth states are checked:

app.get('/makeThing', function(req, res) {
  // Same process-wide currentUser as above: true for every request once anyone has signed in
  if (firebase.auth().currentUser) {
    res.render('makeThing');
  } else {
    res.render('things', {
      error: 'Login first.',
      things: things,
    });
  }
});

I thought this would handle different sessions, but it doesn't and firebase.auth().currentUser is remembered for all sessions, so if one user is logged in, all other sessions are logged into their account. It would be great if someone could describe either a front end or backend solution including a fix using something like Passport or Auth0.

The app is also being hosted on Heroku, so any fixes through there, such as running a different instance per user, would be appreciated as well.

Aero

1 Answer

If anyone is having the same problem, use cookies! After researching for a while I determined that it was the best solution.

This overflow page does a good job of explaining how to use them. How to set cookie in node js using express framework?

This works because cookies are handled client side. I would recommend setting the cookies on log in and checking the current auth state through them instead of the Firebase current user functions. It worked for me!

Aero