
I have a problem saving data to the Express Session middleware. I am using a Vue.js frontend to communicate with the server which is running at localhost:8080. The server runs on localhost:3002.

I suspect that the interaction between the Vue app and the server may be the source of the problem as I have tried tests with a bare bones Express app that serves HTML as simple template literals and req.session.save() works fine.

Here is my code.

vue.config.js

module.exports = {
  "transpileDependencies": [
    "vuetify"
  ],
  devServer: {
    "https": true
  }
}

index.js (Express server)

const corsOptions = {
  origin: 'https://localhost:8080', // Have tried with and without these options 
  credentials: true,
};
app.use(cors(corsOptions));

// Set up app to use session 
let sess = {
  secret: 'What secret?', 
  resave: false, // Tried true
  saveUninitialized: false, // Tried true
  cookie: {secure: process.env.NODE_ENV=="prod",httpOnly: false}, // Tried true  
  store: MongoStore.create({ mongoUrl: process.env.DB_URL, 
    ttl: 14 * 24 * 60 * 60  }) // = 14 days. Default 
}

app.use(session(sess));

Login route where data is being set to the session.

app.post('/api/login', async (req, res) => {
  ...
  request(options, function (error, response) {
    if (error) throw new Error(error)
    let fm_res = JSON.parse(response.body)
    req.session.FM_TOKEN = fm_res.response.token
    req.session.save()
    console.log('TOKEN STORED IN SESSION :: ', req.session) // token present in session here
    res.json({message: 'Token saved in session...', status: 200})
  });
});

Separate route where token is not accessible.

// CHECK AUTH
app.post('/api/token_auth', async (req, res) => {
  let authToken = req.session.FM_TOKEN
  console.log('TOKEN FROM SESSION : ', authToken) // undefined
  ....

});

I have researched and tried various solutions suggested here on SO, but nothing I have found in any of the answers has worked. Can anyone point me in the right direction to solve this one, as I am out of ideas? Thanks in advance.

UPDATE

I have tested the above endpoints with Postman and they work, i.e. /api/token_auth has access to the token saved on the session. So, it appears the problem might be connected to the fact that my frontend is not using https but http to make these calls.

I have tried using the httpOnly: false setting in session.cookie as suggested in this SO answer, but it still doesn't work. I am out of ideas.

Does anyone know how the https requirement can be circumvented for development purposes?

mikeym