axios : How exactly to preserve session after successful authorization and send with subsequent request - while testing without browser

Question

In this test case am sending an axios post request with userId and password to ExpressJS server running with passportjs local. Server respond with status code 200, and send appropriate header with set-cookie.

I need subsequent request to be treated as authorized request, for that tried following options, but none seems to be working. It getting rejected with status code 401.

First call with userid and password, responded with status 200

const userDoc = {
    userId: 'test-user-1',
    userName: 'Test User 1',
    emailId: 'test.user.1@abc.xom',
    password: 'test-password'
} ;

let resp

resp = await axios({method : 'post', url : 'http://localhost:4040/auth/local', data : {userId: userDoc.userId, password: userDoc.password },withCredentials: true   })

following options are used to send next request

1. send cookies received as part of 1st request

    const headers = { headers : {Cookie: resp.headers['set-cookie'][0] } };
   

2. send header as it is received as part of 1st request

    const headers = { headers : resp.headers};
   

3. send withCredentials: true along with above headers.

Second call is made with either of above option

resp = await axios({method : 'post', url : 'http://localhost:4040/v1/master/account', data : accountDoc , headers, withCredentials: true})

4. used httpAgent, keepAlive with axios instance

const axios = require('axios')
const http = require("http")
const httpAgent = new http.Agent({keepAlive : true , timeout :1000})
const instance = axios.create({httpAgent})

const resp1 = await instance({method : 'post', url : 'http://localhost:4040/auth/local', data : {userId: userDoc.userId, password: userDoc.password, } , withCredentials: true })

const resp2 = await instance({method : 'post', url : 'http://localhost:4040/v1/master/account', data : accountDoc , withCredentials: true })

Rejected with status code 401

--   Error: Request failed with status code 401
at createError (/home/Projects/FinAccounts2003/node_modules/axios/lib/core/createError.js:16:15)
at settle (/home/Projects/FinAccounts2003/node_modules/axios/lib/core/settle.js:17:12)
at IncomingMessage.handleStreamEnd (/home/Projects/FinAccounts2003/node_modules/axios/lib/adapters/http.js:269:11)
at IncomingMessage.emit (events.js:412:35)
at endReadableNT (internal/streams/readable.js:1334:12)
at processTicksAndRejections (internal/process/task_queues.js:82:21)

Server code is standard passport-js local code, which working well with browser.

It may be duplicate of some of the questions, solutions given are 1) withCredentials: true, already tried above 2) Authorization: Bearer ${token} - not applicable in this case, in passport js, cookie is directly set, and not getting token.

Answer 1

One solution that worked for me was using the modules tough-cookie and axios-cookiejar-support. I combined them in a persistent-client.js file, and then I was able to maintain the session between requests (commonJS):

const axios = require('axios').default;
const { CookieJar } = require('tough-cookie');
const { wrapper } = require('axios-cookiejar-support');

module.exports = function () {
    const jar = new CookieJar();

    const client = wrapper(axios.create({ jar }));

    return client;
}

Answer 2

There are two different ways to send the session authorization token from the server to the client (web browser)

1. Via (HttpOnly) response headers.
2. Via the response body.

And there are two different ways to authorize client requests (send the session token from the web browser to the server.)

A. Automatic: HttpOnly headers

B. Manual: Authorization: Bearer [TOKEN]

Usually method 1 is used with method A, and method 2 is used with method B. I think you are mixing them up.

If the server is using Set-Cookie to send the session token, then I think the browser automatically sends the session token automatically on all future requests (to the same domain).

Can you confirm what the actual contents of the set-cookie header are from the server? Note you will probably not be able to check this via JS if these are HttpOnly cookies; inspect the dev console "Network" tab. You can also check to see if any new cookies were set from the "Application" tab.

If the client does actually need to manually send the token via headers, the header needs to fit a specific Authorization cookie format. (Which you are not doing. You are simply echoing the headers received from the server.)

See my response to a similar question.

Answer 3

I don't believe you should be using any third party packages for this, especially not if they're directly accessing the cookies using javascript (which is an XSS security vulnerability). Cookies should be set using secure and http-only and never be accessed using Document.cookie directly.

• Make sure that passport is actually setting your cookie and that you're correctly sending back the cookie on the login. Verify that it's been set in your browser.

• Make sure that you have CORS enabled in express, that you've specified the domain you're making requests from and that you've enabled credentials in CORS.

• Make sure that you're using withCredentials on your axios requests.

• Make sure that you've set the cookie using the correct domain and path.