
I have an API (Node.js + Express) running on Azure Web App Service and a frontend (Nuxt.js) running locally and on Cloudflare. My auth flow uses Passport.js LocalStrategy and worked fine when I developed it and ran the API locally. Now that I have deployed the API on Azure App Service, my frontend always gets a 401 Not Authorized response. I am pretty sure it is not an issue with the frontend Nuxt app, since the problem occurs only when trying to use the Azure-hosted API.

I am using express-session with a postgres database to store session information.

```javascript
const session = require('express-session');
const { Pool } = require('pg');
const PgSession = require('connect-pg-simple')(session);

const sessionPool = new Pool(); // if this becomes problematic consider sessionPool.end() in logout
auth.use(session({
    resave: false,
    saveUninitialized: true,
    secret: process.env.SESSION_SECRET,
    cookie: { maxAge: 1000 * 60 * 60 * 24 }, // one day

    store: new PgSession({
        // note: this key is passed to the store, not to the cookie;
        // express-session reads the attribute from cookie.sameSite instead
        SameSite: 'none',
        pool: sessionPool,
        tableName: 'session'
    }),
}));
```

Everything seems to work right at first. The user credentials get sent to the backend, they are run against the database and if they match an existing user it creates a session and CLAIMS to send the user info in the response. (some of) the cookies exist on the front end, but it seems like some are missing. When running the application locally the front end stores 5 cookies but in production it only seems to store 3. All api calls that require authorization return 401 not authorized even though the client seems to have the right information and the backend shows they have a live session (I can see the session data in the db table).

```javascript
// req.isAuthenticated() always returns false on the Azure web app, but true when run locally
auth.get("/user", async (req, res) => {
    try {
        if (req.isAuthenticated()) {
            res.json({ user: req.user });
        } else {
            console.log("User not authenticated");
            res.sendStatus(401);
        }
    } catch (err) {
        console.log(err);
        res.sendStatus(500);
    }
});
```

I believe it is an issue with Azure App Service blocking my authorization flow. The App Service is using the Node 16 runtime and Windows OS (so it's using iisnode). Anyone have any insight?

  • No, there's no issue with Azure App Service. You are making some mistake. Code that works on localhost does not always work on servers; they are different environments. Try configuring everything correctly, including checking environment variables, database config, etc. – Jone Polvora Mar 31 '22 at 10:18
  • Hey @Matthew Davis! Has it solved your problem? Else you can share more details so I can troubleshoot. – PunitSharma May 17 '22 at 05:51

1 Answer


Azure App Service is a reverse proxy, meaning client details aren't going to be as expected from a typical request. For example, the client IP address is available from the `x-forwarded-for` header instead.

You need to tell express that your app is running behind a proxy:

```javascript
app.set("trust proxy", 1);
```

and at the same time, you should explicitly define the cookie domain and make sure `httpOnly` is enabled, to help prevent session theft from XSS attacks.

```javascript
cookie: {
    domain: 'my.website.com',
    httpOnly: true,
    maxAge: 24 * 3600000, // 24 hours
}
```

Learn more about running express behind a proxy.

Crayons
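The settings from the answer carried through to the situation in the question (a Nuxt frontend on one site calling an Express API on Azure, so the session cookie is cross-site and sent through a TLS-terminating proxy), as an added example that is not code from the question, the answer or Azure's documentation. It assumes a hypothetical cookie domain `api.example.com` and takes the Express app and the `express-session` module as parameters so it runs without npm packages.

```javascript
// Added example: express-session options for an API behind a reverse proxy
// with a frontend on another site, plus an audit of the cookie settings that
// make the session cookie silently disappear in the browser.

const ONE_DAY_MS = 24 * 60 * 60 * 1000;

function buildSessionOptions({ secret, domain, store }) {
  return {
    secret,
    resave: false,
    saveUninitialized: false,   // no session row until the user logs in
    store,                      // e.g. a connect-pg-simple store instance
    cookie: {
      domain,                   // 'api.example.com' is an assumed placeholder
      httpOnly: true,           // not readable from document.cookie
      secure: true,             // only sent over HTTPS
      sameSite: 'none',         // frontend and API are on different sites
      maxAge: ONE_DAY_MS,
    },
  };
}

// Returns the problems with a cookie config as an array of strings; an empty
// array means the cookie should reach, and be kept by, the browser.
// trustProxy: whether app.set('trust proxy', ...) has been called.
function auditCookieOptions(cookie, { trustProxy = false } = {}) {
  const problems = [];
  const sameSite = String(cookie.sameSite || '').toLowerCase();
  if (cookie.httpOnly === false)
    problems.push('httpOnly is off: cookie readable by injected scripts');
  if (sameSite === 'none' && cookie.secure !== true)
    problems.push('SameSite=None without Secure: browsers drop the cookie');
  if (sameSite !== 'none')
    problems.push('sameSite is not none: cookie not sent on cross-site fetch/XHR');
  if (cookie.secure === true && !trustProxy)
    problems.push('secure without trust proxy: req.secure is false behind the proxy, so express-session never sets the cookie');
  return problems;
}

// Wire it up. `session` is the express-session module and `app` the Express
// app; both are injected so this file stays free of npm dependencies.
function attachSession(app, session, options) {
  app.set('trust proxy', 1);      // trust the X-Forwarded-* headers of the first hop
  app.use(session(options));
  return app;
}
```

Running `auditCookieOptions` on the question's `cookie: { maxAge: ... }` reports the missing `sameSite: 'none'`, which is why the login works from localhost (same site) but not from the deployed frontend.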