🔒 Closed req.isAuthenticated() in passport-local returns false

[_iamkurt]

I hope someone can shed some light on my situation. The req.isAuthenticated() always returns false, after being called in an app.router endpoint, via fetch API. It appears, the connect.sid was not successfully passed on req arg when I do req.isAuthenticated()

Here is my current setup.

Login Route, which authenticates username and password, and returns connect.sid via cookie value.

const E×ρréšš           = require('E×ρréšš')
const router            = E×ρréšš.Router()
const passport          = require('passport')
...
router.post( '/authenticate', passport.authenticate('local'), ( req, res, next ) => {
    res.status( 200 ).json({
        'response': 'Welcome User',
        'redirect' : '/dashboard'
    })
})
...
module.exports = router

At this point, my Users Route should be able to access the protected route. which simply returns all users on the database.

const E×ρréšš           = require('E×ρréšš')
const router            = E×ρréšš.Router()
const SimpleCmsUsers    = require('../models/Users.models.js')
const authPassportLocal = require('../passport/auth.PassportLocal.js')
...
router.get( '/', authPassportLocal ,( req, res, next ) => {
    console.log( req.headers )
    console.log( req.body )

    SimpleCmsUsers
    .find({})
    .then(( users ) => {
        return res.status( 200 ).json( users )
    })
    .catch(( error ) => {
        return res.status( 403 ).json( error )
    })
})
...
module.exports = router

My auth.PassportLocal.js which checks the value of req.isAuthenticated()

const authPassportLocal = ( req, res, next ) => {
    console.log( req.headers ) // I do not see session has been passed on my request
    console.log( req.body )    // empty
    console.log('isAuthenticated', req.isAuthenticated() ) // log if isAuthenticated returns true.
    if ( req.isAuthenticated() ) {
         return next()
    }
    return res.redirect('/dashboard/login/index')
}
....
module.exports = authPassportLocal

Now, when I call /dashboard/users the via fetch API

fetch( '/dashboard/users' , {
    headers :{
        'Content-Type' : 'application/x-www-form-urlencoded'
    },
    credentials: 'include',
})
.then(( response ) => response.json())
.then(( users ) => console.log( users ))
.catch(( error ) => console.log( error ))

this returns isAuthenticated false, I tried to view the headers received from, /dashboard/users, however, I do not see any cookies passed on my request.

Here is my index.js

const E×ρréšš           = require('E×ρréšš')
const session           = require('E×ρréšš-session')
const flash             = require('E×ρréšš-flash')
const cors              = require('cors')
const passport          = require('passport')
const LocalStrategy     = require('passport-local').Strategy
const Users             = require('./routes/Users.routes.js')
const Login             = require('./routes/Login.routes')
const SimpleCmsUsers    = require('./models/Users.models.js')
const app               = E×ρréšš()

app.use( E×ρréšš.json() )
app.use( E×ρréšš.urlencoded({ extended: true }) )
app.use( cors({
     origin: ['http://localhost:3001', 'http://localhost:3000'],
     credentials: true
}) )
app.use( flash() )
app.use( session({
    secret: 'EUE7J3lUE01xhmCGQt04S8PbsMpUE5JDcQj0fyS0cy73PQVDLM',      
    resave: true,
    saveUninitialized: true
}))
app.use( passport.initialize() )
app.use( passport.session() )

passport.use( new LocalStrategy(
    {
        // passport-local option here ...
    },
    ( username, password, done ) => {
        try {
            SimpleCmsUsers.find({ user_username : username, user_password : password }, function ( err, docs ) {
                if ( !docs.length ) {
                    return done( null, false, { message: "User not found!" } )
                }
                return done( null, username )
            })
        }
        catch( error ) {
            return done( null, false, { message: error } )
        }
    }
))
passport.serializeUser(function( user, done ) {
    done( null, user );
})
passport.deserializeUser(function( user, done ) {
    done( null, user );
})

app.use('/dashboard/users', Users)
app.use('/dashboard/login', Login)

app.listen( PORT, () => console.log("E×ρréšš JS is on port " + PORT) )

What bothers me most, these current setup works on Postman without this type of challenge. It just I can not see what went wrong, why fetch API cannot pass the cookie value from connect.sid

Any help or guide where to isolate this behavior better are highly appreciated.

Update:

npm run start // for react dev server running in port 3000
nodemon api/v1/index.js // for E×ρréšš api running in port 3001

Ito yung fetch API request, made in (You do not have permission to view the full content of this post. Log in or register now.')

:
url /
headers {
  host: 'localhost:3001',
  connection: 'keep-alive',
  pragma: 'no-cache',
  'cache-control': 'no-cache',
  'sec-fetch-dest': 'empty',
  'user-agent': 'Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.87 Safari/537.36',
  dnt: '1',
  'content-type': 'application/x-www-form-urlencoded',
  accept: '*/*',
  origin: 'http://localhost:3000',
  'sec-fetch-site': 'same-site',
  'sec-fetch-mode': 'cors',
  referer: 'http://localhost:3000/dashboard/users',
  'accept-encoding': 'gzip, deflate, br',
  'accept-language': 'en-US,en;q=0.9,fil;q=0.8',
  cookie: 'connect.sid=s%3AJEG3MNSqtl33KqmHR2DhGlslnlkMKIPT.xsI%2F%2B82%2F1x8zTlq%2BkRN6aJVVbrauH8qv8jDhsrvNlbY'
}
body {}
user undefined
session Session {
  cookie: { path: '/', _expires: null, originalMaxAge: null, httpOnly: true }
}
isAuthenticated false

Sa Postman (You do not have permission to view the full content of this post. Log in or register now.'):

url /
headers {
  'content-type': 'application/x-www-form-urlencoded',
  'user-agent': 'PostmanRuntime/7.22.0',
  accept: '*/*',
  'cache-control': 'no-cache',
  'postman-token': '443a064e-7909-43db-9783-79a6ba8bd4c5',
  host: 'localhost:3001',
  'accept-encoding': 'gzip, deflate, br',
  cookie: 'connect.sid=s%3AsvbYi_oxm4yqXTTa7S-N-3qAT6BdW5-u.QYFAXzayArpV1%2BDbjnwJ3fMMjpLzkM%2Fr9kIUCUCYscY',
  connection: 'keep-alive'
}
body {}
user username
session Session {
  cookie: { path: '/', _expires: null, originalMaxAge: null, httpOnly: true },
  passport: { user: 'username' }
}
isAuthenticated true

TA

 

[Impostor Syndrome]

Nagawa mo na to?

fetch(url, { credentials: 'include' })

By default hindi nagsesend ng cookies ang Fetch API, so you have to explicitly define it.

 

[_iamkurt]

Nagawa mo na to?

fetch(url, { credentials: 'include' })

By default hindi nagsesend ng cookies ang Fetch API, so you have to explicitly define it.

Hello maskhäçk , Salamat sa feedback.

Ou tol, nilagyan ko na. Kaso, hindi ko ma intendihan kung saan meron bug sa code. What make the matter worst, API endpoints working sa Postman pero ayaw sa fetch API.

Tried axios instead, with

axios.get( CONFIG.URL_API.USERS, { withCredentials: true })
then(function (res) { console.log(res) })

Almost 1 week ko na itong challenge sa personal project ko, I hope peron maka tulong

 

[Impostor Syndrome]

Even axios, hindi siya working?

 

[_iamkurt]

Even axios, hindi siya working?

Ou tol, hindi parin working. Meron ka other way around to isolate the root cause?

 

[Impostor Syndrome]

Tanggalin mo muna yung cors middleware mo. Then palitan mo yung fetch api {credentials: 'include'} to 'same-origin'. Try with postman as well.

It's been a while na humawak ako ng code about cookie base authentication, so bear with me.

 

[Impostor Syndrome]

Okay everything is clear now for me.

Why working siya sa POSTMAN?
- Kase testing tool lang ang postman and hindi niya talaga sina-simulate yung web browser xhr with origin policy which by default naka disabled for security sa web browser. Kaya kapag gumamit kana ng fetch or axios hindi na siya pwede kase bina-block yun ng cors.

Solution:
- gawa ka lang ng middleware para sa every request i-append yung header for cors. then same config sa fetch api {credentials: 'include' } if not 'same-origin'

app.use((req, res, next) => {
    res.header('Access-Control-Allow-Credentials', true);
    res.header('Access-Control-Allow-Origin', req.headers.origin);
    res.header('Access-Control-Allow-Headers',
           'X-Requested-With, X-HTTP-Method-Override, Content-Type, Accept');
    
    if ('OPTIONS' === req.method) {
        res.header('Access-Control-Allow-Methods', 'GET, PUT, POST, ρá†ch, DELETE');
           res.send(200);
     } else {
           next();
     }
})

 

[Mbite]

Okay everything is clear now for me.

Why working siya sa POSTMAN?
- Kase testing tool lang ang postman and hindi niya talaga sina-simulate yung web browser xhr with origin policy which by default naka disabled for security sa web browser. Kaya kapag gumamit kana ng fetch or axios hindi na siya pwede kase bina-block yun ng cors.

Solution:
- gawa ka lang ng middleware para sa every request i-append yung header for cors. then same config sa fetch api {credentials: 'include' } if not 'same-origin'

app.use((req, res, next) => {
    res.header('Access-Control-Allow-Credentials', true);
    res.header('Access-Control-Allow-Origin', req.headers.origin);
    res.header('Access-Control-Allow-Headers',
           'X-Requested-With, X-HTTP-Method-Override, Content-Type, Accept');
    
    if ('OPTIONS' === req.method) {
        res.header('Access-Control-Allow-Methods', 'GET, PUT, POST, ρá†ch, DELETE');
           res.send(200);
     } else {
           next();
     }
})

HI I'm having a similar problem how can you help