I am currently trying to set up an oauth service for my current project. Being new to all this, I have read many articles on the subject, but I am still missing some pieces.

My environment is:

  • servers: node, express, passport
  • authentication: local strategy (using my own accounts / passwords)
  • I have a database with user/password (passwords run through bcrypt)
  • web interface: react, server accesses through superagent

On my nodejs server, I am using these modules:

  • express
  • express-session
  • express-mysql-session
  • passport
  • passport-local
  • bcrypt

Different parts of the solutions are working: I can create new users, create new sessions, see their content in the express-mysql-session database.

However, I am quite confused about the following:

  1. when my web client tries to access protected routes, I don't seem to be getting any cookie in the request. Is it that superagent will not send my passport cookie by default? I read somewhere that in single page apps, JWT might be more appropriate; is that linked to this problem?

  2. despite all I read, I am still confused about deserializeUser. My understanding is that with the passport-local solution, upon access, the web client will send the session cookie, which contains the session Id. Passport will fetch further information concerning this session from database, and then continue to handle the request. Does this session info retrieval happen automatically (in express-mysql-session?)? Or do you have to "manually" do it in deserializeUser (many examples show a User.findById call in there)? If you have to do it "manually", it means that you have to access the express-mysql-session db using another connection than the one this module is using?

  3. to log out, is req.logout() enough to ensure the session is erased from the session db entirely?


1 Answer

Answers I found so far:

  1. One has to add the withCredentials method to superagent, to get it to send authentication cookies:
    const res = await superagent
      .get(url)
      .withCredentials();

On the CORS side of things, on the server, the 'credentials' option is required if using the 'cors' npm module, for instance:

app.use(cors({
  // an explicit origin list is required: browsers reject credentialed responses that use '*'
  origin: ['http://localhost:3003'],
  methods: 'GET,HEAD,PUT,PATCH,POST,DELETE',
  // sets Access-Control-Allow-Credentials so the session cookie is accepted cross-origin
  credentials: true,
}));
  2. All session information is automatically retrieved by these modules. However, many examples show this call going back to the user database to get more information (rights, other info). The goal is to avoid having the same information in two locations (sessions db, and user profiles db), and having these get out of sync (when an account gets closed etc.)

  3. req.logout() disconnects the session, but the session information sticks around in the database. The following question put me on the right track: "how to delete cookie on logout in express + passport js?". You need to use req.logout, req.session.destroy, and while you're at it res.clearCookie to delete the client cookie:

router.post('/logout/', (req, res, next) => {
  // passport 0.6+ API (older versions used a synchronous req.logout() with no callback)
  req.logout((err) => {
    if (err) return next(err);
    // remove the session row from the store (express-mysql-session here) before
    // answering, so the response does not re-save the session behind our back
    req.session.destroy((destroyErr) => {
      if (destroyErr) return next(destroyErr);
      // these options must match the ones the session cookie was set with,
      // otherwise the browser keeps the old cookie
      res.clearCookie('connect.sid', {
        path: '/',
        secure: false,
        httpOnly: false,
        domain: 'place.your.domain.name.here.com',
        sameSite: true,
      });
      res.status(200).end();
    });
  });
});

Session is disconnected, database cleaned, cookie gone.