I have started moving an app from React to Sapper. I am new to SSR architecture and want to know what the best way is to store the user session and data.
I am using Firebase for my auth and database. After using the client side firebase API to get the session keys and other user data how would I store the data? I have seen some tutorials making a user.js store, but in the Sapper docs I see it recommends using the session store. So which is better? And what would be the flow from client side to the server side session store?
E.g. If I were to make a login folder under which I have the svelte component and the server side route. Would there be a post "endpoint" that would set the session.user?
It's a bit tricky. I managed to get this working with both client and server using a authentication middleware
https://github.com/itswadesh/sapper-ecommerce/blob/master/src/server.js
The best way I have found so far is using JWT's:
Either get a JWT from a third party (Google, facebook, github) or sign your own.
server.js:
express()
.use(
compression({
threshold: 0
}),
sirv('static', {
dev
}),
cookieParser(),
bodyParser.json({strict: false}),
bodyParser.urlencoded({ extended: false }),
async (req, res, next) => {
const token = req.cookies['AUTH']
const profile = token && !dev ? await getBasicUserInfo(token) : false
return sapper.middleware({
session: () => {
return {
authenticated: !!profile,
profile
}
}
})(req, res, next)
}
)
then with every request just add 'credentials':'include to your requests to the server.
you will have to verify the token on every request but this method makes you app super scalable
Related
I'm must say I'm very new to back end development,
I'm currently working on an exercise project of making a fake money poker website. I use Node.js socket.io/express-session/passport
At first, I mainly used express with a HTTP server listening on one port. Averagely Like this:
const express = require("express")
const app = express()
app.get('/home',connectEnsureLogin.ensureLoggedIn("/loginPage"),function(req, res) {
//console.log(req.user.username+": sessionId: "+req.sessionID);
return res.sendFile( __dirname+"/website/index.html");
}
);
const PORT = process.env.PORT || 5000;
app.listen(PORT, () => console.log("Poker site Server started on ${PORT})")
The website wasn't working very fast. When a client joined a poker table they needed to ask the server every second for new updates on the state of the game so that was a lot of HTTP requests coming into my server. So I decided without much theoretical certitude that it seemed like a good idea: To have the server use socket.io sockets to hand info for clients that are in poker tables, but when they are not in poker tables and are just browsing the site I use a HTTP server to handle their request. Code wise I feel I haven't really managed to do this correctly. My code with Express, express-session, and passport combined makes sure only to hand information to users authenticated. But since The socket.io servers seem totally separate from all the express code, they don't share the same authentication functionality as the express code. So I need to somehow link my express and socket.io code so I can check if a client is authenticated before handing him any info via sockets. here is the system I'm currently using I didn't put all my code but I tried to summarize the essential parts:
const express = require('express');
const app = express();
//i creat the http server that is somehow linked with my express app when this server is listening
//it will call express handling methods.
const http = require('http').Server(app);
const io = require('socket.io')(http);
const path = require("path");
const passport = require("passport");
const connectEnsureLogin = require('connect-ensure-login');
const AccountInfo = require("./AccountInfo").AcccountInfo;
const expressSession = require('express-session')({
secret: process.env.SESSION_SECRET,
resave: false,
saveUninitialized: false
});
//passport setup
passport.use(AccountInfo.createStrategy());
passport.serializeUser(AccountInfo.serializeUser());
passport.deserializeUser(AccountInfo.deserializeUser());
//body parser
app.use(express.json());
app.use(express.urlencoded({ extended: true }));
//Sessions
app.use(expressSession);
//!!!!here is where I connect socket.io with the sessions i found this in another forum.
// thanks to this code I can access the session that a client is using when their socket connects.
io.use(function(socket, next) {
expressSession(socket.request, socket.request.res, next);
});
//so when a clients socket connects i save his socket.id to his session.
io.on('connection',function(socket) {
console.log(`socket.io connected: ${socket.id}`);
// save socket.io socket in the session
socket.request.session.socketio = socket.id;
socket.request.session.save();
});
//once the clients socket is connected directly after the clients sends a HTTP "PUT" request
//and this code answers it.
app.post('/Table/ConnectSocketToTable',Utilities.ensureLoggedIn(),function(req, res)
{
//I retrieve the socket using the socket.id I had saved in the session.
let socket = io.sockets.sockets.get(req.session.socketio);
let player = GetPlayerFromAnyTable(req.user.username);
if(player==null)//the player can't be in two tables at once
{
//since now we are in an express callback, express made sure that the client is indeed
//authenticated with the middle-ware: "Utilities.ensureLoggedIn()" also just before I made sure
//the client is not in another table. So we are good to go we can now link the socket to the table
//and have the client receive all the info about the state of his table
socket.join("table-"+req.session.passport.table);
req.user.socket = socket;
let table = GetTable(req.session.passport.table);
table.sitPlayer(req.user);
}
else
{
//the player is already connected so we just update his socket to a new one
player.requestUnseat=false;
player.account.socket =io.sockets.sockets.get(req.session.socketio);
}
socket.on('chatMessage', function(data,time) {
socket.to("table-"+req.session.passport.table).emit("chatMessage",req.user.username,data,time);
console.log(`send chat message : ${data}`);
});
socket.on('disconnect', function() {
GetTable(req.session.passport.table).requestUnsitUsername(req.user.username);
console.log(req.user.username +" was disconnected so now requesting unsit");
});
console.log("the socket of "+req.user.username+" has being connected to table-"+req.session.passport.table);
return res.sendStatus(200);
});
So for me, the way I'm doing this seems pretty bad since "app.post('/Table/ConnectSocketToTable'...)" and "io.on('connection',...)" are two different request listening functions I feel I should probably just do everything in one.
So should I do all the checks in the "io.on('connection',...)" function and somehow manage to make sure the client is authenticated within the callback of io.on('connection',callback) ?
or should I find a way to make the socket connection happen in the initial HTTP call the client uses to join a table, which is what I initially wanted?
But really I'm kinda lost because I'm telling myself maybe I don't even need Express anymore and I should just use socket.io for everything. I seem to clearly lack the general understanding that would allow me to know what approach I should be going for so any help is welcome. I started doing this self-made exercise to get into server-side development but also if there is any other recommended exercise to start up with back-end development I'm definitely interested in hearing about it.
From random testing I found out how to authenticate to my express session from the socket code you don't actually have to do it in the callback of io.on('connection',callback) you just need to add a few more middleware functions like this:
//connecting express sessions
io.use(function(socket, next) {
expressSession(socket.request, socket.request.res, next);
});
//connecting passport
io.use(function(socket, next) {
passport.initialize()(socket.request, socket.request.res, next);
});
//connecting passport sessions
io.use(function(socket, next) {
passport.session()(socket.request, socket.request.res, next);
});
//check if client is authenticated returns error if authentication failed
io.use((socket, next) => {
console.log("started socket Connection");
if(!socket.request.isAuthenticated&&socket.request.isAuthenticated())
{
socket.request.session.socketio = socket.id;
socket.request.session.save();
console.log("table "+socket.request.session.passport.table);
console.log("user.username "+socket.request.user.username);
console.log(`is authentificated`);
next();
}
else
{
console.log(`failed socket connection`);
next(new Error("unauthorized"));
}
});```
I am using Expressjs and the Auth0 API for authentication and ReactJs for client side.
Because of the limitations of the Auth0 API (spoke with their team) I am sending updated user details to my backend and then using app.set() to be able to use the req.body in another route.
I need to call the app.patch() route automatically after the app.post() route has been hit.
The end goal is that the users data will be updated and shown client side.
const express = require('express');
const cors = require('cors');
const path = require('path');
const app = express();
require('dotenv').config()
const { auth } = require("express-openid-connect");
app.use(express.json());
app.use(cors());
app.use(express.static(path.join(__dirname, 'build')));
app.use(
auth({
issuerBaseURL: process.env.AUTH0_ISSUER_BASE_URL,
baseURL: process.env.BASE_URL,
clientID: process.env.AUTH0_CLIENT_ID,
secret: process.env.SESSION_SECRET,
authRequired: false,
auth0Logout: true,
})
);
app.get('/', async (req, res) => {
res.sendFile(path.join(__dirname, 'build', 'index.html'));
});
app.get('/api', async (req, res) => {
const stripe = require('stripe')(`${process.env.REACT_APP_Stripe_Live}`);
const invoice = await stripe.invoices.list({
limit: 3,
});
res.json(invoice);
});
app.post('/updateuser', (req, ) => {
app.set('data', req.body);
})
app.patch(`https://${process.env.AUTH0_ISSUER_BASE_URL}/api/v2/users/:id`,(req,res) => {
let val = app.get('data');
req.params = {id: val.id};
console.log(req.params);
})
app.listen(process.env.PORT || 8080, () => {
console.log(`Server listening on 8080`);
});
I'd suggest you just take the code from inside of app.patch() and make it into a reusable function. Then it can be called from either the app.patch() route directly or from your other route that wants to do the same funtionality. Just decide what interface for that function will work for both, make it a separate function and then you can call it from both places.
For some reason (which I don't really understand, but seems to happen to lots of people), people forget that the code inside of routes can also be put into functions and shared just like any other Javascript code. I guess people seems to think of a route as a fixed unit by itself and forget that it can still be broken down into components and those components shared with other code.
Warning. On another point. This comment of yours sounds very wrong:
and then using app.set() to be able to use the req.body in another route
req.body belongs to one particular user. app.set() is global to your server (all user's requests access it). So, you're trying to store temporary state for one single user in essentially a global. That means that multiple user's request that happen to be in the process of doing something similar will trounce/overwrite each other's data. Or worse, one user's data will accidentally become some other user's data. You cannot program a multi-user server this way at all.
The usual way around this is to either 1) redesign the process so you don't have to save state on the server (stateless operations are generally better, if possible) or 2) Use a user-specific session (like with express-session) and save the temporary state in the user's session. Then, it is saved separately for each user and one user's state won't overwrite anothers.
If this usage of app.set() was to solve the original problem of executing a .patch() route, then the problem is solved by just calling a shared function and passing the req.body data directly to that shared function. Then, you don't have to stuff it away somewhere so a later route can use it. You just execute the functionality you want and pass it the desired data.
As an exercise in learning NodeJS, I am building a sort of API with ExpressJS that responds to web requests. As of right now, there are three routes in the program, '/login', '/register', and '/changePassword'. All of these methods do not need any sort of token to be processed.
However, every other route I plan to add to the program, (for example, a '/post' route) would require that the user authenticate themselves with a token obtained from a POST request to '/login' with the correct credentials.
TO verify the Token, I have written a middleware function:
module.exports.validateToken = function (req,res,next) {
const token = req.headers['x-access-token']
console.log(`validateToken() - TOKEN: ${token}`)
if (token) {
//Make sure the token is valid[...]
next()
}else {
return res.status(401).send({
message: 'Missing token',
success: false
})
}
}
My question is, how do I apply this middleware to only the routes that would require authentication?
I've thought of just creating another Router object, and calling it like this:
const tokenValidator = require('./util').validate.validateToken
// Router used for any actions that require user-authentication
const authRouter = new app.Router()
authRouter.use(tokenValidator)
But would this interfere at all with my original, authentication free routes?
// Initiate the routes that don't need auth
const routes = require('./routes')(app)
Thanks in advance, I am more of a Java developer, so a lot of the Javascript quirks have left me stumped.
Let's say your middleware is in "./middleware/auth"
I would create a base route for which the middleware should be applied, e.g.
app.use("/private", require("./middleware/auth"));
This will invoke your auth middleware, on any route which starts with '/private'
Thus, any API controller which requires auth should then be defined as:
app.use("/private/foo", require("./controllers/foo"));
Your middlware function will be invoked for any route within /private, before it hits your controller.
And any that do not require your middleware, should simply stay outside of the 'private' api context, e.g.
app.use("/", require("./controllers/somecontroller"));
In Expressjs, every middleware you add, gets added to the middleware stack, i.e. FIFO.
Thus, if you have certain routes, which you'd like to have no authentication, you can simply keep their middlewares above others.
app.use('/', indexRouter);
app.use('/users', usersRouter);
app.use(<<pattern>>, authenticate)
Additionally, you can try using nodejs basic-auth module for authentication
Hope this helps!
I am getting a very frustrating error. When I make the google OAuth request in my local development environment it is working perfectly. (using passport authentication). Pushing to Heroku I am getting a status 200 versus the status 302 I get in development that redirects me to the google oauth login page. The screen is just showing up blank with no errors. I have tried to intentionally put an error with the client ID, but it isn't even registering the request at all.
Log-In
Brings me to a blank screen on heroku, and registers no request at all.
Please Help!
Server-Side Passport:
// .use is generic register
passport.use(
new GoogleStrategy(
{
clientID: keys.googleClientID,
clientSecret: keys.googleClientSecret,
// need url for where user should go on callback after they grant permission to our application on google auth page
callbackURL: "/auth/google/callback",
// have to authorize this callback url in the google oauth console.developors screen because of security reasons
proxy: true // trust the proxy our request runs through so heroku callbacks to the correct url
},
async (accessToken, refreshToken, profile, done) => {
// after authenticated on the next get request to google it will call this with the accessToken, aka callback function
// console.log("access token", accessToken);
// console.log("refresh token", refreshToken);
// console.log("profile", profile);
// check to see if user id already exists before saving it to DB so it does not overlap...mongoose query...asynchronous operation
// using async await
const existingUser = await User.findOne({
googleId: profile.id
});
// get promise response
if (existingUser) {
// already have record
// finish passport auth function
return done(null, existingUser); // passes to serialize user so serialize can pull that user id
}
// we don't have a new record so make one
const user = await new User({
// creates new model instance of user
googleId: profile.id
}).save(); // have to save it to DB
// get promise from save since asynchronize, then finish with response
done(null, user); // passes to serialize user so serialize can get that id
}
)
); // create new instance of GoogleStrategy
Server-Side API:
app.get(
"/auth/google", // passport, attempt to authenticate the user coming in on this route
passport.authenticate("google", {
// google strategy has internal code, that is 'google', so passport will know to find the google passport authenticator
scope: ["profile", "email"] // options object
// specifies to google we want access to this users profile and email information from their account, these are premade strings in the google oauth process not made up
})
);
// in this callback route they are going to have the code, and google will see that and it will handle it differnetly by exchanging the code for an actual profile, it will call the next part of the GoogleStrategy, aka the accessToken to be saved to Database
// #route GET auth/google/callback
// #desc Get callback data from google to redirect user if signed in
// #access Private can only access this after signed in
app.get(
"/auth/google/callback",
passport.authenticate("google"),
// after authenticate process is done, send user to correct route
(req, res) => {
// redirect to dashboard route after sign-in
res.redirect("/surveys");
// full HTTP requrest, so it reloads versus AJAX request which uses react and redux and is much faster
}
);
Client - Side
<div
className="collapse navbar-collapse nav-positioning"
id="navbarNav"
>
<ul className="navbar-nav">
<li className="nav-item google-link">
<a className="nav-link" href="/auth/google">
Google Login
</a>
</li>
</ul>
</div>
Index.js
// Route file, or starter file
const express = require("express");
// node.js does not have support from E6,
// so we use common js modules
// import vs require :
// common vs ES6
// bring in mongoose
const mongoose = require("mongoose");
// tell express it must make use of cookies when using passport
const cookieSession = require("cookie-session");
const passport = require("passport");
// pull in body-parser middleware to get req.body
const bodyParser = require("body-parser");
// connect it to DB in keys so it is not posted to github
const keys = require("./config/keys");
//connect mongoose
mongoose.connect(keys.mongoURI);
// ########## MODELS ################
// THIS MUST BE ABOVE WHERE YOU USE IT, SO ABOVE PASSPORT
require("./models/User");
require("./models/Survey");
// don't have to require recipient because its included inside Survey
// pull in passport service, we are not returning anything in passport, so we do not need const passport because nothing to assign
require("./services/passport");
// Generate a new application that represents a running express app
const app = express(); // vast majority use single app
// this will listen for incoming requests, and route them on to different route handlers
// parser so every time a req has a req.body comes in then it will be assigned to the req.body property
app.use(bodyParser.json());
app.use(
cookieSession({
// age for auth cookies to last... 30 days
maxAge: 30 * 24 * 60 * 60 * 1000,
// give cookie a key
keys: [keys.cookieKey]
})
);
// tell passport to use cookies
app.use(passport.initialize());
app.use(passport.session());
// done with authentication flow
//require that file returns a function, which is then immediately called with the app object
require("./routes/authRoutes")(app);
require("./routes/billingRoutes")(app);
require("./routes/surveyRoutes")(app);
if (process.env.NODE_ENV === "production") {
// if in production make sure express will serve up production assets
// like main.js
app.use(express.static("client/build"));
// Express will serve up index.html file if it doesn't recognize the routes
const path = require("path");
app.get("*", (req, res) => {
res.sendFile(path.resolve(__dirname, "client", "build", "index.html"));
});
}
// dynamically figure out what port to listen to... Heroku, heroku will inject env variables in moment of deploy, but only works in production not development environment
const PORT = process.env.PORT || 5000; // if heroku port exists assign it that, else, assign it 5000
app.listen(PORT); // listen for requests and route them to the correct handler on port 5000
/* ###### HEROKU PREDEPLOY ##### */
// specifiy node version and start script for heroku in package.json
// make .gitignore for dependencies which should not be committed on deploy, heroku will install them itself
// app.use wires up middleware for our application
// ############### TIPS
/*
Google first, because its been asked before...
Run in module
*/
I have the same issue with this problem too. I solve it by define an absoluteURI on the config keys. because google look at url callback at https:// and heroku path is http:// which it should be fix when you add proxy: true but it is not.
On the config keys add
dev: absoluteURI: localhost:5000
prod: absoluteURI: http://herokupath
// .use is generic register
passport.use(
new GoogleStrategy(
{
clientID: keys.googleClientID,
clientSecret: keys.googleClientSecret,
callbackURL: absoluteURI + "/auth/google/callback",
proxy: true
},
I believe the problem is that your app on heroku is only listening for http requests. If your link to the OAuth page has the form "https://your-domain.com/auth/google", then your app's routes will not match against that route (because of the https) and so your app will show a blank page, just like it will show for any route that it's not listening for.
One way to get around this problem and still use https (and therefore still show the secure logo next to the url) is to use https for every link except for this OAuth link. Your get and post requests within the app will be using http, but any link visible on the url will use https. Something like this would work:
app.use(function(req, res, next) {
if (process.env.NODE_ENV === "production") {
const reqType = req.headers["x-forwarded-proto"];
// if not https redirect to https unless logging in using OAuth
if (reqType !== "https") {
req.url.indexOf("auth/google") !== -1
? next()
: res.redirect("https://" + req.headers.host + req.url);
}
} else {
next();
}
});
And any frontend link that points to the OAuth login page should be an http link
Please take a look at this SO answer. It looks like your scope params need to be modified for the google auth to work.
I am working on a MEAN application, I am using Angular 4 for my project. For authentication, I have implemented the Passport js Local-strategy. And I am maintaining persistent session using Express-session. Things are working fine till here.
The Problem
In the same domain session works fine and I am able to authenticate the user. But in cross-domain, I am not able to maintain the session. It generates a new session id for each new request in cross-domain.
I then tried Passport-jwt but the problem with it is I don't have the control over user session. I mean I can't logout the user from the server if he is inactive or even on server re-start also the token don't get invalid.
So in simple words, I am looking for an authentication solution in Node js (Express js) in which I can manage authentication in cross-domain.
I have already seen some blog post and SO questions like this, but it doesn't help.
Thank you.
EDIT
Should I write my own code to achieve this? If so I have a plan.
My basic plan is:
The user will send credentials with the login request.
I will check for the credentials in the database. If credentials are valid, I will generate a random token and save it to the database, in the user table and the same token I will provide to the user with success response.
Now, with each request user will send the token and I will check the token for each request in the database. If the token is valid then I will allow the user to access the API otherwise I will generate an error with 401 status code.
I am using Mongoose (MongoDB) so I will be ok to check the token in each request (performance point of view).
I think this is also a good idea. I just want some suggestions, whether I am thinking in right direction or not.
What I will get with this:
The number of logged in user in the application (active sessions).
I can logout a user if he is idle for a certain interval of time.
I can manage multiple login session of the same user (by doing an entry in the database).
I can allow the end user to clear all other login sessions (like Facebook and Gmail offers).
Any customization related to authorization.
EDIT 2
Here I am shareing my app.js code
var express = require('express');
var helmet = require('helmet');
var path = require('path');
var favicon = require('serve-favicon');
var logger = require('morgan');
var cookieParser = require('cookie-parser');
var bodyParser = require('body-parser');
var dotenv = require('dotenv');
var env = dotenv.load();
var mongoose = require('mongoose');
var passport = require('passport');
var flash = require('connect-flash');
var session = require('express-session');
var cors = require('cors');
var databaseUrl = require('./config/database.js')[process.env.NODE_ENV || 'development'];
// configuration
mongoose.connect(databaseUrl); // connect to our database
var app = express();
// app.use(helmet());
// required for passport
app.use(function(req, res, next) {
res.header('Access-Control-Allow-Credentials', true);
res.header('Access-Control-Allow-Origin', req.headers.origin);
res.header('Access-Control-Allow-Methods', 'GET,PUT,POST,DELETE');
res.header('Access-Control-Allow-Headers', 'X-Requested-With, X-HTTP-Method-Override, Content-Type, Accept');
if ('OPTIONS' == req.method) {
res.send(200);
} else {
next();
}
});
app.use(cookieParser());
app.use(session({
secret: 'ilovescotchscotchyscotchscotch', // session secret
resave: true,
saveUninitialized: true,
name: 'Session-Id',
cookie: {
secure: false,
httpOnly: false
}
}));
require('./config/passport')(passport); // pass passport for configuration
var index = require('./routes/index');
var users = require('./routes/user.route');
var seeders = require('./routes/seeder.route');
var branches = require('./routes/branch.route');
var companies = require('./routes/company.route');
var dashboard = require('./routes/dashboard.route');
var navigation = require('./routes/navigation.route');
var roles = require('./routes/role.route');
var services = require('./routes/services.route');
// view engine setup
app.set('views', path.join(__dirname, 'views'));
app.set('view engine', 'jade');
// uncomment after placing your favicon in /public
//app.use(favicon(path.join(__dirname, 'public', 'favicon.ico')));
app.use(logger('dev'));
app.use(bodyParser.json());
app.use(bodyParser.urlencoded({ extended: true }));
// app.use(cookieParser());
app.use(express.static(path.join(__dirname, 'public')));
app.use(passport.initialize());
app.use(passport.session()); // persistent login sessions
app.use(flash()); // use connect-flash for flash messages stored in session
require('./routes/auth.route')(app, passport);
app.use('/', index);
app.use('/users', users);
app.use('/seed', seeders);
app.use('/branches', branches);
app.use('/companies', companies);
app.use('/dashboard', dashboard);
app.use('/navigation', navigation);
app.use('/roles', roles);
app.use('/services', services);
// catch 404 and forward to error handler
app.use(function(req, res, next) {
res.status(404).send({ status: 'NOT_FOUND', message: 'This resource is not available.'});
});
// error handler
app.use(function(err, req, res, next) {
// set locals, only providing error in development
res.locals.message = err.message;
res.locals.error = req.app.get('env') === 'development' ? err : {};
// render the error page
let errorObj = {
status: 'INTERNAL_SERVER_ERROR',
message: 'Something went wrong.',
error: err.message
};
res.status(err.status || 500).send(errorObj);
});
module.exports = app;
EDIT 3
For those who don't understand my problem. Explaining the problem in
simple words:
My Express server is running on port 3000.
In order to consume any API from the server, a user must be logged in.
When a user gets logged in from localhost:3000, the server checks the credentials(using Passport-local) and returns a token in the response header.
Now after login, when a user hits any API from localhost:3000, a predefined Header comes with passport-session and then passport verifies the user session using req.isAuthenticated() and all the things works as expected.
When a user gets logged in from localhost:4000 and the server send a token in response header (same as localhost:3000).
When after successful login, the user hits any API from localhost:4000 the passport js function req.isAuthenticated() returns false.
This was happening because in cross-domain the cookie doesn't go to the server we need to set withCredentials header to true at the client side.
I have set withCredentials header to true but still at the server the req.isAuthenticated() is returning false.
One possible solution to get around CORS/cookie/same-domain problems is to create proxy server that will mirror all requests from localhost:3000/api to localhost:4000, and then use localhost:3000/api to access the API instead of localhost:4000.
Best way for production deployment is to do it on your web server (nginx/apache).
You can also do it in node via express and request modules, or use some ready made middleware like this one:
https://github.com/villadora/express-http-proxy
Solution with this middleware is pretty straightforward:
var proxy = require('express-http-proxy');
var app = require('express')();
app.use('/api', proxy('localhost:4000'));
If you want to use sessions (ie. instead of jwt, etc) I think by default they are just in-memory so it will not work as your application scales to multiple hosts. It is easy to configure them to persist though.
See
https://github.com/expressjs/session#compatible-session-stores
You might have tried with passport-jwt. It generates tokens as per the JWT protocol on login. Your requirement is to blacklist the generated token when you logout. To achieve that, you can create a collection in mongodb named "BlacklistToken" with fields userid and token. When the user logs out, you can insert the token and userid in the collection. Then write a middleware to check whether the token is blacklisted or not. if it is redirect to login page.
did you already take a look here:
In this case, responses can be sent back based on some considerations.
If the resource in question is meant to be widely accessed (just like any HTTP resource accessed by GET), then sending back the Access-Control-Allow-Origin: * header will be sufficient,[...]
You may try this (allow any public IP) :
app.use(function(req, res, next) {
res.header('Access-Control-Allow-Credentials', true);
res.header('Access-Control-Allow-Origin', '*'); // add this line
// res.header('Access-Control-Allow-Origin', req.headers.origin);
res.header('Access-Control-Allow-Methods', 'GET,PUT,POST,DELETE');
It is normal that the second server re-create a new session, because assuming that you use Express-session, and according to the documentation:
Session data is not saved in the cookie itself, just the session ID. Session data is stored server-side.
Which mean that you need to find a way to synchronize servers session data ...
Assuming that you find a method to do that, when you will try to connect, both server will retrieve the same user session data and the second will not have to create a new session...
If I understand the problem correctly here, you want the user's session to be stateless on the server. So that whenever the user logs in, the session can be re-used in any instance of the server when you scale your application, or even if you were to just reboot your application.
To achieve this, what you need is to configure the express-session with a database solution. You can do this with mongo using this package https://github.com/jdesboeufs/connect-mongo.
However, best practice is to use something a bit more robust for this sort of use-case, like redis using this package https://github.com/tj/connect-redis.