Should I change the port from 3000 on an Express app / Nginx for security - express

Should I change the port from 3000 on an Express app and Nginx for security, or doesn't matter? I have it set to get the port number from aws parameter store, would this be more secure than storing it as an environmental variable on the server? If I should change the port what is a good number to change it to?
const param = require('./param');
param.getSecret('po').then((port) => {
app.listen(port, () => {
console.log("Express server running on: " + port)
})
});
param.js
const AWS = require("aws-sdk");
const ssm = new AWS.SSM({ region: "us-east-1" });
// const ssm = require('./aws-client');
const getSecret = async (ss) => {
console.log(`Getting secret for ${ss}`);
const params = {
Name: ss,
WithDecryption: true
};
const result = await ssm.getParameter(params).promise();
return result.Parameter.Value;
};
module.exports = { getSecret };
session
param.getSecret('ss').then((secret) => {
app.use(session({
proxy: true,
secret: secret,
resave: false,
saveUninitialized: true,
cookie: { secure: true }
}))
console.log("SECRET: " + secret)
});

Related

Saving an express-session in socket.io

I can not understand why my sessions do not want to be saved.
Each time I connect, I get a new session id, but if I just go (through the browser) to tessocket.local, the session is saved and already when called through the socket, it is normally determined. That's actually the question - how to defeat it?
Forcing the session to be saved after io.on("connection" doesn't help.
If you remove transports: ["websocket"] - polling starts working, but then the session is not defined at all through the socket.
client.js
const socketOptions = {
"force new connection" : true,
"reconnectionAttempts": "Infinity",
"timeout" : 10000,
"transports" : ["websocket"]
};
// #ts-ignore
socket = io('https://tessocket.local',socketOptions)
// #ts-ignore
socket.onAny((event, ...args) => {
console.log(event, args);
});
return socket
server.js
const app = require('express')(),
http = require('http'),
https = require('https'),
// http = require("http"),
fs = require( "fs" ),
path = require("path"),
eSession = require("express-session"),
MongoDBStore = require('express-mongodb-session')(eSession),
store = new MongoDBStore({
uri: 'mongodb://admin:admin#localhost:27017/tmp?authSource=admin',
collection: 'sessions'
});
options = {
key: fs.readFileSync(path.resolve(__dirname, "../minica/test.local/key.pem")),
cert: fs.readFileSync(path.resolve(__dirname, "../minica/test.local/cert.pem")),
},
server = https.createServer(options, app)
const io = require("socket.io")(server, {
cors: "http://test.local:3000",
transports: ["websocket"]
}),
session = eSession({
secret: "my-secret",
resave: true,
saveUninitialized: true,
store,
cookie: {
httpOnly: false, // key
maxAge: null,
path: "/",
secure: true,
sameSite: 'none'
},
}),
sharedsession = require("express-socket.io-session");
// Attach session
app.use(session);
// Share session with io sockets
io.use(sharedsession(session));
io.on("connection", function(socket) {
// Accept a login event with user's data
console.log(socket.handshake.session.id)
socket.on("login", function(userdata) {
socket.handshake.session.userdata = userdata;
socket.handshake.session.save();
});
socket.on("logout", function(userdata) {
if (socket.handshake.session.userdata) {
delete socket.handshake.session.userdata;
socket.handshake.session.save();
}
});
});
server.listen(443);
socket.io#4.4.1
express#4

Passport user object in request not available in getInitialProps when server is on a different port

I have my express server on a different port than my client-side nextjs project.
I know when you have a server on the same port you can use getRequestHandler with next that passes the user object to be accessible with getInitialProps in the client-side.
const express = require("express");
const next = require("next");
const app = next({ dev: true });
const handle = app.getRequestHandler();
app.prepare().then(() => {
const server = express();
// adds passport session
require("./middlewares").init(server);
const apolloServer = require("./graphql").createApolloServer();
apolloServer.applyMiddleware({ app: server });
server.all("*", (req, res) => {
return handle(req, res);
});
server.listen(port, (err) => {
if (err) throw err;
});
});
My passport implementation is as follows
const config = require("../config");
const session = require("express-session");
const passport = require("passport");
exports.init = (server, db) => {
require("./passport").init(passport);
const sess = {
name: "pid",
secret: config.SESSION_SECRET,
cookie: { maxAge: 2 * 60 * 60 * 1000 },
resave: false,
saveUninitialized: false,
store: db.initSessionStore(),
};
if (process.env.NODE_ENV === "production") {
server.set("trust proxy", 1);
sess.cookie.secure = true;
sess.cookie.httpOnly = true;
sess.cookie.sameSite = 'none';
sess.cookie.domain = process.env.DOMAIN;
}
server.use(session(sess));
server.use(passport.initialize());
server.use(passport.session());
};
And running the following on the express server, I can see req.user returning the user object.
app.use((req, res, next) => {
console.log(req.user);
next();
});
In a page in my nextjs app, in getInitialProps req.user is undefined
Home.getInitialProps = async (ctx) => {
const { req } = ctx;
const { user } = req;
console.log(user);
..........
};
Is there a way to either access the passport user object via SSR in nextjs or a different method to authorize and user on a page?
I do have a Github Repo with instructions on how to run the app in the README.md

Passport auth doesn't seems work across port. The solution is put a ngnix in front.
Local passport authorization on different ports

Port error when deploying express server with OIDC to Azure App Service

I am attempting to deploy a server to an azure app service. The server code can be found below.
The error I am getting from the log stream is:
2020-11-18T23:36:06.088Z ERROR - Container [container name] didn't respond to HTTP pings on port: 8080, failing site start. See container logs for debugging.
I have PORT set to 8080 and I know that config is picking up as I can see "Server listening on port 8080" in the logs. I have tried changing WEBSITES_PORT to 80 and 8080 as I saw that other posts, but I think my issue is different.
This site was working prior to my adding auth with OIDC libraries.
The app works locally with the server code below.
const https = require('https')
const express = require('express')
const path = require('path')
const app = express()
const fs = require('fs')
const key = fs.readFileSync('./key.pem')
const cert = fs.readFileSync('./cert.pem')
require('dotenv').config()
app.use(express.json())
app.use(express.urlencoded({
extended: true
}))
app.use(express.static('express'))
var cors = require('cors')
const OktaJwtVerifier = require('#okta/jwt-verifier')
const session = require('express-session')
const {
ExpressOIDC
} = require('#okta/oidc-middleware')
var getUserInfo = require('./getUserInfo')
// session support is required to use ExpressOIDC
app.use(
session({
secret: 'this should be secure',
resave: true,
saveUninitialized: false,
cookie: {
httpOnly: false,
secure: true,
},
})
)
const oidc = new ExpressOIDC({
issuer: process.env.ISSUER || 'https://[custom auth server domain].gov/oauth2/default',
client_id: process.env.CLIENT_ID || 'xxxxxxxxxxxxxxxxx',
client_secret: process.env.CLIENT_SECRET || 'xxxxxxxxxxxxxxxxxx',
redirect_uri: process.env.REDIRECT_URI ||
'https://localhost:3000/authorization-code/callback',
appBaseUrl: process.env.APP_BASE_URL || 'https://localhost:3000',
scope: 'openid profile',
})
// ExpressOIDC attaches handlers for the /login and /authorization-code/callback routes
app.use(oidc.router)
app.use(cors())
app.options('*', cors())
app.get('/userinfo', (req, res) => {
let domain = 'dev'
if (req.isAuthenticated()) {
getUserInfo.userRequest(res, req.userContext, domain)
}
})
app.get('/authStatus', (req, res) => {
if (req.isAuthenticated()) {
res.send(req.userContext.userinfo)
}
})
app.post('/forces-logout', oidc.forceLogoutAndRevoke(), (req, res) => {
// Nothing here will execute, after the redirects the user will end up wherever the `routes.logoutCallback.path` specifies (default `/`)
})
var linkObj = {not relevant links used hrefs on html based on env}
// default URL for website
app.get('/', function(req, res) {
res.sendFile(path.join(__dirname + '/express/index.html'))
//__dirname : It will resolve to your project folder.
})
// FAQ Path
app.get('/help', function(req, res) {
res.sendFile(path.join(__dirname + '/express/help.html'))
//__dirname : It will resolve to your project folder.
})
app.get('/links', (req, res) => {
res.json(linkObj)
})
app.post('/forces-logout', oidc.forceLogoutAndRevoke(), (req, res) => {
// Nothing here will execute, after the redirects the user will end up wherever the `routes.logoutCallback.path` specifies (default `/`)
})
// default URL for website
app.get('*', function(req, res) {
res.sendFile(path.join(__dirname + '/express/index.html'))
//__dirname : It will resolve to your project folder.
})
const port = normalizePort(process.env.PORT || '3000')
if (process.env.PORT) {
const server = https.createServer(app)
server.listen(port)
} else {
const server = https.createServer({
key: key,
cert: cert
}, app)
server.listen(port)
}
console.debug('Server listening on port ' + port)
function normalizePort(val) {
var port = parseInt(val, 10)
if (isNaN(port)) {
// named pipe
return val
}
if (port >= 0) {
// port number
return port
}
return false
}

I believe it's this line that could be giving you issues:
const port = normalizePort(process.env.PORT || '3000')
I'd try changing it to:
const port = normalizePort(process.env.PORT || '8080')
You'll also need to change these lines to have your public URL, not localhost:
redirect_uri: process.env.REDIRECT_URI ||
'https://localhost:3000/authorization-code/callback',
appBaseUrl: process.env.APP_BASE_URL || 'https://localhost:3000',
After you change these, you'll need to update your app on Okta to your production redirect URI.

how to use express-session in subscription

I'm using express-session as middleware for handling session and everything works just fine with queries and mutation. But I just can't figure out to do handle session for subscription.
const app = express();
const server = http.createServer(app);
const RedisStore = connectRedis(session);
const bootstrap = async () => {
await createConnection();
const schema = await createSchema();
const store = new RedisStore({
client: redis as any,
logErrors: true
});
const apolloServer = new ApolloServer({
schema,
context: ({req, res}: ExpressContext) => {
return ({req, res});
},
subscriptions: {
onConnect: (_, __, context: ConnectionContext) => {
console.log('context', context.request.headers);
}
}
});
const PORT = process.env.port || 4000;
app.use(cookieParser());
//Session middleware before resolvers
app.use(session({
store,
name: COOKIE_NAME,
secret: config.get('session_secret'),
resave: false,
saveUninitialized: false,
cookie: {
httpOnly: true,
secure: process.env.NODE_ENV === "production",
maxAge: 1000 * 60 * 60 * 24 * 365 // 1 year
}
}));
apolloServer.applyMiddleware({app});
apolloServer.installSubscriptionHandlers(server);
//`listen` on the http server variable, and not on `app`.
server.listen(PORT, () => {
console.log(`Server ready at http://localhost:${PORT}${apolloServer.graphqlPath}`);
console.log(`Subscriptions ready at ws://localhost:${PORT}${apolloServer.subscriptionsPath}`);
})
};
bootstrap().catch(e => console.log(e));
This is how I get userId in resolvers
req.session.userId;
How to use similar manner in websokckets.

Apollo express don't have express passport session

For our portal, i integrated my express server with passport to authenticate user. Once user authenticated need to fetch details for user from our api using same session from client. passport authentication working for my portal and able to see identity provider data for user logged in. but when any GraphQL call executed from react side, Apollo servers don't have user session in its request but express had.
Followed the steps mentioned here https://www.apollographql.com/docs/apollo-server/essentials/server.html#ssl but when setting up context for ApolloServer, req don't have passport in its session.
const express = require('express');
const session = require('express-session');
const { ApolloServer } = require('apollo-server-express');
const addResolveFunctionsToSchema = require('graphql-tools').addResolveFunctionsToSchema;
const mongooseConnection = require('./src/persistence/mongooseConnection');
const MongoSession = require('connect-mongo')(session);
const config = require('config');
const mongo = config.get('mongo');
const fs = require('fs');
const https = require('https');
const bodyParser = require('body-parser');
const cookieParser = require('cookie-parser');
const configSession = config.get('session');
const configPassport = config.get('passport');
const configCommon = config.get('common');
const resolvers = require('./src/resolvers');
const schema = require('./src/schema');
const uri = `${mongo.uri}/${mongo.database}`;
const app = express();
var passport = require('passport');
const SamlStrategy = require('passport-saml').Strategy;
const authRoute = require('./routes/auth');
const apiRoute = require('./routes/userDetails');
const Helmet = require('helmet');
require('reflect-metadata');
mongooseConnection.create();
let mongoOptions = {};
const mongoSessionStore = new MongoSession({
url: `${uri}`,
mongoOptions: mongoOptions,
collection: configSession.mongo.collection
});
addResolveFunctionsToSchema(schema, resolvers);
passport.use(
new SamlStrategy(
{
entryPoint: configPassport.entry_point,
// issuer: 'passport-saml',
protocol: 'https',
callbackURL: `${configCommon.dns}/${configPassport.callback_url}`,
// cert: adfsTokenSigningCert,
identifierFormat: null,
forceAuthn: true,
signatureAlgorithm: 'sha256',
acceptedClockSkewMs: -1
},
(profile, cb) => {
cb(null, profile);
}
)
);
passport.serializeUser(function(user, done) {
done(null, userData);
});
passport.deserializeUser(function(obj, done) {
done(null, obj);
});
app.use(cookieParser());
app.use(
session({
secret: 'project',
secret: configSession.config.secret,
resave: false,
saveUninitialized: false,
store: mongoSessionStore,
sameSite: true,
rolling: true,
name: 'project',
cookie: {
secure: true,
domain: configCommon.cookie_domain
}
})
);
// Initialize Passport
app.use(passport.initialize());
app.use(passport.session());
app.use(bodyParser.json());
app.use(
bodyParser.urlencoded({
extended: false
})
);
// setting up security headers
app.use(Helmet());
app.get('/s/health-check', (req, res) => {
res.send(`I am alive!!!!`);
});
app.use('/s/api', apiRoute);
app.use('/s/auth', authRoute); // API integration
const isDev = process.env.NODE_ENV !== 'prod';
const apolloServer = new ApolloServer({
schema,
resolvers,
context: ({ req }) => {
console.log(req) //req.session don't have passport in it
return {
req
};
}
});
apolloServer.applyMiddleware({
app,
path: '/graphql'
});
apolloServer.installSubscriptionHandlers(app);
https
.createServer(
{
key: fs.readFileSync(`./keys/server.key`),
cert: fs.readFileSync(`./keys/server.crt`)
},
app
)
.listen(process.env.PORT, () => {
console.log('Express server is running on port 9091');
});
// Handle uncaughtException
process.on('uncaughtException', err => {
console.log(err.message);
process.exit(1);
});

Double check that the request is sending the session cookies. I had the same problem, and I was using Graphql Playground as the client, and it disables sending the cookies by default. You can fix it by going to the settings in the top right of the playground, and setting "request.credentials": "same-origin". After I did that I saw the passport session initialized properly.