I have an Express application that has a cookie-based authenticated route. I am using cookie-session to store auth tokens in the cookie.
I am developing a mobile app using Flutter and am using the requests package to manage cookies while making HTTP calls. I am able to make basic HTTP GET and POST calls.
My Express application has two routes - Sign In and Get Info. The route to Sign In authenticates the user and sets an auth token in the cookie using cookie-session. The Get Info gets information for an authenticated user, and the authentication is checked by a middleware.
The Express application is working as expected when I make calls using Postman or curl but is failing when I make calls using Flutter.
When I analysed the differences, I found that the Flutter application is adding an 'httponly' in the cookie, and consequently, the auth tokens are not being extracted. When making the same call using curl, it failed with httponly and worked when I removed the httponly flag in the cookie.
I tried toggling httponly in cookie-session by using sessionOptions and it has not worked.
Can someone help me out on this? I would be happy to provide additional information if it is required.
Related
I am setting up a next.js app and was planning on using next-auth's JWT strategy for auth. I understand how the workflow works to protect your next.js routes and api endpoints within your API folder, but I have a separate express.js server that handles an API to my database that this app will be using.
My question is, is there some way to send the JWT token to my express server along with any api calls, and hold the secret on that server as well to authenticate the session and give the user access to the api routes?
My thought was to do this either in a next-auth callback or just send the jwt token along when needed. I was just having trouble finding a way to view the full jwt server side. All of the server-side hooks next-auth provide parse out the data from the JWT.
Thanks for any insight.
Yes you can achieve this using the CredentialsProvider what you have to do is call your login endpoint to recive your JWT tokens once the user logged in and store them in next-auth session then you can access it using useSession() from anywhere to get the token you need and send it along with any REQUEST you want to send to your backend server.
tl;dr
I am trying to add cypress test for SPA but login does not work. Need help to set "AppServiceAuthSession" cookie.
Details
My single page application(SPA) is secured with Azure AD provider and uses authentication feature of Azure app service. When I login with credentials, app service responds with certain set-cookie headers which includes "AppServiceAuthSession". Once this cookie is added, application does not requires login on refresh.
As EasyAuth enabled, there is no custom code required and Azure app service handles authentication.
Cypress does not supports/recommends auto redirects. Logging in user prior to accessing SPA avoids redirects. As application does not have any custom code for login, MSAL and ADAL are not added to app which leverage browser localstorage to set tokens. There are two solutions I can think of:
Change authentication approach and use custom MSAL setup
Set "AppServiceAuthSession" cookie
Option 1 requires production code changes for cypress test which I believe is not recommended.
So need help to set "AppServiceAuthSession" cookie via cypress test.
I do not find any documentation around "AppServiceAuthSession" cookie, how to get it.
I tried this solution but its not working, probably it requires ADAL setup in application.
The AppServiceAuthSession is cookie which differs to token, so modify the configuration of Azure app to fetch from the access_token.
Locate the configuration->authsettings(resource is the clientId of Azure app which used to protect your apps)
"additionalLoginParams": [
"response_type=code id_token",
"resource=9hj2797f-29xf-4405-96x4-29g11hk4ce94"
],
And config the redirect_uri for Azure app like "AzureUrl + /login/aad/callback"
And you can fetch the access_token from the endpoint url.
*For more information on authentication and token check this link1 and link2
I am using keycloak to authenticate my Apollo server express API. Including the bearer token in the Apollo studio header is not enough to authenticate the studio as the request needs to contain certain cookies provided by keycloak that are set in the browser when I log into the front end app.
The front end sends this cookie along with the bearer token to the server. While I have the option to manually define an authentication token in Apollo studio, I don’t know of a way to attach the cookie to the request.
Interestingly enough, when I use postman to query my API, postman will actually extract the cookie in the browser that has already been set by logging into the front end and include it in any postman requests to the URL that corresponds to the cookie, so I can make authenticated requests with postman if I have already logged into my front end. Unfortunately Apollo studio does not do this.
How can I provide Authentication with the cookie from my Apollo studio? It’s a bit tricky since Apollo studio is not hosted by my backend application. Can I have express middleware to insert the cookie in requests coming from Apollo studio? What would this look like?
I’ve also heard talk about creating a proxy but I don’t really understand this option, is this a viable solution and how would it work?
Visual Explanation
So basically I have an Express REST API that handles login and everything, I need to create a new service in NextJS that will handle some features, BUT, I wish to use the capability of NextJS of making a request to its own API and only then send the request further to my Express API, further adding an extra layer of security.
My current setup is that I am making an axios POST request from my proxy api to my express api, I receive all my account details and everything, I received my session cookie, but how do I manage to set it? So far I tried sending it to the front separately and set it there, but that does not seem to work.
To be mentioned:
I do have "withCredentials: true" for axios in order to persist the session and make further requests using the cookies token.
I am developing a website with nuxtjs framework and using oauth2 authentication flow.
so as you know I have to save refreshToken in localstorage for some security things and it's not safe to save it in cookie.
after one hour the accessToken expires and I should request to server for new accessToken by refreshtoken.
so when the request is from client side, every things looks fine and works perfectly.but the problem is when user reload the page, the request is sent by nuxt server side (nodejs) and there is no way to access localstorage for getting refeshtoken.
so what should I do?
what is the best way for use oauth2 in nuxtjs?