I am developing a basic MEAN application and I am interested in creating a custom user authentication system. My plan is to store the userId in the session upon login, and then verify the existence of the userId in the session on each page request (such as when accessing the list of all users).
Backend - server.js:
const express = require("express");
const session = require("express-session");
const bodyParser = require("body-parser");
const cors = require("cors");
const app = express();
var MemoryStore = session.MemoryStore;
app.use(
session({
name: "app.sid",
secret: "my_s3cr3t",
resave: true,
store: new MemoryStore(),
saveUninitialized: true
})
);
app.use(bodyParser.urlencoded({ extended: true }));
app.use(bodyParser.json());
app.use(cors());
const dbConfig = require("./config/database.config.js");
const mongoose = require("mongoose");
mongoose.Promise = global.Promise;
mongoose
.connect(dbConfig.url)
.then(() => {
// ...
})
.catch(err => {
// ...
process.exit();
});
require("./app/routes/user.routes.js")(app);
require("./app/routes/task.routes.js")(app);
require("./app/routes/login.routes.js")(app);
app.listen(3333, () => {
console.log("Server is listening on port 3333");
});
Upon clicking the Login button, a function from the frontend controller is triggered:
Frontend - login.controller.js:
vm.login = function() {
userService.getUserByUsername(vm.username).then(user => {
if (user.password === vm.password) {
console.log("Login successful");
loginService.login(user).then(($window.location.href = "/#!main"));
} else {
console.log("Login failed");
}
});
};
Backend - login.controller.js:
exports.login = (req, res) => {
req.session.userId = req.body._id;
req.session.save(function(err) {
console.log(err);
});
console.log(req.session);
res.status(200).send({
message: "Login successful"
});
};
The frontend LoginController logs "Login successful" (assuming correct credentials are entered) and redirects to the "main" page which utilizes main.controller.js:
Meanwhile, the backend login controller outputs:
Session {
cookie:
{ path: '/',
_expires: null,
originalMaxAge: null,
httpOnly: true },
userId: '5b4746cafe30b423181ad359' }
At this point, the session contains the userId. However, upon redirection to main.html and activation of main.controller.js, it executes:
loginService.getSession().then(data => console.log(data));(The goal is to confirm the presence of userId in the session for further actions)
The getSession() function in the frontend LoginService simply performs an $http call:
function getSession() {
return $http.get("http://localhost:3333/session").then(
function(response) {
return response.data;
},
function(error) {
console.log(error.status);
}
);
}
This triggers a method defined in the backend LoginController:
exports.getSession = (req, res) => {
console.log(req.session);
if (req.session.userId) {
res
.status(200)
.send({ message: "Session found with userId " + req.session.userId });
} else {
res.status(404).send({ message: "Session not found" });
}
};
In the frontend, a status code of 404 is displayed while the backend output is:
Session {
cookie:
{ path: '/',
_expires: null,
originalMaxAge: null,
httpOnly: true } }
(userId is absent...)
Additionally, some tutorials suggest using cookie-parser. However, implementing it results in only static text being displayed without any data retrieved from the database. Therefore, I have temporarily excluded it from server.js.
EDIT:
I attempted to integrate MongoStore into my application:
const MongoStore = require("connect-mongo")(session);
...
app.use(
session({
name: "app.sid",
secret: "G4m1F1c4T10n_@ppL1c4t10N",
resave: true,
saveUninitialized: false,
cookie: { maxAge: 600000 },
store: new MongoStore({ url: "mongodb://localhost:27017/myAppDb" })
})
);
However, there was no noticeable change.
How can I ensure that my sessions are functioning correctly?