Error: Failed to find request token in session #101

Open
Dyceman opened this issue Mar 15, 2019 · 12 comments

Comments


Dyceman commented Mar 15, 2019

```
Error: Failed to find request token in session
    at SessionStore.get (C:\Users\danie\WebstormProjects\socialrewards\socialrewards\node_modules\passport-oauth1\lib\requesttoken\session.js:13:44)
    at Strategy.OAuthStrategy.authenticate (C:\Users\danie\WebstormProjects\socialrewards\socialrewards\node_modules\passport-oauth1\lib\strategy.js:214:33)
    at Strategy.authenticate (C:\Users\danie\WebstormProjects\socialrewards\socialrewards\node_modules\passport-twitter\lib\strategy.js:87:40)
    at attempt (C:\Users\danie\WebstormProjects\socialrewards\socialrewards\node_modules\passport\lib\middleware\authenticate.js:361:16)
    at authenticate (C:\Users\danie\WebstormProjects\socialrewards\socialrewards\node_modules\passport\lib\middleware\authenticate.js:362:7)
    at Layer.handle [as handle_request] (C:\Users\danie\WebstormProjects\socialrewards\socialrewards\node_modules\express\lib\router\layer.js:95:5)
    at next (C:\Users\danie\WebstormProjects\socialrewards\socialrewards\node_modules\express\lib\router\route.js:137:13)
    at Route.dispatch (C:\Users\danie\WebstormProjects\socialrewards\socialrewards\node_modules\express\lib\router\route.js:112:3)
    at Layer.handle [as handle_request] (C:\Users\danie\WebstormProjects\socialrewards\socialrewards\node_modules\express\lib\router\layer.js:95:5)
    at C:\Users\danie\WebstormProjects\socialrewards\socialrewards\node_modules\express\lib\router\index.js:281:22
    at Function.process_params (C:\Users\danie\WebstormProjects\socialrewards\socialrewards\node_modules\express\lib\router\index.js:335:12)
    at next (C:\Users\danie\WebstormProjects\socialrewards\socialrewards\node_modules\express\lib\router\index.js:275:10)
    at Function.handle (C:\Users\danie\WebstormProjects\socialrewards\socialrewards\node_modules\express\lib\router\index.js:174:3)
    at router (C:\Users\danie\WebstormProjects\socialrewards\socialrewards\node_modules\express\lib\router\index.js:47:12)
    at Layer.handle [as handle_request] (C:\Users\danie\WebstormProjects\socialrewards\socialrewards\node_modules\express\lib\router\layer.js:95:5)
    at trim_prefix (C:\Users\danie\WebstormProjects\socialrewards\socialrewards\node_modules\express\lib\router\index.js:317:13)
    at C:\Users\danie\WebstormProjects\socialrewards\socialrewards\node_modules\express\lib\router\index.js:284:7
    at Function.process_params (C:\Users\danie\WebstormProjects\socialrewards\socialrewards\node_modules\express\lib\router\index.js:335:12)
    at next (C:\Users\danie\WebstormProjects\socialrewards\socialrewards\node_modules\express\lib\router\index.js:275:10)
    at initialize (C:\Users\danie\WebstormProjects\socialrewards\socialrewards\node_modules\passport\lib\middleware\initialize.js:53:5)
    at Layer.handle [as handle_request] (C:\Users\danie\WebstormProjects\socialrewards\socialrewards\node_modules\express\lib\router\layer.js:95:5)
    at trim_prefix (C:\Users\danie\WebstormProjects\socialrewards\socialrewards\node_modules\express\lib\router\index.js:317:13)
    at C:\Users\danie\WebstormProjects\socialrewards\socialrewards\node_modules\express\lib\router\index.js:284:7
    at Function.process_params (C:\Users\danie\WebstormProjects\socialrewards\socialrewards\node_modules\express\lib\router\index.js:335:12)
    at next (C:\Users\danie\WebstormProjects\socialrewards\socialrewards\node_modules\express\lib\router\index.js:275:10)
    at C:\Users\danie\WebstormProjects\socialrewards\socialrewards\node_modules\express-session\index.js:489:7
    at Command.callback (C:\Users\danie\WebstormProjects\socialrewards\socialrewards\node_modules\connect-redis\lib\connect-redis.js:167:14)
    at normal_reply (C:\Users\danie\WebstormProjects\socialrewards\socialrewards\node_modules\redis\index.js:726:21)
```

How to reproduce

  1. Sign into twitter with your username/email and password
  2. Login successful
  3. Moves to return url
  4. ERROR!!!!

What am I using.
express-session

```js
app.use(session({
  store: new RedisStore(redis_options),
  secret: process.env.EXPRESS_SESSION_SECRET,
  resave: true,
  saveUninitialized: true,
  cookie: { secure: true }
}));
```

In a development environment

Things I have already tried

  1. Changing

     ```js
     app.use(session({ store: new RedisStore(redis_options), secret: process.env.EXPRESS_SESSION_SECRET, resave: true, saveUninitialized: true, cookie: { secure: true } }));
     ```

     to

     ```js
     app.use(session({ store: new RedisStore(redis_options), secret: process.env.EXPRESS_SESSION_SECRET, resave: true, saveUninitialized: true, cookie: { secure: 'auto' } }));
     ```

     and then to

     ```js
     app.use(session({ store: new RedisStore(redis_options), secret: process.env.EXPRESS_SESSION_SECRET, resave: true, saveUninitialized: true }));
     ```

  2. I regenerated both Auth tokens and API information in my twitter app.

  3. Ran the app on https and http

Has anyone solved this problem before?


Martii commented Mar 15, 2019

@Dyceman

What is your sameSite default set to for your site? We had to demote this in order for most strategies to verify as a work-around. Perhaps your issue? (NOTE: This is browser dependent so you'll get different results in different browsers depending on when/if it was implemented)


Dyceman commented Mar 15, 2019

@Martii What do you mean by sameSite ?


Martii commented Mar 15, 2019

@Dyceman

sameSite at MDN.

We use this auth strategy with the secure attribute and lax value for sameSite to start; otherwise most, if not all, of the strategies including Twitter will throw lots of errors. Later we elevate it to strict as a work-around. It's not pretty but does the job most of the time unless intercepted (that person's loss for preventing it). If your site's security settings default to strict it might cause what you are looking at, but not sure without being there to test it directly... plus don't know what browser you are testing in, which may affect the results depending on what the extensions/addons/default settings and implementation for cookie handling are.


Martii commented Mar 15, 2019

Btw...

> In a development environment

Is your localhost https? Most aren't and use http with no certificates... but depends on your network setup.


Dyceman commented Mar 15, 2019

I am using ngrok. I didn't have this issue 3 days ago.


Martii commented Mar 15, 2019

Unfamiliar with that particular tunneling reverse proxy... perhaps they updated something in their backend or your frontend? Have you tried direct to your development environment on the same LAN? You are welcome to give OUJS a shot to see if you can sign up/sign in with your Twitter account... we haven't gotten any issues yet, and the code point reference above I gave you is how we handle all the strategies, with secure being true for secured environments and not using it for unsecured environments. There's a note on MDN stating certain browsers used to allow it even if it wasn't https, but that's not the case any more (for a while now).


Martii commented Mar 15, 2019

Looks like #8 is similar to your issue... may want to go see what solutions were provided. Anything with proxy may lead to a solution too.
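
The settings raised in this thread (`secure`, `sameSite`, a tunnelling proxy) can be checked against a simplified model of when the session cookie that holds the request token comes back on the callback. This is an added example, not code from the thread or from passport-twitter; `diagnoseCallbackSession`, its parameter names and the scenario hosts are hypothetical, and the host check is an extra case the thread does not discuss.

```javascript
// Added example: simplified model of whether the session cookie created on
// /login/twitter is presented again on the OAuth callback request.
// app = { secure: true | false | 'auto', sameSite: 'strict' | 'lax' | 'none' | undefined,
//         trustProxy: boolean }
// hop = { browserHttps, proxyTerminatesTls, loginHost, callbackHost }
function diagnoseCallbackSession(app, hop) {
  // Behind a TLS-terminating proxy Express sees plain HTTP unless
  // 'trust proxy' lets it honour X-Forwarded-Proto.
  const appSeesHttps = hop.browserHttps && (!hop.proxyTerminatesTls || app.trustProxy);

  // express-session with secure: true sets no cookie on a connection it
  // considers insecure; 'auto' mirrors what the app sees.
  if (app.secure === true && !appSeesHttps) {
    return { ok: false, reason: 'secure: true, but the app sees http, so no cookie is set' };
  }
  const secureFlag = app.secure === 'auto' ? appSeesHttps : app.secure === true;

  // The callback is a top-level GET started from the provider's site.
  if (app.sameSite === 'strict') {
    return { ok: false, reason: 'SameSite=Strict is withheld on the cross-site callback' };
  }
  if (app.sameSite === 'none' && !secureFlag) {
    return { ok: false, reason: 'SameSite=None without Secure is rejected by current browsers' };
  }
  // A cookie without a Domain attribute is only returned to the host that set it.
  if (hop.loginHost !== hop.callbackHost) {
    return { ok: false, reason: 'login and callback use different hosts' };
  }
  return { ok: true, reason: 'session cookie accompanies the callback' };
}

// Constructed scenarios: an HTTPS tunnel in front of a plain-HTTP dev server.
const tunnel = { browserHttps: true, proxyTerminatesTls: true,
                 loginHost: 'dev.example.test', callbackHost: 'dev.example.test' };
const scenarios = {
  secureTrueNoTrust: diagnoseCallbackSession({ secure: true, trustProxy: false }, tunnel),
  secureTrueTrusted: diagnoseCallbackSession({ secure: true, sameSite: 'lax', trustProxy: true }, tunnel),
  strictFromStart: diagnoseCallbackSession({ secure: true, sameSite: 'strict', trustProxy: true }, tunnel),
  autoNoTrust: diagnoseCallbackSession({ secure: 'auto', trustProxy: false }, tunnel),
  hostMismatch: diagnoseCallbackSession({ secure: false, trustProxy: false },
    { ...tunnel, browserHttps: false, loginHost: 'localhost', callbackHost: '127.0.0.1' }),
};

for (const [name, result] of Object.entries(scenarios)) {
  console.log(name.padEnd(18), result.ok ? 'OK  ' : 'FAIL', result.reason);
}
```

The model covers cookie delivery only; a session store that fails to persist the session between the two requests produces the same error and is outside it.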


Dyceman commented Mar 15, 2019

I've tried setting the cookie to LAX, strict and the other options and still no luck. I am going to check to see if I have the same issue with passport Twitter libraries.


Dyceman commented Mar 15, 2019

Oh forgot I am testing this in Firefox.


pr1ntr commented May 3, 2019

I am getting this error when trying to do this with next.js
I ran the twitter-express npm example and it worked fine. For some reason when I implement this:

```js
const { parse } = require('url')
const express = require('express') // required below by express(); missing from the original paste
const next = require('next')
const passport = require('passport')
const Strategy = require('passport-twitter').Strategy

const dev = process.env.NODE_ENV !== 'production'
const nextApp = next({ dev })
const handle = nextApp.getRequestHandler()

passport.use(new Strategy({
  consumerKey: '**************************',
  consumerSecret: '********************************',
  callbackURL: '/oauth/callback',
  proxy: false,
},
function(token, tokenSecret, profile, cb) {
  // In this example, the user's Twitter profile is supplied as the user
  // record.  In a production-quality application, the Twitter profile should
  // be associated with a user record in the application's database, which
  // allows for account linking and authentication with other identity
  // providers.
  return cb(null, profile)
}))

passport.serializeUser(function(user, cb) {
  cb(null, user)
})

passport.deserializeUser(function(obj, cb) {
  cb(null, obj)
})

const start = async () => {
  try {
    await nextApp.prepare()
    const expressApp = express()
    expressApp.use(require('cookie-parser')())
    expressApp.use(require('body-parser').urlencoded({ extended: true }))
    // The OAuth request token is kept in this session between the
    // /login/twitter redirect and the /oauth/callback request.
    expressApp.use(require('express-session')({
      secret: 'keyboard cat',
      resave: true,
      saveUninitialized: true,
      cookie: {
        secure: 'auto',
      },
    }))
    expressApp.use(passport.initialize())
    expressApp.use(passport.session())

    expressApp.get('/login/twitter',
      passport.authenticate('twitter'))

    expressApp.get('/oauth/callback',
      passport.authenticate('twitter', { failureRedirect: '/login' }),
      function(req, res) {
        res.redirect('/')
      })

    expressApp.use(handle)

    console.log('listen')
    expressApp.listen(8080)
  } catch (error) {
    console.error('well something went wrong', error)
  }
}

start()
```


joeykay9 commented Jun 12, 2019

Hope you are returning profile in cb:

```js
return cb(null, profile)
```

And nothing else


pr1ntr commented Jun 12, 2019

Yeah, this is partly an issue with next.js. In dev mode it throws the session away most of the time. No idea why.
