cookie reused from server in SSR app #619

Closed
sarkistlt opened this Issue Dec 29, 2017 · 3 comments

sarkistlt commented Dec 29, 2017

Steps to reproduce

I'm using NextJS for a front-store app, and I have to use a cookie as storage so it will work on the server side as well. I also have one simple hook that checks whether the customer is logged in or not.

const accessToken = ctx && ctx.isServer ? ctx.req.universalCookies.get('feathers-jwt') : client.cookie.get('feathers-jwt');
  return login({ accessToken, strategy: 'jwt' })

When we first open the page in a browser it will use the cookie from the server; then, while navigating within the app, it will use the cookie on the client side.
The problem is that when I'm logging out with client.logout() and then refresh the page, it still uses the cookie from the server and for some reason the JWT is still there.

Expected behavior

After logging out (removing the cookie) there shouldn't be a JWT on client and server.

Actual behavior

After logging out I still have the JWT on the server side.

Module versions (especially the part that's not working):
"@feathersjs/authentication-client": "^1.0.1",
"@feathersjs/feathers": "^3.0.2",
"@feathersjs/rest-client": "^1.3.2",
"@feathersjs/socketio-client": "^1.0.1",

NodeJS version:
8.9.1

Author

sarkistlt commented Dec 29, 2017

Actually the problem was that even if I'm passing client.authenticate({ accessToken: undefined, strategy: 'jwt' }) it gets authorized for some reason. Quick workaround:

const accessToken = ctx && ctx.isServer ? ctx.req.universalCookies.get('feathers-jwt') : client.cookie.get('feathers-jwt');

  return new Promise((resolve, reject) => {
    if (accessToken) {
      login({ accessToken, strategy: 'jwt' })(dispatch)
        .then(resolve)
        .catch(reject);
    } else {
      reject(new Error('not authorized'));
    }
  });

But still, it's not correct behavior: how can it get authorized without passing a JWT or having it in a cookie?

paulrostorp commented Jan 13, 2018

I am getting a similar problem working with NUXT and feathers 3.
USER A logs in
USER B logs in (different client)
USER A refreshes page, logged in as user B ?!
Have not been able to get to the bottom of this but it definitely is a problematic behavior...

Member

daffl commented Jan 22, 2018

There is now a recipe showing how to use Feathers authentication with Express middleware (including server side rendering) at https://docs.feathersjs.com/guides/auth/recipe.express-middleware.html
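
The symptom reported in this thread (a request without a JWT is still authorized, or one user is rendered as another) is what happens when a server-side renderer shares one stateful auth client across all requests. The sketch below is an added example, not code from the thread or from the Feathers project: `AuthClient`, `tokenFromRequest`, `renderShared`, `renderPerRequest` and the `jwt:<user>` token format are hypothetical stand-ins, and that a shared client is the cause here is an assumption.

```javascript
// Simplified model of an auth client that remembers the last token it used.
// Hypothetical class, not the @feathersjs/authentication-client API.
class AuthClient {
  constructor() { this.storedToken = null; }
  authenticate({ accessToken } = {}) {
    // Falls back to the remembered token when the caller passes none.
    const token = accessToken || this.storedToken;
    if (!token) throw new Error('not authorized');
    this.storedToken = token;
    return { user: token.split(':')[1] }; // constructed token format "jwt:<user>"
  }
}

// Read the 'feathers-jwt' cookie from this request only.
function tokenFromRequest(req) {
  const m = /(?:^|;\s*)feathers-jwt=([^;]+)/.exec(req.headers.cookie || '');
  return m ? decodeURIComponent(m[1]) : undefined;
}

// Unsafe: one client at module scope, reused for every SSR request.
const sharedClient = new AuthClient();
function renderShared(req) {
  try {
    return sharedClient.authenticate({ accessToken: tokenFromRequest(req) }).user;
  } catch (e) { return null; }
}

// Safer: a fresh client per request, and no authentication attempt at all
// unless this request carried its own token.
function renderPerRequest(req) {
  const accessToken = tokenFromRequest(req);
  if (!accessToken) return null;
  try {
    return new AuthClient().authenticate({ accessToken }).user;
  } catch (e) { return null; }
}

// Constructed requests: user B logged in, then a visitor with no cookie
// (for example user A after logging out).
function demo() {
  const userB = { headers: { cookie: 'feathers-jwt=jwt%3AuserB' } };
  const noCookie = { headers: {} };
  return {
    shared: [renderShared(userB), renderShared(noCookie)],
    perRequest: [renderPerRequest(userB), renderPerRequest(noCookie)],
  };
}
console.log(JSON.stringify(demo()));
```

With the shared client, the cookie-less request is rendered as `userB`; with a per-request client and the explicit token check it is rendered as unauthenticated.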
