Support for Express 4? #222
Comments
|
I upgraded my application today today and ran into problems with Passport. |
|
Ah, it seems Passport works fine with Express 4. I was having trouble with my session library ( So yes, I am successfully using Passport with Express 4. Just had to update my session module. |
|
great! I'll close this. Thanks @tbeseda |
|
I have problem, i think the serializeUser not called after LocalStrategy. Response always Unauthorized, and the next function not called. I try to print something on the serializeUser and not show anything. Here is my session log. Yap, the passport object is empty. |
|
any progress on this? i am having the same problem with passport-twitter. passport object is empty |
|
I'm finding passport and Express 4 to be devilish together.Even if my authorization are going through req.user is not being set at all. Something is weird. |
|
Agree. I'm using connect-mongostore 0.1.0 for session middleware, and logging in with Passport works fine, but logging out does not clear the passport object from the session store, leaving the user still logged in. In my opinion this issue should not have been closed without more proof the module isn't broken. |
|
I'm not sure its passport, I think there is a problem with express-session and cookies, passport is just a common user of those. |
|
I use: And have the same problem. passport
.serializeUser(function (user, done) {
console.log('1111111111111111111111111111111111100');
done(null, user.id);
});String |
|
Passport gets the blame because it is relatively complex and has dependencies on other middleware. Passport is actually working good but I have found other middleware in the mix is messing up cookies/sessions and therefore affecting Passport as well. I would suggest cutting out other middleware till you find your problem. Some of the other middleware is not ready for Express 4 and its problems are showing through things like Passport. |
|
Wow, all works for me now!! I had: .post('/auth/', function (req, res, next) {
passport.authenticate('local', function (err, user) {
if (err) {
/* something */
}
res.json({ state: req.isAuthenticated() });
})(req, res, next);
})it didn't work. State was false. .post('/auth/', passport.authenticate('local', {
successRedirect: '/',
failureRedirect: '/login',
failureFlash : true
}))And it works! .post('/auth/', function (req, res, next) {
passport.authenticate('local', function (err, user) {
if (err) {
/* something */
}
if (user) {
req.logIn(user, function (err) {
/* something */
});
}
res.json({ state: req.isAuthenticated() });
})(req, res, next);
})return true. |
|
I can confirm that |
|
Holllleeee CRAP! That is exactly the issue! I am using Express 4 (latest) and Express-session (latest) and that is exactly what is happening!!!! I removed the secret and it works... obviously a bug. I am using connect-mongo to store the sessions in a mongo db. So is the issue with express-session or connect-mongo? I looked around and it doesn't seem to be noted in the express-session issue log. |
FYI |
|
Hi everyone, please try version 1.5.0 of |
|
I'm using {
"_id": "vGJkgpLo_ZZIL6tPP0y3VMNI-wQLkaJK",
"session": "{\"cookie\":{\"originalMaxAge\":null,\"expires\":null,\"httpOnly\":true,\"path\":\"\/\"},\"passport\":{}}",
"expires": ISODate("2014-07-04T08:24:24.465Z")
}EDIT: Found the solution, I had my own bug in |
Awesome. Anyone else care to try it out as well :)? |
|
Doug: I will this evening - thanks for the quick turnaround. Question: I am currently using a different secret with cookie-parser and express-session. Should they be the same? Should I not be using signed cookies if I have a session secret? Basically want to confirm this is OK: |
|
@dstroot they had to be the same before, but as of 1.5.0 it should no longer relay on that strange behavior and the secret you give to session will actually be the secret it will use when reading the cookies from the request. |
|
TL;DR express-session prior to 1.5.0 basically used the secret you gave to cookie-parser when reading cookies, and it's own secret when writing cookies, which if you gave them different secrets, it could never read the cookies back. When you removed the secret argument to express-session, it actually internally used the secret to cookie-parser for both reading and writing, which is why it suddenly started working when you did that. express-session 1.5.0+ no longer even requires you to use cookie-parser, as it will parse and set the cookies itself, thus eliminating this confusing inter-dependence. |
|
This is awesome - 1.5 works great for me without needing cookie-parser anymore! Whoohoo one less dependency. ;) Doug - you rock! |
|
I had this problem. The fix was to add the express-session secret into the cookie parser. problem solved. So the code should be something like the below: app.use(cookieParser('foo')); notice the cookie parser contains the session secret. |
|
If you are using express-session >v1.5 you no longer need cookie parser at all |
|
i get the same problem when i using express-session 1.6.1 and connect-mongo 0.4.1. it create new session in store for every request. it works fine with cookie-session. but cookie-session not support store. |
|
Someone should probably update http://passportjs.org/guide/configure/ ... |
|
@elendirx I think I might have a bug in deserializeUser. Could you show me yours, please? |
|
Thx dougwilson now it works without cookieParser. Don't forget to type in username and password in the browser even if you haven't setup a password check. |
|
Just to add my 2¢. The same apparent issue is also triggered by specific browser security settings. For example, if you or your users have selected the 'Allow from current website only' option for cookies in Safari (OS X or iOS 8) new sessions will be created for each of the requests required to complete the authentication. This is not an issue when using the LocalStrategy, but will cause anon -> auth -> anon when using an OAuth2 provider. This echo what people above have said they've seen (initial authenticated session before a redirect). |
|
Anyone find a solution yet? I appear to be having the same problem that deserialization never gets called...req.user is not defined and regardless of what I do with sessions it comes up empty. Although I can see what appears to be previous session store data, just not current...because its awesome like that. I am probably taking a different approach than most as this is really part of a .net mvc app and I really do not even need session support. It is fairly frustrating to hand passport a user object and not be able to get it back...its like...I gave you this object, I just want it back |
|
Doubt this will help anyone that has the requirement of sessions, but I did manage to get some code working to at least persist and send my user in a response. This code is what I am using for my FacebookStrategy callback By handling the req, res manually and then calling passport.authenticate inside of my middleware...I am able to handle the request outside of the library. I wanted to post this here in case anyone had a similar issue with express 4 using passport as a 'potential' workaround. |
|
I'm still having this problem with express v4.10.6 and express-session v1.9.3... Update: False alarm, I was writing tests and realized I wasn't persisting the session... I resolved the problem with the |
|
I initially had trouble with Express 4 working with Passport, and it was due to a bonehead dumb mistake. Want to post here in case anyone else experiences a similar issue. Your session setup must be before passport.initialize() and passport.session() e.g.: app.use(session({
secret: 'brucespringsteinmegaboss',
resave: false,
saveUninitialized: true
}));
app.use(passport.initialize());
app.use(passport.session());Lost a few hours to this one, hopefully this helps someone else ;) |
|
@zachcowell thanks for that. I wasn't using passport.session() in express 3 and I'm not sure why, but that line was the missing piece. |
|
I'm not sure if anybody is still having issues with this but I'm having problems. req.session.passport and req.user are always empty and neither serializeUser nor deseiralizeUser aren't being called. I'm using the latest express 4.11.2, express-session 1.10.2, body-parser 1.11.0, passport 0.2.1 and passport-local 1.0.0 with mysql as a backend. Authentication strategies: How I use a strategy in an express route: Everything works fine except the serializeUser and deserializeUser that aren't being called. I can even manually set a value in a session inside a strategy but I don't want to do that. I want passport to handle sessions. |
|
@nemanjavuk it's likely you either are missing middleware or have it in the wrong order.. Here's mine: Compare with yours? |
|
@framerate As far as I can see the only difference is that you use bodyParser after the express and passport sessions but I do it before. I tried with your approach but it doesn't work either way. |
|
@nemanjavuk Did you ever find a solution? I'm having precisely the same problem. Neither |
|
@darth-cheney As a matter of fact I have. I was missing to call req.login() in my custom callback which in fact calls serializeUser: app.post('/login', function (req, res, next) {
passport.authenticate('local-login', function (err, user, info) {
if (err) {
mysend(res, 500, 'Ups. Something broke!');
} else if (info) {
mysend(res, 401, 'unauthorized');
} else {
req.login(user, function(err) {
if (err) {
mysend(res, 500, 'Ups.');
} else {
mysend(res, 200, JSON.stringify(user));
}
}
}
})(req, res, next);
});Hope it helps |
|
Noting that I too had many of these problems; my issue was that I was using MemoryStore. I switched to connect-redis RedisStore /w redis-url and they all went away. :) In many of the examples above it seems like people are using MemoryStore as well (no |
|
I had the same issue with my serializeUser and deserializeUser functions never being called. My educated guess is that passport.authenticate('local') was causing the glitch in my middleware, because everything worked after I replaced that with a custom function as follows: Instead of: I used: }; |
|
@Shershnev-AV thank you SOOOOO much for your answer, that is correct. I had the common problem that my serializeUser and deserializeUser callbacks were not being fired. It was because I was using the less common scenario that Shershnev-AV described |
|
@larissaleite and @nemanjavuk ------> @Shershnev-AV 's answer above might solve your problem as I had the same problem as you |
@ORESoftware Hopefully you find it good enough for the price I charge for the software. You are welcome to contribute the effort by writing new or expanding existing documentation. |
|
@ORESoftware @jaredhanson Jared, thank you for your fantastic efforts with Passport and thank you for continuously going through the issue list and never abandon this module. |
|
Here, here. Passport is epic.
|
|
I generated my project with the Yeoman fullstack generator and didn't know how to apply @Shershnev-AV 's fix. However, @Awk34 has a nice solution here: https://github.com/Awk34/aksite. |
|
In my case, app.use(bodyParser.urlencoded({
extended: true
}));
app.use(bodyParser.json({
extended: true
}));
app.use(session({
store: new SequelizeStore({
db: sequelize
}),
secret: SESSION_SECRET,
resave: false,
saveUninitialized: false,
cookie: {
maxAge: 30 * 24 * 60 * 60 * 1000,
}
}));
app.use(passport.initialize());
app.use(passport.session());
passport.use(User.createStrategy()); // sequelize-passport-local
passport.serializeUser(User.serializeUser()); // sequelize-passport-local
passport.deserializeUser(User.deserializeUser()); // sequelize-passport-local
passport.deserializeUser(function(id, done) {
console.log("DESERIALIZE");
console.log(id);
});
app.post('/login', (req, res, next) => {
passport.authenticate('local', (err, user, info) => {
if (err) {
return next(err);
}
if (! user) {
return res.json({ error: info.message }); // Don't want 401 here
}
req.logIn(user, function(err){
if(err){
return next(err);
}
let {id, name, email, picture } = user;
res.json({id, name, email, picture });
return next();
});
})(req, res, next);
});
|
|
@khrykin Did you ever find out what the cause of your issue was? I am encountering the same issue (working on safari but not chrome), and have tried the above solutions as well, to no avail :( I do not think |
|
@choonkending Yes, I did, my apologies for not posting it here. I used fetch to make login request and without setting |
|
@khrykin Legend! This kept me up several nights. Thanks mate. |
|
@nemanjavuk You are a legend! I have been going round in circles for almost a week now! Thanks for the tip about calling req.login, though I am not sure why I had to do it and why passport-local-mongoose wasn't doing it by itself. I'll continue with that research (its probably a pbkac error ;-)...), but for now, my sessions have the user associated woo hoo!!! Thank you! |
|
I had the same problem as mentioned, deserializeUser is never called. But I found that findById is a Promise and will never be resolved... So if you have the same problem as me using findById, use the following code instead: |
|
@khrykin I just spent a good 5 hours trying to figure this out. Thank you! |
|
passport.deserializeUser((id, done) => { @BenTsai85 u can set it and try |
|
@zachcowell thank you for sharing this, I was getting issues with Passport returning Bad Request with no helpful errors logs, your post shed light into the cookie: { secure: true } setting that I had, which was causing the issue |
and others
Has anybody had any success using passport with Express 4?
The text was updated successfully, but these errors were encountered: