server-side login (replacing parse-express-cookie-session)

[mchun]

My app was relying on 'parse-express-cookie-session' offered by Parse to do server-side login, i.e.:

  app.post('/login', function(req, res) {
    Parse.User.logIn(req.body.username, req.body.password).then(function(user) {
      res.redirect('/');
    }, function(error) {
      res.render('login', { flash: error.message });
    });
  });

  app.post('/logout', function(req, res) {
    Parse.User.logOut();
    res.redirect('/');
  });

I used Parse.User.Current() to check if the user is logged in on server-side.

Now, I replaced the 'parse-express-cookie-session' by 'express-session'. And do the login/logout in this way:

  app.post('/login', function(req, res) {
    Parse.User.logIn(req.body.username, req.body.password).then(function(user) {
      req.session.user=user;
      res.redirect('/');
    }, function(error) {
      res.render('login', { flash: error.message });
    });
  });

  app.post('/logout', function(req, res) {
    req.session.user = null;
    res.redirect('/');
  });

I then see if the user is logged in by checking req.session.user = null . But I cannot access it inside cloudcode.
Perhaps this is not a right way to do(?) as it is recommended to use req.user, but I have no idea how to make it work, req.user is always null. Any help from you guys?
It would be great to even have a small sample app offered by Parse showing simple server-side login like Anyimg as there should be similar cases around like me.

[mchun]

or server-side login is no longer possible?

[simonbengtsson]

What I did was to manually add the features of the parse-express-cookie-session. Below is one way of doing it. However I would change some things such as using Parse.Cloud.httpRequest instead of Parse._request and using secure cookies before going into production. An even better way would be to use jwt so that you don't have to send a login request on each page load. Would love to see an implementation of that.

// Login adds the sessionToken in a cookie
app.post('/login', function(req, res) {
    Parse.User.logIn(req.body.username, req.body.password).then(function(user) {
        var val = JSON.stringify({sessionToken: user.getSessionToken()});
        var opts = {path: '/', httpOnly: true};
        res.cookie('parse.session', val, opts);
        res.redirect('/');
    }).then(null, function(error) {
        res.clearCookie('parse.session');
        res.render('pages/login', { flash: error.message });
    });
});

 // Middleware adding current user to `req.user` or redirecting to login if not logged in
app.use(function (req, res, next) {
    var cookie = null;
    new Parse.Promise.as().then(function() {
        cookie = JSON.parse(req.cookies['parse.session']);
        return Parse._request('GET', 'users/me', {}, {sessionToken: cookie.sessionToken});
    }).then(function (userData) {
        userData.sessionToken = cookie.sessionToken;
        req.user = Parse.Object.fromJSON(userData);
        next();
    }).then(null, function () {
        res.clearCookie('parse.session');
        return res.redirect('/login');
    });
});

[mchun]

I see how you reconstruct the res.user, but in that case, the request.user still seems to be null in cloudcode afterSave trigger function.

Parse.Cloud.afterSave("Comment", function(request) {
   ...
};

I can get the userid by using request.object.get('createdBy').id inside the trigger function, but I guess its better to stick with request.user as these functions are shared across different clients. Any suggestions from Parse team?

[simonbengtsson]

That is a separate issue as parse server is supposed to set the user in that case. Try updating to 2.1.1 as some related fixes was applied in #373. Also make sure you are not making the request with the master key and that you are using a valid session token. You won't get any warnings/errors if the session token is invalid.

[mchun]

I tried your code and created a post request using $.post with request cookie : parse.session=%7B%22sessionToken%22%3A%22r%3A9f8ff4a551392d021759e81c58a3a8f8%22%7D

But the request.user is still undefined in aftersave trigger function. *I'm already using 2.1.1 parse-server

{ triggerName: 'afterSave',
  object: ParseObjectSubclass { className: 'Comment', _objCount: 152, id: 'sSGLWMDJRe' },
  master: false }

[simonbengtsson]

The code I posted above is a way to replace the parse-express-cookie-session middleware and will only work with your server side code, i.e. your expressjs routes.

For your cloud code (cloud functions, afterSave, beforeSave etc) you need to make the request with the header X-Parse-Session-Token to get the req.user object. When you said $.post I assume you are using jQuery? Is it a reason you are not using the parse js sdk? Anyway, the request using jQuery and the rest api would look something like this:

$.post({
    url: 'http://localhost:1337/parse/classes/Comment',
    data: JSON.stringify({text: "New comment"}),
    headers: {
        'X-Parse-Application-Id': 'appId',
        'X-Parse-Session-Token': 'r:2bc226c69d8f23b6c4ed906d79a129d3',
        'Content-Type': 'application/json'
    }
});

and with the parse js sdk:

var comment = new Parse.Object('Comment');
comment.set('text', 'New comment');
comment.save(null, {sessionToken: "r:2bc226c69d8f23b6c4ed906d79a129d3");

[mchun]

Hi Simon, thanks very much for your help. Yes, I am using jQuery on client side to minimize the dependency upon Parse JS SDK, but I am not using the rest api directly, i.e.

app.post('/c', requireUser, function(req, res){
var comment = new Comment();
comment.set("comment",req.body.comment);
var post = new Post();
post.id = req.body.postID;
comment.set("post",post);
comment.set("createdBy",req.user);
comment.save(null,{sessionToken:req.user.get('sessionToken')}).then(function(comment){
res.json({comment:comment, parseUser: req.user});
}, function(error){
console.log(error);
res.json({error:error})
});
});

I have just added null,{sessionToken:req.user.get('sessionToken')} inside comment.save as above. It is now able to detect req.user inside trigger functions! Thanks to your answer!

[simonbengtsson]

Glad to hear you solved it. What do you think of changing the title of this issue to Server-side login (replacing parse-express-cookie-session)? You should probably also close the issue.

[drew-gross]

Thanks for helping @simonbengtsson!

[mchun]

But what's the problem of using Parse._request instead of Parse.Cloud.httpRequest in production? I am facing difficulties to convert Parse._request to Parse.Cloud.httpRequest...

[simonbengtsson]

Parse._request is not documented and might potensially be removed in a futute update to the sdk. Post here if you manage to do it, otherwise I will translate it at some point and update the answer.

[mchun]

Seems Parse.Cloud.httpRequest can only be executed inside cloudcode?
Otherwise, it always returns
[TypeError: Cannot read property 'statusCode' of undefined]
I also tried Parse.User.become(sessionToken) but with no success.

[simonbengtsson]

Parse.Cloud.httpRequest should be available everywhere. What code are you using? Parse.User.become() is disabled for nodejs environments.