When a user logs in, i send back a HttpOnly cookie in the response.
However when i try to read the cookies when i make a subsequent call to the API, there is nothing
Here is how i made the cookie:
var signOptions = {
expiresIn: '30d',
algorithm: 'RS256'
}
var CurrentDate = new Date()
CurrentDate.setMonth(CurrentDate.getMonth() + 1)
var cookieOptions = {
httpOnly: true,
expires: CurrentDate
}
const token = jwt.sign({ _id: user._id },
fs.readFileSync(path.resolve('routes/keys/private.key'), 'utf8'),
signOptions)
res.status(200).cookie('stickyAccessJwt', token, cookieOptions).send('well done')
Route ('/test'):
const express = require('express')
const router = express.Router()
const { CheckAuthorisation } = require('./middleware/checkAuthorisation')
router.get('/', CheckAuthorisation, async (req, res) => {
res.send(':)')
})
module.exports = router
Middleware (the 401 is reached here):
let checkAuthorisation = (req, res, next) => {
var userJWT = req.cookies.stickyAccessJwt
if (!userJWT) {
res.status(401).send('Invalid or missing authorization token')
} else {
// 2. There's a token; see if it is a valid one and retrieve the payload
var verifyOptions = {
expiresIn: '30d',
algorithm: ['RS256']
}
const userJWTPayload = jwt.verify(
userJWT,
fs.readFileSync(path.resolve('routes/keys/private.key'), 'utf8'),
verifyOptions)
if (!userJWTPayload) {
// Kill the token since it is invalid
res.clearCookie('stickyAccessJwt')
res.status(401).send('Kill the token since it is invalid')
} else {
// 3. There's a valid token...see if it is one we have in the db as a logged-in user
User.findOne({ '_id': userJWTPayload._id })
.then(function (user) {
if (!user) {
res.status(401).send('User not currently logged in')
} else {
console.log('Valid user:', user.email)
next()
}
})
}
}
}
Here is my index.js
const Joi = require('joi')
Joi.objectId = require('joi-objectid')(Joi)
const bodyParser = require('body-parser')
const cors = require('cors')
const cookieParser = require('cookie-parser')
const mongoose = require('mongoose')
const express = require('express')
const app = express()
const register = require('./routes/register')
const login = require('./routes/login')
const test = require('./routes/test')
mongoose.connect('mongodb://localhost/stickywall', { useNewUrlParser: true })
.then(() => console.log('Now connected to MongoDB!'))
.catch(err => console.error('Something went wrong', err))
mongoose.set('useCreateIndex', true)
app.use(cors())
app.use(cookieParser())
app.use(express.json())
app.use(bodyParser.json())
app.use(bodyParser.urlencoded({ extended: true }))
app.use('/register', register)
app.use('/login', login)
app.use('/test', test)
const port = process.env.PORT || 4000
app.listen(port, () => console.log(`Listening on port ${port}...`))
I do not understand why req.cookies is empty, is there something i am missing?
When a user logs in, i send back a HttpOnly cookie in the response.
However when i try to read the cookies when i make a subsequent call to the API, there is nothing
Here is how i made the cookie:
var signOptions = {
expiresIn: '30d',
algorithm: 'RS256'
}
var CurrentDate = new Date()
CurrentDate.setMonth(CurrentDate.getMonth() + 1)
var cookieOptions = {
httpOnly: true,
expires: CurrentDate
}
const token = jwt.sign({ _id: user._id },
fs.readFileSync(path.resolve('routes/keys/private.key'), 'utf8'),
signOptions)
res.status(200).cookie('stickyAccessJwt', token, cookieOptions).send('well done')
Route ('/test'):
const express = require('express')
const router = express.Router()
const { CheckAuthorisation } = require('./middleware/checkAuthorisation')
router.get('/', CheckAuthorisation, async (req, res) => {
res.send(':)')
})
module.exports = router
Middleware (the 401 is reached here):
let checkAuthorisation = (req, res, next) => {
var userJWT = req.cookies.stickyAccessJwt
if (!userJWT) {
res.status(401).send('Invalid or missing authorization token')
} else {
// 2. There's a token; see if it is a valid one and retrieve the payload
var verifyOptions = {
expiresIn: '30d',
algorithm: ['RS256']
}
const userJWTPayload = jwt.verify(
userJWT,
fs.readFileSync(path.resolve('routes/keys/private.key'), 'utf8'),
verifyOptions)
if (!userJWTPayload) {
// Kill the token since it is invalid
res.clearCookie('stickyAccessJwt')
res.status(401).send('Kill the token since it is invalid')
} else {
// 3. There's a valid token...see if it is one we have in the db as a logged-in user
User.findOne({ '_id': userJWTPayload._id })
.then(function (user) {
if (!user) {
res.status(401).send('User not currently logged in')
} else {
console.log('Valid user:', user.email)
next()
}
})
}
}
}
Here is my index.js
const Joi = require('joi')
Joi.objectId = require('joi-objectid')(Joi)
const bodyParser = require('body-parser')
const cors = require('cors')
const cookieParser = require('cookie-parser')
const mongoose = require('mongoose')
const express = require('express')
const app = express()
const register = require('./routes/register')
const login = require('./routes/login')
const test = require('./routes/test')
mongoose.connect('mongodb://localhost/stickywall', { useNewUrlParser: true })
.then(() => console.log('Now connected to MongoDB!'))
.catch(err => console.error('Something went wrong', err))
mongoose.set('useCreateIndex', true)
app.use(cors())
app.use(cookieParser())
app.use(express.json())
app.use(bodyParser.json())
app.use(bodyParser.urlencoded({ extended: true }))
app.use('/register', register)
app.use('/login', login)
app.use('/test', test)
const port = process.env.PORT || 4000
app.listen(port, () => console.log(`Listening on port ${port}...`))
I do not understand why req.cookies is empty, is there something i am missing?
- Why not upload images of code on SO when asking a question? – str Commented Mar 12, 2019 at 19:38
- @James please forgive me – srysry Commented Mar 12, 2019 at 20:15
- @srysry Can u show the piece of code which actually sets the cookie – Anand Undavia Commented Mar 13, 2019 at 9:31
- @AnandUndavia added now :) – srysry Commented Mar 13, 2019 at 20:02
- did you find how to do it? – user12163165 Commented Jul 10, 2021 at 20:14
2 Answers
Reset to default 8 res.cookie([`JWT_TOKEN=Bearer ${token}; secure; httponly;
samesite=Strict;`,])
- The first thing is to install the cookie-parser library, which is a middleware, so Express somehow can manage cookies:
npm install cookie-parser
Then go where you configure your Express application and add the cookie-parser library as a middleware
const express = require('express'); const cookieParser = require('cookie-parser'); app.use(cookieParser());```Now our Express application can do all of the cookie parsing stuff for us!
req.cookies.JWT_TOKENIn the front if you use axios you must always set in the configuration "withCredentials: true,"
const config = {
headers: {
'Content-Type': 'application/json',
},
withCredentials: true
};
axios
.post(
'http://localhost:3008/api/auth/login',
{
username: target.username.value,
password: target.password.value,
},
config
)
.then((data) => JSON.stringify(data, null, 2))
.then((result) => console.log(result))
.catch((err) => console.log('[Control Error ]', err))
}
!!! HTTP cookies are sent automatically in all requests to the server. THE END
const token = req.body.token ||
req.query.token ||
req.headers['x-access-token'] ||
req.cookies.token;
if (!token) {
res.sendStatus(401)
}