express-openid-connect | js middleware to protect OpenID Connect web applications | Authentication library
kandi X-RAY | express-openid-connect Summary
Auth0 helps you to easily:.
Top functions reviewed by kandi - BETA
- Generate IdToken options
- Updates the session cookies
- Refresh token with new token
- Get token set
- Route middleware
- Attach a session to a session object
- Validates the given value
- Calculates the impact of a move
- Clear a cookie
- Decode encoded value
Community Discussions
Trending Discussions on express-openid-connect
QUESTION
I'm getting the following error when I try to import mongoose with TypeScript
...
ANSWER
Answered 2022-Feb-01 at 18:35
Found the solution. There seems to be a bug here with NPM. Deleting both node_modules AND package-lock.json and then doing npm install fixes the issue. Deleting node_modules on its own doesn't fix it.
QUESTION
These are my scripts
...
ANSWER
Answered 2022-Jan-20 at 12:26
If you don't have a Procfile, Heroku will run your start script as a web process.
Your start script runs your build script, and your build script compiles your app using tsc:
QUESTION
I’m working on a full-stack NestJS application, integrating with Auth0 using the express-openid-connect library. I’m using Cypress for e2e tests, and I’m trying to find a way of testing my login using Cypress.
I found this article - https://auth0.com/blog/end-to-end-testing-with-cypress-and-auth0/, but it seems to be very much tied to a React application. I’m calling the /oauth/token API endpoint, and I get a response, but I’m unsure how to build out my callback URL to log me in to the application. Here’s what I have so far:
...
ANSWER
Answered 2021-Nov-30 at 10:43
I ended up sorting this out by using Puppeteer to handle my login, stopping at the point of redirection to the callback URL and returning the cookies and callback URL to Cypress, as detailed in this article:
https://sandrino.dev/blog/writing-cypress-e2e-tests-with-auth0
Things have changed a bit since then, and with the introduction of Cypress's experimentalSessionSupport it's a bit simpler. I ended up whittling the solution down to having the following in my Cypress setup:
QUESTION
I have a route in my web app where I'm trying to pass a username via route param. Here's my script.js attached to my index.html:
ANSWER
Answered 2021-Nov-23 at 02:37
According to https://docs.angularjs.org/api/ng/service/$http
params – {Object.} – Map of strings or objects which will be serialized with the paramSerializer and appended as GET parameters.
That means your url now becomes:
QUESTION
I am trying to send an ejs templated file as a response to a HTTP request; the html and css renders but the Javascript does not respond. The Javascript sources are linked in the head of the ejs response but the functions aren't called when the page is actually displayed.
app.js
...
ANSWER
Answered 2021-Sep-19 at 22:33
The problem is because you called your middleware function requiresAuth with empty arguments, which means your middleware will not call next() to pass control to the next function that renders your ejs template. Try to call your middleware without ()
QUESTION
I am trying to create a blogsite to which I have set up my authentication using auth0 and express as my backend. For the client side I am using react. To know about the info about the logged in user I need to send req.oidc.fetchUserInfo() object via the API.
By some research I have gotten to this point:
...
ANSWER
Answered 2021-Jul-11 at 09:24
You need to specify what scopes (like "openid email profile...") you want to have access to and in your code I don't see that. If you don't ask for any access, then you won't get any access tokens.
See the code example here
QUESTION
I tried auth0 and I face a problem where I can't block or force logout a user.
After I blocked a user from the auth0 console, the user who was logged in could still access the routes.
I used express-openid-connect middleware and requiresAuth()
I suppose this is a common problem with JWT based services? And should I implement a stateful session to manage users for these kinds of use cases?
...
ANSWER
Answered 2021-Jun-26 at 13:00
In JWT based services it’s common practice to make the access token lifetime a short one, e.g. 10-15 minutes. That way user can still access the api inside a short window but soon the token needs to be refreshed. And when token refresh takes place the authentication service gets called and can reject granting a new token.
So you can make sure your access token lifetime is short enough and that should be enough to satisfy the security requirements.
It’s of course technically possible that you implement stateful session to check user info on each request but you should not call Auth0 api in this case cause you are going to hit their rate limiter and it slows down your api requests. Some sort of sync to your server side fast read database/cache would be needed.
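The stateful check mentioned in this answer, sketched as an added example (not code from the answer, express-openid-connect or Auth0): an Express-style middleware that consults a locally synced denylist instead of calling the identity provider on each request. The names createBlockedUserGuard, load and runGuard are hypothetical, the sync job that feeds load() from your own database is assumed, and failing closed on a stale list is a design choice made here.

```javascript
// Added example, not code from express-openid-connect or Auth0.
function createBlockedUserGuard({ maxAgeMs = 60000, now = Date.now } = {}) {
  let blocked = new Set();
  let loadedAt = null; // null until the first sync

  // Replace the local denylist. Call this from a timer that reads blocked
  // user ids from your own database or cache (assumed to exist).
  function load(subs) {
    blocked = new Set(subs);
    loadedAt = now();
  }

  // Express-style middleware, mounted after auth() / requiresAuth().
  function guard(req, res, next) {
    const sub = req.oidc && req.oidc.user && req.oidc.user.sub;
    if (!sub) return res.status(401).send('Not authenticated');
    // Fail closed when the denylist was never loaded or is too old.
    if (loadedAt === null || now() - loadedAt > maxAgeMs) {
      return res.status(503).send('Authorization data unavailable');
    }
    if (blocked.has(sub)) return res.status(403).send('Account blocked');
    return next();
  }
  return { guard, load };
}

// Drive the middleware with a constructed request; returns 'next' or the status.
function runGuard(guard, sub) {
  let outcome = 'next';
  const res = {
    status(code) { outcome = code; return this; },
    send() { return this; },
  };
  guard({ oidc: { user: sub ? { sub } : undefined } }, res, () => {});
  return outcome;
}

// Constructed scenario: a user is blocked while their session is still valid.
function demo() {
  let clock = 0;
  const { guard, load } = createBlockedUserGuard({ maxAgeMs: 60000, now: () => clock });
  const results = [runGuard(guard, 'auth0|alice')]; // nothing loaded yet
  load([]);
  results.push(runGuard(guard, 'auth0|alice'));
  load(['auth0|alice']); // the sync picks up the block
  results.push(runGuard(guard, 'auth0|alice'), runGuard(guard, 'auth0|bob'));
  clock = 120000; // the sync job has stopped; the list is now stale
  results.push(runGuard(guard, 'auth0|bob'));
  return results;
}
console.log(demo());
```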
QUESTION
I am using Expressjs and the Auth0 API for authentication and ReactJs for client side.
Because of the limitations of the Auth0 API (spoke with their team) I am sending updated user details to my backend and then using app.set() to be able to use the req.body in another route.
I need to call the app.patch() route automatically after the app.post() route has been hit.
The end goal is that the users data will be updated and shown client side.
ANSWER
Answered 2021-May-28 at 00:30
I'd suggest you just take the code from inside of app.patch() and make it into a reusable function. Then it can be called from either the app.patch() route directly or from your other route that wants to do the same functionality. Just decide what interface for that function will work for both, make it a separate function and then you can call it from both places.
For some reason (which I don't really understand, but seems to happen to lots of people), people forget that the code inside of routes can also be put into functions and shared just like any other Javascript code. I guess people seem to think of a route as a fixed unit by itself and forget that it can still be broken down into components and those components shared with other code.
Warning. On another point. This comment of yours sounds very wrong:
and then using app.set() to be able to use the req.body in another route
req.body belongs to one particular user. app.set() is global to your server (all users' requests access it). So, you're trying to store temporary state for one single user in essentially a global. That means that multiple users' requests that happen to be in the process of doing something similar will trounce/overwrite each other's data. Or worse, one user's data will accidentally become some other user's data. You cannot program a multi-user server this way at all.
The usual way around this is to either 1) redesign the process so you don't have to save state on the server (stateless operations are generally better, if possible) or 2) Use a user-specific session (like with express-session) and save the temporary state in the user's session. Then, it is saved separately for each user and one user's state won't overwrite another's.
If this usage of app.set() was to solve the original problem of executing a .patch() route, then the problem is solved by just calling a shared function and passing the req.body data directly to that shared function. Then, you don't have to stuff it away somewhere so a later route can use it. You just execute the functionality you want and pass it the desired data.
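The cross-user overwrite described in this answer, as an added example that is not part of the original post: the routes are modelled as plain functions so it runs without Express, and appSettings, sessions, profiles and all route names are hypothetical stand-ins. It compares the global app.set() pattern with the two fixes the answer names, under a constructed interleaving of two users' requests.

```javascript
// Added example: routes are modelled as plain functions so it runs without Express.
const appSettings = new Map(); // stands in for the server-wide app.set()/app.get() store
const sessions = new Map();    // stands in for per-user session storage (e.g. express-session)
const profiles = new Map();    // constructed user database: userId -> profile

// Question's pattern: POST stashes req.body globally, a later PATCH reads it back.
const globalRoutes = {
  post(req) { appSettings.set('pendingUpdate', req.body); },
  patch(req) { profiles.set(req.userId, appSettings.get('pendingUpdate')); },
};

// Answer's option 2: keep the temporary state in the caller's own session.
const sessionRoutes = {
  post(req) { sessions.set(req.sessionId, { pendingUpdate: req.body }); },
  patch(req) {
    const state = sessions.get(req.sessionId);
    if (state) profiles.set(req.userId, state.pendingUpdate);
  },
};

// Answer's main suggestion: one shared function, called with the data directly.
function updateProfile(userId, body) { profiles.set(userId, body); }
const sharedRoutes = {
  post(req) { updateProfile(req.userId, req.body); },
  patch(req) { updateProfile(req.userId, req.body); },
};

// Constructed interleaving: Bob's POST lands between Alice's POST and PATCH.
function emailStoredForAlice(routes) {
  appSettings.clear(); sessions.clear(); profiles.clear();
  const alice = { userId: 'alice', sessionId: 's-a', body: { email: 'alice@example.test' } };
  const bob = { userId: 'bob', sessionId: 's-b', body: { email: 'bob@example.test' } };
  routes.post(alice);
  routes.post(bob);
  routes.patch(alice);
  return profiles.get('alice').email;
}

console.log('global :', emailStoredForAlice(globalRoutes));  // Bob's data on Alice's profile
console.log('session:', emailStoredForAlice(sessionRoutes));
console.log('shared :', emailStoredForAlice(sharedRoutes));
```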
Community Discussions, Code Snippets contain sources that include Stack Exchange Network
Vulnerabilities
No vulnerabilities reported
Install express-openid-connect
Follow our Secure Local Development guide to ensure that applications using this library are running over secure channels (HTTPS URLs). Applications using this library without HTTPS may experience "invalid state" errors.