express-sessions | ExpressJS MongoDB/Redis Session Storage | Runtime Evironment library

I'm moving away from using firestore auth to understand how to make my own authentication system.

My goal:

1. Create a react web app that lets user sign up and sign in .
2. Authenticated users can operate on restAPI, which is NodeJS hooked up to Postgres.

I've watched a lot of tutorials. Most of them talk about express-sessions as as solution. However, when i tried it - these session cookie are only provided when my browser is on the express uri.

The issue is... On the front-end, when I send CRUD operation via fetch to my express api, my react-app do not get that cookie.

is what I'm doing the conventional way to handle authentication with backend server? How can i fix this?

EXPRESS:

EDIT - I no longer think it is a development environment issue as the same thing persists in production.

First off, appreciate anytime spent on this - I know that this is a commonly asked question, but I've perused so many questions and tried applying so many of the solutions to no avail.

To summarize, I currently have a React Front-end that is sending request with the Fetch API to my Express server. I want to use express-sessions to save my logged in user information for the session to use and authenticate as the user uses the application.

I'm having this weird issue where every time a new request is sent, the cookie in my browser in the application tab gets set to something completely new. I might be understanding this wrong, but I thought that that was supposed to remain consistent throughout the session, but it doesn't seem to be the case. This is making it so that every time I call a new request, req.session is completely reset with nothing.

Here is some code from my application:

Express- server.js [my setup for express-session and cors]

I am using express-sessions and Redis(Memorystore) 5.0 to save sessions and it appears Redis is clearing out all the keys(randomly and not at intervals) way before the TTL on a key runs out. Leaving only a couple of backup entries

This entry should be valid for another week judging from the TTL.

I have never configured a Redis instance before and it is likely I misconfigured this one, some insight would be appreciated.

Also, this is what I get when I run monitor

I am using express-sessions, cookies, and React, to build a login system. Currently, once the user is logged in, they are allowed to make requests to certain routes, but if they're not, they're not allowed to.

However, my question is where I should store the user's username. Would storing it in localstorage cause security issues? Or is that a safe way to store something like a username?

The reason I'm not storing it in a cookie is because the cookie is httpOnly. Is this a good idea? All I'm storing in the cookie will be the user's username, so I'm not sure if I'm overdoing security, and I can just access the user's username from my frontend by having the cookie not being httpOnly.

Thanks!

I have a React client setup at localhost:3000 and a node.js server at localhost:5000

I'm trying a simple auth flow in which the client tries to authenticate with the server using Passport.js Google OAuth2.0 and staying authenticated using express-sessions with a MongoDB store.

I believe the reason I'm finding req.user is undefined is because of my lack of understanding of how the auth flow is supposed to work versus any issues with the actual code.

I'm initiating the auth flow through the following code in the react client:

The Setup

I have setup a frontend environment using create-react-app. In this environment I use Axios to make a POST request to my Node JS Express Backend Server /login endpoint. I setup sessions middleware using express-sessions and storing the sessions in Redis. I have all this running in localhost currently.

Environment

• React App - http://localhost:3005/kp (Note: the service runs on http://localhost:3005 however, all the routes have /kp in them)

• Express Backend - http://localhost:5001

• Redis - http://localhost:6379

What Works

When the frontend sends the request to the backend the Express server does it's thing and authenticates the user; it stores the username in the req.session.username (this is just as a test), Redis console shows that the key value store was successful, the frontend network tab shows a 200 status with a Set-Cookie response header and a tab that shows the cookie (screenshots below).

The Problem

Everything seems to be working fine but the cookie is not set in the Browser. I have refreshed the page, tried again many times and yet it will not set the cookie in any browser (Google Chrome & Safari). I am getting frustrated because it seems as though Chrome acknowledges that the Set-Cookie is present but ignores it for some reason.

What I've Tried

Axios

1. I have tried setting withCredentials: true - Does not work
2. Verified the cookie with Set-Cookie is being sent back to the frontend after the POST request

Backend

1. I have checked my CORS policies to but they seem fine; however, I am not great with CORS so there could be misconfiguration there
2. Tried setting credentials to true in CORS policy
3. Verified the session with variables are being set with Redis.

Code

React Frontend Axios POST Request

I'm working with a back-end made with Node.js and front-end made with Angular. I use express-sessions for login, at first, it returns the correct req.session.usuario. But in the next POST request for checking if the user is logged in it returns undefined.

Here is the app.js of node

When user logs into the application, I am using express-sessions to verify them, I attach a user_id to the sessions object , this I will use when I am creating a post, to refrence the user who created that post, eventually I want to have all those post a user created , inside a collection, such that I can easily show it on users dashboard.

You can recreate the bug by my github: https://github.com/fullstackaccount/auth_cookies-Session, use the postman information to : create user,login, then try to submit post. postman Docs: https://documenter.getpostman.com/view/8427997/SWEB1amP?version=latest

I am attempting to use this solution to create this refrence to posts: https://teamtreehouse.com/community/how-to-assign-a-user-a-post-with-mongoose-and-express

THANK YOU FOR YOUR TIME!

This is the login:

getUser() doesnt exist in MongoDB Node.js Native Driver .

See this : https://mongodb.github.io/node-mongodb-native/api-generated/

or

db.getUser in node.js mongodb

I'm using mongoDb shell v4.0.10 . And this is a part of my package.json :