Trouble using express.session with https - javascript

I have to use authentication and then create a session for this i have a HTTPS static website running on expressjs
Code :
app.js:
//created the https server
var express = require('express');
var https = require('https');
var http = require('http');
var fs = require('fs');
var mongo = require('mongodb');
var monk = require('monk');
var db = monk('localhost:27017/svgtest1');
// This line is from the Node.js HTTPS documentation.
var options = {
key: fs.readFileSync('privatekey.pem'),
cert: fs.readFileSync('certificate.pem')
};
// Create a service (the app object is just a callback).
var app = express();
app.use(express.static(__dirname + '/public'));
app.use(express.cookieParser());
app.use(express.session({cookie: { httpOnly: false , maxAge: 24*60*60*1000}, secret: '1234567890QWERT'}));
app.use(express.urlencoded());
app.use(express.json());
// middle ware to check auth
function checkAuth(req, res, next) {
if (!req.session.user_id) {
res.send('You are not authorized to view this page');
} else {
next();
}
}
app.get('/', function(req, res) {
console.log('First page called');
res.redirect('xyz.html');
res.end();
});
app.post('/login', function(req, res) {
console.log('login called');
var usrfield = req.body.usrfield;
var passfield = req.body.passfield;
// Play with the username and password
if (usrfield == 'xxx' && passfield == 'xxx') {
req.session.user_id = '123';
res.redirect('abc.html');
} else {
res.send('Bad user/pass');
}
console.log(usrfield);
console.log(passfield);
res.end();
});
// Create an HTTPS service.
https.createServer(options, app).listen(8888);
When I visits https://localhost:8888 it continuously loads the page and does not redirect to xyz.html where i have to enter the credentials to authenticate the user ?
When I comment out
app.use(express.session({cookie: { httpOnly: false , maxAge: 24*60*60*1000}, secret: '1234567890QWERT'}));
Then the page loads correctly but when i post the form to /login then it says req.session cannot be written. For this i know because i have comment out the express.session, but the strange thing is that connect.sid cookie is created. Why ?
I am confused regarding question 1 and 2.

I tried your example, and it works for me. Are you sure you're using the https protocol in the browser? By default, a browser will try to connect with HTTP protocol unless you redirect to HTTP. With your set, navigating to this URL will just spin:
http://localhost:8888
However, if you navigate to this URL:
https://localhost:8888
It will work as expected. Most servers that use HTTPS automatically redirect to an HTTPS connection if the user came in over HTTP, but you still have to have two servers: one accepting HTTP request, and the other accepting HTTPS requests. For example, you could do this:
// create an HTTPS service
https.createServer(options, app).listen(443);
// create HTTP service to redirect to HTTPS
http.createServer(express().use(function(req,res){
res.redirect('https://localhost:443' + req.url);
})).listen(8888);
Note that if you use ports below 1024 (such as 443, which is common for HTTPS), you'll probably have to have elevated privileges depending on your server set up. In OSX/Linux, you would just do sudo node app.js. Of course you don't have to run on port 443: you could have your HTTPS server run on 8887 and your HTTP redirect server run on 8888.

Related

How to redirect requests sent to an external resource in express?

I am trying Express redirects on a website running from localhost. Express captures the http calls made and redirects them as required using the express routing feature. It matches the uri pattern of the requests made from the internal host.
var express = require('express')
var app = express()
app.get('/about', function (req, res) {
res.send('about')
})
If I am running from localhost:4200, the above code will route requests that resemble, http://localhost:4200/about.
Now let's say there is a button which on click opens https://google.com. Is there a way in express to catch this request and route it elsewhere?
var express = require('express')
var app = express()
app.get('/about', function (req, res) {
res.status(301).redirect('https://www.google.com') // status 301 or 302 for permanent or temporary redirection
})
or
app.use((req, res, next) => {
if (true) { // make your own condition in the express middleware
return res.status(301).redirect(`https://www.google.com`);
}
return next();
});

How can I make my localhost server available from external requests?

I'm running a simple nodejs server on my localhost on port :3434
const cors = require('cors');
const app = require('express')();
const bodyParser = require('body-parser')
app.use(bodyParser.json())
app.use(bodyParser.urlencoded({ extended: true }));
app.use(cors());
app.get('/ping/:anystring', (req, res) => {
console.log(req.params['anystring']);
res.send({
anystring: req.params['anystring']
})
});
app.listen(3434);
and I'd like to perform some ajax call from a website of mine.
I tried to configure the router port forwarding like so:
- name service: mylocalserver
- porta ragnge: 3434
- local ip: 192.168.1.19
- local port: 3434
- protocol: BOTH
but when I do
fetch(publicIP:3434/ping/hello).then(res => {
console.log(res);
})
I get error 404
Might anyone help me telling what I'm doing wrong?
You can't access your localhost server outside of your LAN unless you create a tunnel. I use ngrok.
There is an npm package for ngrok, but I couldn't get that one working, so I just manually start the server from terminal whenever I need to test an API.
Also you'll need http.
add this to your app.js:
const http = require('http');
const newPort = //your port here (needs to be a different port than the port your app is currently using)
const server = http.createServer(function(req, res) {
console.log(req); //code to handle requests to newPort
res.end('Hello World);
});
app.listen(newPort, function() {
console.log(`ngrok listening on ${newPort}`);
});
Now in terminal, after installing ngrok, use this ngrok http newPort where newPort = your port
You can view requests sent to your server by going to localhost:4040 (this might change depending on your system)
To send a request to your localhost, do this:
- name service: mylocalserver //not sure
- porta ragnge: ???
- local ip: //ngrok gives you a url in terminal when you start the server (I'm not sure if you can reference an IP)
- local port: newPort
- protocol: http //(ngrok gives you a different url for http and https)
You can use local tunnel
It maps your port on the localhost to a web url whithout the need to change your code

How to set React app and API on same port?

I've got a React app that via an API pulls data from a separate database.
When I run it locally, the app is one port and the API is on another port.
Since when I make AJAX calls in the app to the API, I need to include the URL where the API can connect.
It works if I hardcode the separate port (e.g., the app is on http://localhost:3000 and the API on http://localhost:3100, making the AJAX url call to the API http://localhost:3100/api/trusts).
However, since the app and API are on different ports, I can't make the AJAX url a relative path because it erroneously sends the AJAX call to http://localhost:3000/api/trusts and not http://localhost:3100/api/trusts.
How do I get them to run on the same port?
Thanks!
Here's my server.js:
var express = require('express');
var bodyParser = require('body-parser');
var mongoose = require('mongoose');
var path = require('path');
var app = express();
var router = express.Router();
var mongoose = require('mongoose');
var Schema = mongoose.Schema;
//set our port to either a predetermined port number if you have set it up, or 3001
var port = process.env.PORT || 5656;
//db config
var mongoDB = 'mongodb://XXX:XXX!#XXX.mlab.com:XXX/XXX';
mongoose.connect(mongoDB);
var db = mongoose.connection;
db.on('error', console.error.bind(console, 'MongoDB connection error:'));
//body parsing
app.use(bodyParser.json());
app.use(bodyParser.urlencoded({ extended: true }));
// allow cross-browser
app.use(function(req, res, next) {
res.setHeader('Access-Control-Allow-Origin', '*');
next();
});
// handling static assets
app.use(express.static(path.join(__dirname, 'build')));
// api handling
var TrustsSchema = new Schema({
id: String,
name: String
});
var Trust = mongoose.model('Trust', TrustsSchema);
const trustRouter = express.Router();
trustRouter
.get('/', (req,res) => {
Trust.find(function(err, trusts) {
if (err) {
res.send(err);
}
res.json(trusts)
});
});
app.use('/api/trusts', trustRouter);
//now we can set the route path & initialize the API
router.get('/', function(req, res) {
res.json({ message: 'API Initialized!'});
});
app.get('/*', function (req, res) {
res.sendFile(path.join(__dirname, 'build', 'index.html'));
});
app.listen(port, function() {
console.log(`api running on port ${port}`);
});
Below is the AJAX call I'm trying to make that doesn't work because the relative path is appended to the app's port (i.e., http://localhost:3000/) and not the API's port (i.e., http://localhost:3100/):
axios.get("/api/trusts")
.then(res => {
this.setState({trusts: res.data});
})
.catch(console.error);
To tell the development server to proxy any unknown requests to your API server in development, add a proxy field to your package.json, for example:
"proxy": "http://localhost:4000",
This way, when you fetch('/api/todos') in development, the development server will recognize that it’s not a static asset, and will proxy your request to http://localhost:4000/api/todos as a fallback. The development server will only attempt to send requests without text/html in its Accept header to the proxy.
"Keep in mind that proxy only has effect in development (with npm start), and it is up to you to ensure that URLs like /api/todos point to the right thing in production."
Note: this feature is available with react-scripts#0.2.3 and higher.
More details here: https://github.com/facebook/create-react-app/blob/master/packages/react-scripts/template/README.md#proxying-api-requests-in-development

Express.js redirect to HTTPS and send index.html

I have a simple Express.js instance that's serving up static assets for a single page Angular app. I set up some middleware on the Express config so that index.html is returned for all routes and Angular can load from there.
More recently, I set up SSL on Heroku and I want to make sure that all traffic that comes in from HTTP is redirected to HTTPS. I tried to combine the suggested solution from this post with what I have now, but end up in an endless redirect loop.
In short, I need all traffic to be redirected from HTTP to HTTPS and the index.html file to be sent for all requests. What am I doing wrong here?
var gzippo = require('gzippo');
var express = require('express');
var morgan = require('morgan');
var app = express();
// set environment variables
var env = app.get('env') || 'development';
app.use(morgan('dev'));
// serve static assets
app.use(gzippo.staticGzip("" + __dirname + "/dist"));
app.use("/js", express.static(__dirname + "/dist/scripts"));
app.use("/fonts", express.static(__dirname + "/fonts"));
app.use("/img", express.static(__dirname + "/dist/assets/images"));
app.use("/css", express.static(__dirname + "/dist/styles"));
// Redirect all HTTP traffic to HTTPS
function ensureSecure(req, res, next){
if(req.secure){
// OK, continue
return next();
};
res.redirect('https://'+req.hostname+req.url); // handle port numbers if you need non defaults
};
// Always send index.html
function sendIndex(req, res, next) {
res.sendfile('index.html', { root: __dirname + "/dist/"});
}
// Handle environments
if (env == 'production') {
app.all('*', ensureSecure);
}
app.all('/*', sendIndex);
// Start server
app.listen(process.env.PORT || 5000);
Heroku terminates SSL connections at the load balancer level, so req.secure will never be true, because your connection to heroku's load balancer is not using SSL, thus creating an infinite redirect loop.
You have to check the X-Forwarded-Proto header instead:
if(req.headers["x-forwarded-proto"] === "https"){
// OK, continue
return next();
};
res.redirect('https://'+req.hostname+req.url);
Edit: you can also set app.enable("trust proxy") to have express check the headers automatically. See http://expressjs.com/guide/behind-proxies.html

Cannot access req.session variables in Express/NodeJS

I've seen many variations of this question, but none seemed to solve my issue. I'm trying to set up a Node.js server using Express. Here is my server configuration:
var express = require('express'),
RedisStore = require('connect-redis')(express);
var app = express();
app.use(express.urlencoded());
app.use(express.json());
app.use(express.cookieParser());
app.use(express.session({
store: new RedisStore(),
secret: APP_SECRET
}));
// Initialize redis connection
var client = redis.createClient();
client.on('connect', function() {
console.log('Connected to Redis server')
})
client.on('error', function (err) {
console.log('Error ' + err);
});
// Enable cross-origin resource sharing
app.all('*', function(req, res, next) {
res.header('Access-Control-Allow-Origin', '*');
res.header('Access-Control-Allow-Headers', 'X-Requested-With');
next();
});
var api = require('./controllers/api.js');
app.post('/login', api.login);
app.get('/auth', api.auth);
app.listen(3000);
And here are some simple routes:
exports.login = function(req, res) {
var user = new User(req.username, req.password);
req.session.user = user;
console.log(req.session.user); //works
res.json({user:user});
}
exports.auth = function(req, res) {
console.log(req.session.user); //doesn't work
res.json(req.session.user);
}
So in my login route, I can print the session variable as expected. But if I visit the auth route after visiting the login route, the session variable is undefined. How can I get Express sessions to work?
In a typical web application, the credentials used to authenticate a user will only be transmitted during the login request. If authentication succeeds, a session will be established and maintained via a cookie set in the user's browser.
Each subsequent request will not contain credentials or all user data, but rather the unique cookie that identifies the session. In order to support login sessions, You have to serialize and deserialize user instances to and from the session in every request.
In your case, you have assigned req.session.user = user; only in /login request. It will not be available for further requests(/auth).
You have to get user information in /auth request too by session id. (Or) Better you can use passport for authentication.
I think maybe your redis client is not connecting well, try something like this and be sure to start the redis service
sudo service redis-server start
or the way you are calling The RedisStore variable look at the example
example:
var express = require('express');
var app = express();
var cookieParser = require('cookie-parser');
var session = require('express-session');
var RedisStore = require('connect-redis')(session);
app.set('port',process.env.PORT || 3000);
app.use(cookieParser());
app.use(session({
resave: true,
saveUninitialized: true,
store: new RedisStore({
host: 'localhost',
port: 6379
}),
secret: 'some string/hash secret'
}));
var counter=0;
app.get('/', function(request, response){
//adding some value to request.session
counter = counter+1;
request.session.color = {'anyValue': counter};
//
console.log('Session ID: ', request.sessionID);
console.log('Session: ', request.session);
response.send('some text counter: '+request.session.color['anyValue']);
});
app.listen(app.get('port'));
The currently accepted answer didn't realize that express.session already handles cookie based sessions with the req.session object. I tried a trimmed down version of yours not using redis and it worked. Looking at the connect-redis docs it looks like you need to pass a session to connect-redis. You are currently passing it express. I believe changing that will fix your problem.
P.S. I would update your node/express versions as current versions of express no longer have the built in middleware along with other improvements.
Newer versions of express:
var session = require('express-session');
var cookieParser = require('cookie-parser');
var json = require('express-json');
var bodyParser = require('body-parser')
Rather than:
express.session
express.cookieParser
express.json
express.bodyParser

Categories