Auth0 is logging a successful login, but in my app, req.user is still undefined. When auth0 redirects to my callback link, which is a secured page, that page does not register that the user is logged in, so it redirects back to the login page. This repeats until I get this error message.
As I mentioned, auth0 has a successful log:
{
"date": "2019-05-26T17:43:06.729Z",
"type": "s",
"connection_id": "",
"client_id": <my-project-id>,
"client_name": <my-project>,
"ip": <ip>,
"user_agent": "Chrome 74.0.3729 / Windows 10.0.0",
"details": {
"prompts": [],
"completedAt": 1558892586728,
"elapsedTime": null,
"session_id": "XCfou1cXNYFqULps8KHGEWZa7wTyeISu"
},
"hostname": <my-auth0-url>,
"user_id": "auth0|<user-id>",
"user_name": <username>,
"log_id": "90020190526174306729524310616829972800980158286508589138",
"isMobile": false
}
The user is redirected to my callback URL (/dashboard):
router.get('/dashboard', secured(), function (req, res, next) {
const { _raw, _json, ...userProfile } = req.user;
res.render('dashboard');
}
This runs my secured middleware:
module.exports = function () {
return function secured (req, res, next) {
if (req.user) { console.log('successfully authenticated'); return next();}
console.log('failed authentication');
req.session.returnTo = req.originalUrl;
res.redirect('/login');
};
};
Yielding the following logs:
GET /login 302 5.512 ms - 0
failed authentication
GET /dashboard?code=UDY7WYrXdtAWspnN&state=gGFkqbi9BlxDizGwO6hS9aaj 302 11.138 ms - 56
GET /login 302 1.675 ms - 0
failed authentication
GET /dashboard?code=mcGKEI4SmmyMfUJW&state=U8jOr7GsoXtQNyxVyKwbfA6e 302 6.735 ms - 56
GET /login 302 1.398 ms - 0
failed authentication
GET /dashboard?code=9Evpigv7JMFqxrfM&state=YkQLHvCuTLn8RZNN8bfAAMdU 302 5.207 ms - 56
etc.
Here is my express setup:
var express = require('express');
var createError = require('http-errors');
var path = require('path');
var logger = require('morgan');
var dotenv = require('dotenv');
var session = require("cookie-session");
var sess = {
secret: <secret>,
}
var passport = require('passport');
var cookieParser = require('cookie-parser');
var bodyParser = require('body-parser');
var Auth0Strategy = require('passport-auth0');
dotenv.config();
var strategy = new Auth0Strategy(
{
domain: process.env.AUTH0_DOMAIN,
clientID: process.env.AUTH0_CLIENT_ID,
clientSecret: process.env.AUTH0_CLIENT_SECRET,
callbackURL:
process.env.AUTH0_CALLBACK_URL || 'http://localhost:8080/dashboard'
},
function (accessToken, refreshToken, extraParams, profile, done) {
// accessToken is the token to call Auth0 API (not needed in the most cases)
// extraParams.id_token has the JSON Web Token
// profile has all the information from the user
return done(null, profile);
}
);
passport.use(strategy);
passport.serializeUser(function (user, done) {
done(null, user);
});
passport.deserializeUser(function (user, done) {
done(null, user);
});
var app = module.exports = express();
app.use(logger('dev'));
app.use(bodyParser.json());
app.use(bodyParser.urlencoded({ extended: false }));
app.use(cookieParser(<secret (same as express-session secret)>));
if (app.get('env') === 'production') {
sess.cookie.secure = true; // serve secure cookies, requires https
}
app.use(session(sess));
app.use(passport.initialize());
app.use(passport.session());
app.set('views', path.join(__dirname, 'views'));
app.set('view engine', 'pug');
app.use(express.static(path.join(__dirname, 'public')));
app.use(express.json());
var userInViews = require('./node_modules/userInViews');
var authRouter = require('./routes/auth');
var indexRouter = require('./routes/public');
var usersRouter = require('./routes/users');
app.use(userInViews());
app.use('/', authRouter);
app.use('/', indexRouter);
app.use('/', usersRouter);
I’ve also attached the HAR file recorded from this authentication (with the sensitive info removed).
testobfuscated.har (468.3 KB)