I've been able to store a custom cookie but I'm trying to save it for a session the store it in the database when a form is submitted. I use:
func (c Application) Index(id string) revel.Result {
cookie := http.Cookie{Name: "id", Value: id, Domain: "localhost", Path: "/"}
c.SetCookie(&cookie)
return c.Render()
}
but I cannot access it again. How could I retrieve it in a different function?
Thank you!
I was going about it all wrong. Revel sets cookies with the session.
Set:
c.Session[key] = value
Get:
c.Session[key]
Related
I have a page where users can give themselves a "role" like member or admin. They can go to another route to create messages. I am trying to update user's role from "user" to "admin". It updates req.session to admin role in the admin.js file, but when I go to messages/create.js and try to log req.session, it shows that user still has the "user" role. I am saving the changes I make by calling req.session.save(), but it is not working.
admin.js
import { withIronSessionApiRoute } from "iron-session/next";
import nc from "next-connect";
import { session_config } from "../../lib/config";
import Users from "../../models/user";
import { connectToDatabase } from "../../util/mongodb";
const handler = nc()
handler.post(async (req) => {
if (req.body.password === process.env.ADMIN_PASSWORD) {
await connectToDatabase()
await Users.findOneAndUpdate({ name: req.session.user.name }, { role: "admin" })
const updated_user = { name: req.session.user.name, role: "admin" }
req.session.user = updated_user
await req.session.save()
}
})
export default withIronSessionApiRoute(handler, session_config);
messages/create.js
import { withIronSessionApiRoute } from "iron-session/next";
import nc from "next-connect";
import { session_config } from "../../../lib/config";
const handler = nc()
handler.post(async (req) => {
console.log(req.session.user)
console.log(req.body)
})
export default withIronSessionApiRoute(handler, session_config)
Please let me know what the issue is and how I can fix it. Thank you
The first thing I noticed from looking at the code is that you're not sending a response back to the client. Iron session uses cookies to manage stateless authentication and the way it manages is by setting the response header. Because you're not sending a response, it can't update the session.
Looking further into the API documentation, session.save() - "Saves the session and sets the cookie header to be sent once the response is sent."
Not knowing your full implementation or having a working code example from something like codesandbox.io, I suggest the following code to see if this solves your problem.
// please make sure that `res` is a parameter on the `.post()` function
// on your original code. I've already set it as shown below.
handler.post(async (req, res) => {
if (req.body.password === process.env.ADMIN_PASSWORD) {
await connectToDatabase()
await Users.findOneAndUpdate({ name: req.session.user.name }, { role: "admin" })
const updated_user = { name: req.session.user.name, role: "admin" }
req.session.user = updated_user
await req.session.save()
// response below
res.send({ ok: true })
// or if you don't want to send custom data back, comment the line above,
// and then uncomment the line below
// res.status(200).end()
}
})
Attempt 2
I made an iron session demo on Codesandbox using some of the demo code from the iron session repo NextJs example.
The code example shows:
login
log out
setting a user as an admin
fetching user data from server-side
fetching user data from client-side
fetching using SWR
Some side notes to be aware of: if you are doing something like
const sessionData = req.session.user, then trying to mutate the req.session.user, and then sending the data back, it won't work because the session object will be recreated per request and node cannot store req.session as a reference.
If my demo doesn't help you, then you're going to have to share more info and code, and maybe create a Codesandbox to reproduce what is happening to you.
I'm having trouble getting Sapper to synchronize session changes made in my server-side routes without a pageload. My example scenario is that I load my app with no user in the session, my server-side login route sets the user to the session, and I use goto to got to the dashboard.
The problem is that the session argument in the dashboard's preload function isn't populated. If I use window.location.href = '/dashboard', it is, because it's running through Sapper's page_handler. But if I do a client-only redirect, Sapper isn't sending the updated session to the client.
Any way around this? Am I using my tools wrong?
Note: I'm using connect-pg-simple and express-session, setting up sapper like this: sapper.middleware({session: (req, res) => req.session.public}).
I found my answer in the Sapper docs
session contains whatever data was seeded on the server. It is a writable store, meaning you can update it with new data (for example, after the user logs in) and your app will be refreshed.
Reading between the lines, this indicates that your app has to manually synchronize your session data.
The solution here is to manually sync the session data to the client, either with a webhook connection, a response header, or a key in the response data.
I've got a decorator I use to create a server route handler, in which I add the session data to the response. Here's a simplified version:
const createHandler = getData => (req, res) => {
res.status(200).json({data: getData(req.body), session: req.session.public})
}
Obviously there's more to it than that, e.g. error handling, but you get the idea. On the client, I wrap fetch in a helper function that I always use anyway to get my json, set the correct headers, etc. In it, I look at the response, and if there's a session property, I set that to the session store so that it's available in my preloads.
import {stores} from "#sapper/app"
const myFetch = (...args) => fetch(...args).then(r => r.json()).then(body => {
if (body.session) stores().session.set(body.session)
return body.data
})
To put it simply, after your session status changes from the front end (user just logged in, or you just invalidated his login), you should update the session store on the front end.
<script>
import { goto, stores } from '#sapper/app';
const { session } = stores();
const loginBtnHandler = () => {
const req = await fetch('/api/login', {
method: 'POST',
credentials: 'same-origin', // (im using cookies in this example)
headers: {
'Content-Type': 'application/json',
},
body: JSON.stringify({ ........ })
});
if (req.ok) {
// here is where you refresh the session on the client right after you log in
$session.loggedIn = true; // or your token or whatever
// next page will properly read the session
goto('/');
return;
}
...
}
</script>
I have set up a Go rest api. And on login I do this:
session, _ := store.New(r, sessionId)
session.Options.MaxAge = 12 * 3600
err := session.Save(r, w)
//treat error
and for checking the session i have smth like this:
session, err := store.Get(r, sessionId)
//treat error
if session.IsNew {
http.Error(w, "Unauthorized session.", http.StatusUnauthorized)
return
}
If I do the requests from postman it works fine, but when I do them from my client I get 401. Has any of you experienced something like this? The store is a CookieStore.
I already checked the id's, I replaced sessionId variable with a static string. Gorilla session uses gorilla context to register a new request and when I do the request from postman context.data[r] is not null, but from the client it is always null -> always a new session.
https://github.com/gorilla/context/blob/master/context.go - line 33
it is called in
https://github.com/gorilla/sessions/blob/master/sessions.go - line 122
wich is used in the CookieStore.Get function in
https://github.com/gorilla/sessions/blob/master/store.go - line 77
EDIT 1:
For the client I use polymer and I tried xmlhttp too.
Polymer:
<iron-ajax
id="ajaxRequest"
auto
url="{{requestUrl}}"
headers="{{requestHeaders}}"
handle-as="json"
on-response="onResponse"
on-error="onError"
content-type="application/json"
>
</iron-ajax>
and the handlers
onResponse: function(response){
console.log(response.detail.response);
this.items = response.detail.response
},
onError: function(error){
console.log(error.detail)
},
ready: function(){
this.requestUrl = "http://localhost:8080/api/fingerprint/company/" + getCookie("companyId");
this.requestHeaders = {"Set-cookie": getCookie("api_token")}
}
and the cookie successfully reaches the backend.
And xmlhttp:
var xmlhttp = new XMLHttpRequest();
xmlhttp.onreadystatechange = function() {
if (xmlhttp.readyState == XMLHttpRequest.DONE ) {
if(xmlhttp.status == 200){
//do stuff
}else if(xmlhttp.status == 401){
page.redirect("/unauthorized")
}else{
page.redirect("/error")
}
}
}
xmlhttp.open("GET","http://localhost:8080/api/fingerprint/company/" + getCookie("companyId"),true);
xmlhttp.setRequestHeader("Set-cookie", getCookie("api_token"));
xmlhttp.send();
EDIT 2:
So I tried debugging with fiddler(thanks for the suggestion) and i found out that the request from postman has an bold entry Cookies / Login and the request from the client does not. Any idea how to get/set that value? It is somehow automatically set in Postman. In the authentication request I get a set-cookie header that has all the data that I need but I can't get it on the client. I get Refused to get unsafe header set-cookie.
The problem is that in the client the requests need to have withCredentials = true and after that the browser deals with everything. It gets the cookie from the set-cookie header and it sends the cookies via the cookie header. So, after all, it was not a gorilla sessions problem.
If anyone else is having the same problem I was having and you want to whitelist all domains/wildcards (or have a list of domains in an array you can scan through), you can do something like this.
domain_raw := r.Host
domain_host_parts := strings.Split(domain_raw, ".")
domain := domain_host_parts[1] + "." + domain_host_parts[2]
domains := getDomains() // stores a slice of all your allowable domains
has_domain := false
for _, d := range domains {
if d == domain {
has_domain = true
break
}
}
if has_domain == false {
return
} else {
w.Header().Add("Access-Control-Allow-Origin", "https://"+domain_raw)
w.Header().Add("Access-Control-Allow-Credentials", "true")
}
I love go
The Stormpath documentation
says nothing about modifying user attributes in the PostRegistrationHandler, and I need to be able to do this.
After creating a user, I want to give it a random string as a property. This random string will be a key into my separate Mongo Database. In my app.js, I have:
app.use(stormpath.init(app, {
postRegistrationHandler: function(account, res, next) {
// theoretically, this will give a user object a new property, 'mongo_id'
// which will be used to retrieve user info out of MONGOOOO
account.customData["mongo_id"] = "54aabc1c79f3e058eedcd2a7"; // <- this is the thing I'm trying to add
console.log("RESPNSE:\n"+res);
account.save(); // I know I'm using 'account', instead of user, but the documentation uses account. I don't know how to do this any other way
next();
console.log('User:\n', account, '\njust registered!');
},
apiKeyId: '~/.stormpath.apiKey.properties',
//apiKeySecret: 'xxx',
application: ~removed~,
secretKey: ~removed~,
redirectUrl: '/dashboard',
enableAutoLogin: true
}));
I don't know how to my console.log line DOES print out customData with the mongo_id attribute. When I try to access it later with req.user.customData['mongo_id'], it isn't there. Account and req.user must be different. How can I save the user?
I'm the author of the library mentioned above, so I think this will help a bit.
I've modified your code to work properly =)
app.use(stormpath.init(app, {
postRegistrationHandler: function(account, res, next) {
// The postRegistrationHandler is a special function that returns the account
// object AS-IS. This means that you need to first make the account.customData stuff
// available using account.getCustomData as described here:
// http://docs.stormpath.com/nodejs/api/account#getCustomData
account.getCustomData(function(err, data) {
if (err) {
return next(err);
} else {
data.mongo_id = '54aabc1c79f3e058eedcd2a7';
data.save();
next();
}
});
},
apiKeyId: 'xxx',
apiKeySecret: 'xxx',
application: ~removed~,
secretKey: ~removed~,
redirectUrl: '/dashboard',
enableAutoLogin: true,
expandCustomData: true, // this option makes req.user.customData available by default
// everywhere EXCEPT the postRegistrationHandler
}));
Hope that helps!
The solution provided by rdegges is not entirely correct.
The call to next() must be invoked only after the customData finished saving, not right away, so it has to be the callback in data.save().
Also, apparently the postRegistrationHandler parameters have changed since to account, req, res, next.
Here is a currently working solution:
postRegistrationHandler: function(account, req, res, next) {
account.getCustomData(function(err, data) {
if (err)
return next(err);
data.mongo_id = '54aabc1c79f3e058eedcd2a7';
data.save(next);
});
},
I am trying to implement a session store for an express.js node app
My question are :
How do you delete cookie that have a browser session lifetime (marked with expires = false according to connect doc)
Should I store session data as a json string or directly as an object
this is the coffee script I came up with so far, using mongoose as I this is the orm I chose for the app
express = require 'express'
mongoose = require "mongoose"
util = require "util"
# define session schema
SessionSchema = new mongoose.Schema
sid : { type: String, required: true, unique: true }
data : { type: String, default: '{}' }
expires : { type: Date, index: true }
module.exports =
class SessionStore extends express.session.Store
constructor: (options) ->
console.log "creating new session store"
options ?= {}
# refresh interval
options.interval ?= 60000
options.url ?= "mongodb://localhost/session"
# create dedicated session connection
connection = mongoose.createConnection options.url
# create session model
#Session = connection.model 'Session', SessionSchema
# remove expired session every cycles
removeExpires = => #Session.remove expires: { '$lte': new Date() }
setInterval removeExpires, options.interval
get: (sid, fn) ->
#Session.findOne sid: sid, (err, session) ->
if session?
try
fn null, JSON.parse session.data
catch err
fn err
else
fn err, session
set: (sid, data, fn) ->
doc =
sid: sid
data: JSON.stringify data
expires: data.cookie.expires
try
#Session.update sid: sid, doc, upsert: true, fn
catch err
fn err
destroy: (sid, fn) ->
#Session.remove { sid: sid }, fn
all: (fn) ->
#Session.find { expires: { '$gte': new Date() } }, [ 'sid' ], (err, sessions) ->
if sessions?
fn null, (session.sid for session in sessions)
else
fn err
clear: (fn) -> #Session.drop fn
length: (fn) -> #Session.count {}, fn
I'm pretty new to node so take this with a grain of salt.
While not directly session oriented the remember me tutorial on dailyjs will help a bit I think. Specifically the last bit of code where he verifies login tokens.
Also, I believe it's better to parse the JSON and store as an object. Should be easier to get access to the different cookie bits that way if you take care of the parse up front.