NodeJS Session Authentication

Question

I'm trying to setup a logged in session so that all pages that should be login-restricted simply redirect to the login screen. Unfortunately, app.get seems to be acting weird and not triggering for some cases.

For example, my authentication function:

function authenticate(req,res) {
    var pass = false; 
    if (req.session.loggedIn) pass = true;
    console.log(pass);
    if (pass) {
        next();
    } else {
        res.redirect("/html/login.html");
    }
}

And my server.js:

app.use(express.static(__dirname));
app.use(express.json());
app.use(express.urlencoded());
app.use(express.cookieParser());
app.use(express.session({secret: 'secretkey'})); //not my real key

//gets
app.get("/onePlayer",authenticate);

app.get("/",authenticate);

app.get("/logout",function(req,res) {
    req.session.destroy();
    res.redirect("/");
});

The / gets authenticated, I can see it in my terminal, but /onePlayer does not trigger at all, and I can get to the page without logging in.

Notes: /onePlayer is a directory. The main page is onePlayer/index.html (tried the full path as well, no trigger). I have also made sure that the session is destroyed by logging out and destroying the session.

Why is the function not being called for /onePlayer ? I can't figure it out.

Answer 1

The problem here is that onePlayer is a directory and that in your code, you give priority first to files that exist, and then to your app.get calls.

Change your code to look something like this:

app.use(express.json());
app.use(express.urlencoded());
app.use(express.cookieParser());
app.use(express.session({secret: 'secretkey'})); //not my real key


app.get("/onePlayer",authenticate);
app.use(express.static(__dirname)); // Moved this after the app.get so that it has a lower priority

app.get("/",authenticate);

app.get("/logout",function(req,res) {
    req.session.destroy();
    res.redirect("/");
});