stackoom
  简体   繁体   中英

express - How to read HttpOnly cookie in request to API?

 原文  2019-03-12 19:29:52       javascript/ node.js/ express/ cookies

Question

When a user logs in, i send back a HttpOnly cookie in the response.

在此处输入图片说明

However when i try to read the cookies when i make a subsequent call to the API, there is nothing

Here is how i made the cookie:

var signOptions = {
    expiresIn: '30d',
    algorithm: 'RS256'
  }
  var CurrentDate = new Date()
  CurrentDate.setMonth(CurrentDate.getMonth() + 1)
  var cookieOptions = {
    httpOnly: true,
    expires: CurrentDate
  }

  const token = jwt.sign({ _id: user._id },
    fs.readFileSync(path.resolve('routes/keys/private.key'), 'utf8'),
    signOptions)

  res.status(200).cookie('stickyAccessJwt', token, cookieOptions).send('well done')

Route ('/test'):

const express = require('express')
const router = express.Router()
const { CheckAuthorisation } = require('./middleware/checkAuthorisation')

router.get('/', CheckAuthorisation, async (req, res) => {
  res.send(':)')
})

module.exports = router

Middleware (the 401 is reached here):

let checkAuthorisation = (req, res, next) => {
  var userJWT = req.cookies.stickyAccessJwt
  if (!userJWT) {
    res.status(401).send('Invalid or missing authorization token')
  } else {
    // 2. There's a token; see if it is a valid one and retrieve the payload

    var verifyOptions = {
      expiresIn: '30d',
      algorithm: ['RS256']
    }

    const userJWTPayload = jwt.verify(
      userJWT,
      fs.readFileSync(path.resolve('routes/keys/private.key'), 'utf8'),
      verifyOptions)

    if (!userJWTPayload) {
      // Kill the token since it is invalid
      res.clearCookie('stickyAccessJwt')
      res.status(401).send('Kill the token since it is invalid')
    } else {
      // 3. There's a valid token...see if it is one we have in the db as a logged-in user
      User.findOne({ '_id': userJWTPayload._id })
        .then(function (user) {
          if (!user) {
            res.status(401).send('User not currently logged in')
          } else {
            console.log('Valid user:', user.email)
            next()
          }
        })
    }
  }
}

Here is my index.js

const Joi = require('joi')
Joi.objectId = require('joi-objectid')(Joi)
const bodyParser = require('body-parser')
const cors = require('cors')
const cookieParser = require('cookie-parser')
const mongoose = require('mongoose')
const express = require('express')
const app = express()
const register = require('./routes/register')
const login = require('./routes/login')
const test = require('./routes/test')

mongoose.connect('mongodb://localhost/stickywall', { useNewUrlParser: true })
  .then(() => console.log('Now connected to MongoDB!'))
  .catch(err => console.error('Something went wrong', err))
mongoose.set('useCreateIndex', true)

app.use(cors())
app.use(cookieParser())
app.use(express.json())
app.use(bodyParser.json())
app.use(bodyParser.urlencoded({ extended: true }))
app.use('/register', register)
app.use('/login', login)
app.use('/test', test)

const port = process.env.PORT || 4000
app.listen(port, () => console.log(`Listening on port ${port}...`))

I do not understand why req.cookies is empty, is there something i am missing?

2 answers

solution1
 0  2021-07-15 23:20:30

res.cookie([ JWT_TOKEN=Bearer ${token}; secure; httponly; samesite=Strict; , ])

  1. The first thing is to install the cookie-parser library,which is a middleware ,so express somehow can manage cookies:

$ npm install cookie-parser

  1. Then go where you configure your Express application and add the cookie-parser library as a middleware

$const express = require('express');
$const cookieParser = require('cookie-parser');
$app.use(cookieParser());

3.Now our Express application can do all of the cookie parsing stuff for us!

req.cookies.JWT_TOKEN

  1. In the front if you use axios you must always set in the configuration "withCredentials: true,"

const config = { headers: { 'Content-Type': 'application/json', },withCredentials: true,}

axios
  .post(
    'http://localhost:3008/api/auth/login',
    {
      username: target.username.value,
      password: target.password.value,
    },
    config
  )
  .then((data) => JSON.stringify(data, null, 2))
  .then((result) => console.log(result))
  .catch((err) => console.log('[Control Error ] ', err))

}`

!!! HTTP cookies are sent automatically in all requests to the server. THE END

solution2
 -1  2019-03-13 20:05:41

const token = req.body.token ||
    req.query.token ||
    req.headers['x-access-token'] ||
    req.cookies.token;

if (!token) {
   res.sendStatus(401)
}

暂无
暂无

The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.

Related Question How to read a HttpOnly cookie using JavaScript HttpOnly Cookie in new Request How can I read a HttpOnly cookie of my Flutter webview? How to set a cookie in express after successful api request Express.js httpOnly cookie not being set Cookie without httpOnly, how insecure it is? HttpOnly cookie is set only after the second request How to use a JWT token inside an httpOnly cookie to call a restricted api endpoint How to delete cookie with HttpOnly using PHP or JS How can I set an httpOnly cookie in React?
Related Tags
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM