stackoom
  简体   繁体   中英

Even after entering wrong credentials Passport.js login function is not creating any err and making the user authenticated

 原文  2020-06-07 23:07:14       javascript/ node.js/ passport.js

Question

Hi I am using nodeJs Passport npm package

I am trying to use login functionality, the code I am using is this:

let User = new mongoose.model("user", userSchema);

// use static authenticate method of model in LocalStrategy
passport.use(User.createStrategy());

// use static serialize and deserialize of model for passport session support
passport.serializeUser(User.serializeUser());
passport.deserializeUser(User.deserializeUser());

app.post("/login", function(req, res){
   const user =  new User({
       username: req.body.username,
       password: req.body.password
   });

   req.login(user, function(err){
       if(err){
           console.log(err);
           res.redirect("/login");
       }else{
           // all cookies are saved, sessions working now
           passport.authenticate("local")(req, res, function(){
            res.redirect("/secrets");
        });
       }
   });
});

But when I enters wrong password, it says UnAuthorized but it is also going to authenticate function and making the user authenticated.

May I know what is the issue in my code?

1 answers

solution1
 1  2021-01-03 07:05:32

I had the same issue. (Fix me if I'm wrong, but it seems very like a code from Angela Yu's course:) )

I noticed that in Passport.js docs its always using the passport.authenticate method but not the req.login() . Docs says that

Passport exposes a login() function on req (also aliased as logIn() ) that can be used to establish a login session.

And that the login() function is used inside the passport.authenticate to create session.

So I think whats going on is the code:

  1. You enter wrong password on login page
  2. req.login() creates a session cookies as if that was true user, ie it logs you in (since err object in login()'s callback is not for authentication errors, but for some other purposes)
  3. then, since err object in login() callback is not for authentication errors and stays undefined , passport.authenticate(...) is called and it gives you 401 error "Unauthorized" because the password was wrong..

But the cookie for you is already has been created by the login() . So you can access all the secret stuff after that.

so the code that works for me was just:

app.post("/login", passport.authenticate("local"), (req, res) => {
    res.redirect("/secrets");
});

暂无
暂无

The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.

Related Question Passport.js User Login & Authentication Passport.js signup appears to work but user credentials not inserted into database How to flash a user's username after a successful login using Passport.js? Why isAuthenticated return false in passport.js local strategy after successful login the user Passport.js is not passing user to request in req.login() Error: req#login requires a callback function Passport.js Why Passport.JS returns empty user object after redirect? Passport.js, Sessions, & React | Accessing req.user from any route other than the /login route is undefined "TypeError: User.serializeUser is not a function" with passport.js when exactly missing credentials error created in passport.js login cycle
Related Tags
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM