FoalTS / foal

Full-featured Node.js framework, with no complexity. 🚀 Simple and easy to use, TypeScript-based and well-documented.
https://foalts.org/
MIT License

Multi-user To-Do list instructions not working #357

Closed kmARC closed 5 years ago

kmARC commented 5 years ago

After this step: https://foalts.gitbook.io/docs/tutorials/multi-user-to-do-list/5-auth-controllers-and-hooks the expected behaviour would be to be able to list todos after authentication, however, the redirection will throw back to /signin again (without any error messages).


[0] 7:58:19 PM - Found 0 errors. Watching for file changes.
[1] restarting child
[1] Starting child process with 'node ./build/index.js'
[1] Listening on port 3000...
[1] GET / 302 8.349 ms - 58
[1] GET /signin 304 9.161 ms - -
[1] GET /style.css 304 1.669 ms - -
[1] POST /auth/login 302 169.778 ms - 46
[1] GET / 302 1.098 ms - 58
[1] GET /signin 304 2.076 ms - -
[1] GET /style.css 304 0.536 ms - -

Started with an empty installation (@foal/cli@~0.7) and the same issue arises.

kmARC commented 5 years ago
    // Add the user to the current session.
    console.dir(ctx.request.session.authentication);
    logIn(ctx, user);
    console.dir(ctx.request.session.authentication);

outputs:

[1]  undefined
[1] { userId: 1 }

However, if I try to query the auth field in ctx with disabled redirection:

  @Get('/')
  // @LoginRequired({ redirect: '/signin', user: fetchUser(User) })
  index(ctx) {
    console.dir(ctx.request.session.authentication);
    return render('./controllers/templates/index.html', {}, __dirname);
  }

it outputs:

[1]  undefined

Looks like after this redirection, the context object doesn't have that authentication object.

Looking at the db this is what I see:

sqlite> select * from sessions;
SZ205NpeGjThJ5kZ8-rG2GFvuwlSwVAG|1550431828716.0|{"cookie":{},"authentication":{"userId":1}}

I'm not sure that cookie field should be empty.

LoicPoullain commented 5 years ago

Hi @kmARC ,

Thank you for reporting this! And for the investigation!

It looks like the session cookie is not set. It may be due to the HTTP redirection because returning a 209 works (cf e2e test https://github.com/FoalTS/foal/blob/master/packages/typeorm/e2e/auth.spec.ts).

I'm taking a look!

LoicPoullain commented 5 years ago

I found where the issue comes from and why it didn't appear in the previous version of tutorial.

When the user logs in at /auth/login, the application sets a cookie on the client so that further requests are authenticated. As no Path is given, the browser automatically sets its path to /auth which causes the problem. The cookie is only sent on requests to /auth/*. So requesting / redirects to /login as no user appears to be authenticated.

To fix this, you can set the cookie Path in the config/:

Version 0.7.x:

// settings.json
{
  "sessionCookiePath": "/"
}

Version 0.8.x:

// default.json
{
  "session": {
    "cookie": {
      "path": "/"
    }
  }
}

Once done, you will have to delete the cookie at the path /auth, otherwise it will be used over the cookie at /. Here's a way to do that in chrome:

[screenshot]

I'll open a PR today to configure the path by default to / so that this issue does not appear in the future.

Let me know if you have any trouble. And thanks for the report!
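The behaviour described in the comment above (a cookie set on POST /auth/login without a Path attribute defaulting to /auth, and an older /auth cookie being preferred over a newer / cookie) is the default-path and path-match logic of RFC 6265. The following is an added example, not code from FoalTS or from either participant: it implements those rules for a simulated cookie jar and replays the scenario from the issue. The cookie name `sessionID`, its values and the request paths are constructed for the demonstration; the Set-Cookie parser is deliberately minimal and only understands the Path attribute.

```javascript
// Added example (not FoalTS project code): RFC 6265 cookie path rules,
// replaying the "/auth default path" problem from the issue.

// RFC 6265 section 5.1.4: default-path of a request-URI.
// "/auth/login" -> "/auth", "/signin" -> "/", "/" -> "/"
function defaultPath(requestPath) {
  if (!requestPath || requestPath[0] !== '/') return '/';
  const lastSlash = requestPath.lastIndexOf('/');
  if (lastSlash === 0) return '/';
  return requestPath.slice(0, lastSlash);
}

// RFC 6265 section 5.1.4: does request-path path-match cookie-path?
function pathMatches(requestPath, cookiePath) {
  if (requestPath === cookiePath) return true;
  if (requestPath.startsWith(cookiePath)) {
    if (cookiePath.endsWith('/')) return true;            // "/" matches everything
    if (requestPath[cookiePath.length] === '/') return true; // "/auth" matches "/auth/x"
  }
  return false;
}

// Minimal Set-Cookie parser: name=value plus an optional Path attribute.
// Per RFC 6265 section 5.3, a missing or invalid Path falls back to the
// default-path of the request that delivered the header.
function parseSetCookie(header, requestPath) {
  const parts = header.split(';').map((s) => s.trim());
  const eq = parts[0].indexOf('=');
  const cookie = { name: parts[0].slice(0, eq), value: parts[0].slice(eq + 1), path: null };
  for (const attr of parts.slice(1)) {
    const [k, v] = attr.split('=');
    if (k.toLowerCase() === 'path' && v && v[0] === '/') cookie.path = v;
  }
  if (cookie.path === null) cookie.path = defaultPath(requestPath);
  return cookie;
}

// RFC 6265 section 5.4: cookies whose path matches the request are sent,
// longer paths first. A server reading the first "sessionID" therefore sees
// the /auth cookie before the / cookie, which is why the old one has to be
// deleted after changing the configured path.
function cookieHeader(jar, requestPath) {
  return jar
    .filter((c) => pathMatches(requestPath, c.path))
    .sort((a, b) => b.path.length - a.path.length)
    .map((c) => `${c.name}=${c.value}`)
    .join('; ');
}

// Constructed scenario mirroring the issue: the session cookie is set by the
// response to POST /auth/login, then the client requests GET /.
function demo() {
  const loginPath = '/auth/login';
  const withoutPath = parseSetCookie('sessionID=abc123; HttpOnly', loginPath);
  const withPath = parseSetCookie('sessionID=def456; Path=/; HttpOnly', loginPath);
  return {
    defaultPath: withoutPath.path,                              // '/auth'
    brokenRoot: cookieHeader([withoutPath], '/'),               // '' -> looks logged out
    brokenAuth: cookieHeader([withoutPath], '/auth/logout'),    // 'sessionID=abc123'
    fixedRoot: cookieHeader([withPath], '/'),                   // 'sessionID=def456'
    // Both cookies still stored: the stale /auth one wins on /auth/* requests.
    staleWins: cookieHeader([withoutPath, withPath], loginPath),
  };
}

module.exports = { defaultPath, pathMatches, parseSetCookie, cookieHeader, demo };
```

Setting Path=/ is the fix the maintainer describes; when doing so for a session cookie, keep HttpOnly and, over HTTPS, add Secure and a SameSite value, since a cookie scoped to the whole site is sent on every request to that origin.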

kmARC commented 5 years ago

Yes, this seems to be working. Thanks!