colinskow / superlogin


Calling /auth/session with authorization header is returning unauthorized #194

Open webnoob opened 6 years ago

webnoob commented 6 years ago

Using Postman, I'm POSTing to http://localhost:4000/auth/login?username=test@test.com&password=test which returns a valid password and token

{
    "issued": 1513064134060,
    "expires": 1513150534060,
    "provider": "local",
    "ip": "::1",
    "token": "therientortackledgedeati",
    "password": "a76e3a98845b67f533f25070502a12cca1c97163",
    "user_id": "test@test.com",
    "roles": [
        "user"
    ],
    "userDBs": {
        "msp": "https://therientortackledgedeati:a76e3a98845b67f533f25070502a12cca1c97163@test.cloudant.com/msp$test(40)test(2e)com"
    },
    "profile": {
        "companyName": "test",
        "firstName": "test",
        "lastName": "test"
    }
}

I then make a GET request to http://localhost:4000/auth/session setting the Authorization Bearer Token to therientortackledgedeati:a76e3a98845b67f533f25070502a12cca1c97163 but I get the response unauthorized.

What am I doing wrong? From what I can see my example is in line with the demo example in the docs.

My server file is like so:

var express = require('express');
var http = require('http');
var bodyParser = require('body-parser');
var logger = require('morgan');
var cors = require('cors');
var path = require('path');
var SuperLogin = require('superlogin');
const superloginConfig = require('./superloginClient');
var superlogin = new SuperLogin(superloginConfig);
const routes = require('./routes');

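// Express application that mounts the SuperLogin router under /auth and the
// app's own API routes under /api.
const app = express();
app.set('port', process.env.PORT || 4000);
app.use(logger('dev'));
app.use(bodyParser.json({limit: '50mb'}));
app.use(bodyParser.urlencoded({limit: '50mb', extended: true}));
// cors() with no options already answers preflight requests and sets
// Access-Control-Allow-Origin: *; the manual header block below duplicates
// part of that. A wildcard origin on an authentication API is worth
// revisiting for production (restrict `origin` to the known front-end hosts).
app.use(cors());

// Bug fix: this header middleware was registered AFTER the '/auth' and '/api'
// routers. Express runs middleware in registration order and a router that
// sends a response does not call next(), so the block never ran for any
// request those routers handled. It must be mounted before them to take effect.
// NOTE(review): the Allow-Headers list does not include `Authorization`, which
// is the header the bearer-token session check relies on; cors() above reflects
// the requested headers itself, so this list is only relevant if cors() is
// removed — confirm before relying on it.
app.use(function(req, res, next) {
  res.header("Access-Control-Allow-Origin", "*");
  res.header('Access-Control-Allow-Methods', 'DELETE, PUT');
  res.header("Access-Control-Allow-Headers", "Origin, X-Requested-With, Content-Type, Accept");
  next();
});

app.use('/auth', superlogin.router);
app.use('/api', routes);

app.listen(app.get('port'));
console.log("App listening on " + app.get('port'));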

and my config

// CouchDB/Cloudant connection used by SuperLogin.
// NOTE(review): `user`/`password` are the credentials for `host`. They are
// placeholders in this report, but in a real deployment they belong in an
// environment variable or secret store rather than a committed config file —
// confirm against superlogin how this account is used (presumably to
// provision the per-user databases).
const dbServer = {
  protocol: 'https://',
  host: 'test.cloudant.com',
  user: 'test',
  password: 'test',
  cloudant: true,
  userDB: 'sl-users',
};

// Outbound mail settings; everything is left blank here, so no mailer host
// or account is configured.
// `port` is the string '25' exactly as in the original — confirm the mailer
// accepts a string rather than a number.
const mailer = {
  fromEmail: '',
  options: {
    host: '',
    port: '25',
    auth: {
      user: '',
      pass: '',
    },
  },
};

// Per-user database provisioning: one private DB named 'msp' per user
// (the login response in this report shows it in `userDBs`), with the
// listed permissions applied to the default model.
const userDBs = {
  defaultDBs: {
    private: ['msp'],
  },
  model: {
    _default: {
      permissions: ['_reader', '_replicator', '_writer'],
    },
  },
};

module.exports = { dbServer, mailer, userDBs };
webnoob commented 6 years ago

Ok, I've found out what was causing this, but I'm still not sure why.

I actually had this in another area of code in my node server app:

// NOTE(review): this is a SECOND SuperLogin instance built from the same
// config as the one in the server file. The report above observes that its
// mere presence produced "unauthorized" on /auth/session even though this
// instance is never used — presumably each instance sets up its own session
// handling against the shared userDB, so a token issued by one is not
// recognised by the other; verify against the superlogin constructor.
// Construct SuperLogin once and share that instance instead of re-creating it.
const superloginConfig = require('../superloginClient');
var SuperLogin = require('superlogin');
var superlogin = new SuperLogin(superloginConfig);

It wasn't being used, but it seems that including it a second time was causing the unauthorized message.

What would cause this to happen?