Open benjick opened 3 years ago
Are you looking for something like https://github.com/ory/kratos-selfservice-ui-node ?
Hello. No, I want to use this but I don't really see how I can protect my react apps backend with this.
On Fri, 2 Apr 2021, 21:00 Patrik wrote:
> Are you looking for something like https://github.com/ory/kratos-selfservice-ui-node ?
Just clarifying so I understand.
You're not sure how to verify a user session during a server-side process (e.g. forwarding a React session to an Express.js API).
In this example, I am using the whoami endpoint to verify a user session client-side.
I believe this is also done in the node reference that @zepatrik posted.
This example really only focuses on client-side authentication/authorisation, so you'd want to emulate the node reference if you'd like to secure your backend. I'm not sure how to forward the session though, as we don't have access to the HTTP-only auth cookie. You might have to redirect to the service so that it has access to that cookie.
Let me look into this, as it's a pretty good use case.
Yes, the /whoami endpoint can be used in the browser or backend and is the primary way to solve this. You can also use e.g. https://github.com/ory/oathkeeper or some other reverse proxy to protect backend endpoints.
@ellioseven yes, you are correct. Thank you for answering.
Maybe it's not the best use case or maybe I don't understand this example really.
So basically I should run kratos.whoami on my backend (e.g. Express) with the cookie to verify that the user is logged in, am I getting this right?
There is some documentation on it too @benjick: https://www.ory.sh/kratos/docs/guides/login-session/#checking-for-login-sessions
To me it sounds like the right approach! (not having worked with Express ever)
First of all, thanks for this!
I was wondering if you could add an example on how to use this with a simple Express (or other) service. I've been reading the code but I'm not sure how to verify the user session.
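The approach the thread converges on (run the whoami check on the backend with the browser's cookie, as suggested by @zepatrik and in the linked Kratos docs), written out as an Express middleware. This is an added example, not code from this repository or from Ory. It assumes: the Kratos public API is reachable at KRATOS_PUBLIC_URL, the session cookie uses Kratos's default name `ory_kratos_session`, the Express API is served on the same site as the React app so the browser actually sends that HTTP-only cookie along with API requests, and Node 18+ (global `fetch`, which is injectable so the check can be exercised without a running Kratos).

```javascript
// Added example (not the project's own code): verify a Kratos browser session
// server-side by forwarding the session cookie to GET /sessions/whoami.
// Assumptions: Kratos public URL below, default cookie name, Node 18+ fetch.
const KRATOS_PUBLIC_URL = process.env.KRATOS_PUBLIC_URL || "http://127.0.0.1:4433";
const SESSION_COOKIE = "ory_kratos_session"; // Kratos default; configurable in kratos.yml

// Pull a single cookie out of a raw Cookie header, so only the Kratos session
// cookie is forwarded to Kratos and not every cookie the browser sent this API.
function pickCookie(cookieHeader, name) {
  if (!cookieHeader) return null;
  for (const part of cookieHeader.split(";")) {
    const [key, ...rest] = part.trim().split("=");
    if (key === name && rest.length) return `${name}=${rest.join("=")}`;
  }
  return null;
}

// Ask Kratos whether the cookie belongs to an active session.
// Returns the session object on success, null on any authentication failure.
async function verifySession(cookieHeader, opts = {}) {
  const fetchImpl = opts.fetchImpl || globalThis.fetch;
  const kratosUrl = opts.kratosUrl || KRATOS_PUBLIC_URL;
  const cookie = pickCookie(cookieHeader, SESSION_COOKIE);
  if (!cookie) return null;
  const res = await fetchImpl(`${kratosUrl}/sessions/whoami`, {
    headers: { Cookie: cookie, Accept: "application/json" },
    redirect: "manual", // never follow a redirect to a login page as if it were a session
  });
  if (res.status !== 200) return null; // Kratos answers 401 for a missing or invalid session
  const session = await res.json();
  if (!session || session.active !== true || !session.identity) return null;
  return session;
}

// Express-style middleware: responds 401 unless Kratos confirms the session.
function requireSession(opts = {}) {
  return async function (req, res, next) {
    try {
      const session = await verifySession(req.headers.cookie, opts);
      if (!session) return res.status(401).json({ error: "unauthorized" });
      req.kratosSession = session; // handlers can read session.identity.id, traits, etc.
      return next();
    } catch (err) {
      return next(err); // Kratos unreachable: fail closed (500 via the error handler), never 200
    }
  };
}

// Usage in an Express app (requires the express package, not loaded here):
//   const app = require("express")();
//   app.get("/api/me", requireSession(), (req, res) => res.json(req.kratosSession.identity));
```

Two details worth keeping: `redirect: "manual"` prevents a login-page redirect from being mistaken for a successful response, and a network error to Kratos is passed to `next(err)` rather than swallowed, so an outage degrades to a 500 instead of letting requests through. If the React app and the API live on different sites, the cookie will not be sent by the browser and you would need to forward a session token in the `X-Session-Token` header instead, which whoami also accepts.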