ellioseven / kratos-ss-ui-react


Backend usage #7

Open benjick opened 3 years ago

benjick commented 3 years ago

First of all, thanks for this!

I was wondering if you could add an example on how to use this with a simple express (or other) service. I've been reading the code but I'm not sure how to verify the user session.

zepatrik commented 3 years ago

Are you looking for something like https://github.com/ory/kratos-selfservice-ui-node ?

benjick commented 3 years ago

Hello. No, I want to use this but I don't really see how I can protect my react apps backend with this.


ellioseven commented 3 years ago

Just clarifying so I understand.

You're not sure how to verify a user session during a server-side process (e.g. forwarding a React session to an Express.js API).

In this example, I am using the whoami endpoint to verify a user session client side.

I believe this is also done in the node reference that @zepatrik posted.

This example really only focuses on client-side authentication/authorisation, so you'd want to emulate the node reference if you'd like to secure your backend. I'm not sure how to forward the session though, as we don't have access to the HTTP-only auth cookie. You might have to redirect to the service so that it has access to that cookie.

Let me look into this, as it's a pretty good use case.

zepatrik commented 3 years ago

Yes, the /whoami endpoint can be used in the browser or backend and is the primary way to solve this. You can also use e.g. https://github.com/ory/oathkeeper or some other reverse proxy to protect backend endpoints.

benjick commented 3 years ago

@ellioseven yes, you are correct. Thank you for answering.

Maybe it's not the best use case or maybe I don't understand this example really.

So basically I should run kratos.whoami on my backend (e.g. Express) with the cookie to verify that the user is logged in, am I getting this right?

vinckr commented 3 years ago

There is some documentation on it too @benjick: https://www.ory.sh/kratos/docs/guides/login-session/#checking-for-login-sessions

To me it sounds like the right approach! (not having worked with express ever)
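
The approach agreed on above (the backend forwards the browser's session cookie to Kratos's `/sessions/whoami` endpoint and trusts only an active session) in working code. This is an added example and is not code from the kratos-ss-ui-react project, from kratos-selfservice-ui-node, or from anyone in this thread. It assumes a Kratos public API base URL in `KRATOS_PUBLIC_URL`, uses the real Kratos endpoint `GET /sessions/whoami` (which accepts the `ory_kratos_session` cookie or an `X-Session-Token` header) and the real session fields `active`, `expires_at` and `identity.id`; the function names (`evaluateWhoami`, `whoami`, `requireSession`, `runMiddleware`), the fake Kratos stub and the constructed cookie and session values are illustration only. Only the Node standard library is used so it runs offline; the middleware has the Express `(req, res, next)` shape.

```javascript
// Added example (not the project's own code): verify an Ory Kratos session from
// an Express-style backend by forwarding the browser's cookie to /sessions/whoami.
// Assumption: KRATOS_PUBLIC_URL points at the Kratos public API. The HTTP client
// is injected so the example can run offline against the constructed fake below.

const KRATOS_PUBLIC_URL = process.env.KRATOS_PUBLIC_URL || 'http://127.0.0.1:4433';

// Pure decision logic kept separate from I/O. Returns the session when it is
// usable, otherwise null. Status must be 200, `active` must be exactly true
// (Kratos marks revoked sessions inactive), and we double-check `expires_at`.
function evaluateWhoami(status, body, now = new Date()) {
  if (status !== 200 || !body || typeof body !== 'object') return null;
  if (body.active !== true) return null;
  if (body.expires_at && new Date(body.expires_at) <= now) return null;
  if (!body.identity || !body.identity.id) return null;
  return body;
}

// Forward the incoming request's credential to Kratos. The browser attaches the
// HttpOnly `ory_kratos_session` cookie to calls to this backend on its own; the
// backend never reads or parses it, it only relays the Cookie header. Native /
// API clients may send `X-Session-Token` instead, which Kratos also accepts.
async function whoami({ cookie, sessionToken }, fetchImpl = globalThis.fetch) {
  if (!cookie && !sessionToken) return null; // no credential: don't call Kratos at all
  const headers = { Accept: 'application/json' };
  if (cookie) headers.Cookie = cookie;
  if (sessionToken) headers['X-Session-Token'] = sessionToken;
  const res = await fetchImpl(`${KRATOS_PUBLIC_URL}/sessions/whoami`, { headers });
  let body = null;
  try { body = await res.json(); } catch (_) { body = null; }
  return evaluateWhoami(res.status, body);
}

// Express-compatible middleware: 401 unless Kratos confirms an active session.
// A transport error towards Kratos fails closed (502), never open.
function requireSession(fetchImpl = globalThis.fetch) {
  return async function (req, res, next) {
    try {
      const session = await whoami(
        { cookie: req.headers.cookie, sessionToken: req.headers['x-session-token'] },
        fetchImpl,
      );
      if (!session) {
        res.statusCode = 401;
        return res.end('Unauthorized');
      }
      req.session = session; // downstream handlers use req.session.identity.id
      return next();
    } catch (_err) {
      res.statusCode = 502;
      return res.end('Session check unavailable');
    }
  };
}

// ---- Constructed stand-in for Kratos so the example runs offline (not real data) ----
const FAKE_COOKIE = 'ory_kratos_session=example-session-cookie-value';
const FAKE_SESSION = {
  id: '11111111-1111-1111-1111-111111111111',
  active: true,
  expires_at: new Date(Date.now() + 3600 * 1000).toISOString(),
  identity: { id: '22222222-2222-2222-2222-222222222222', traits: { email: 'alice@example.com' } },
};
async function fakeKratosFetch(url, { headers }) {
  const ok = url.endsWith('/sessions/whoami') && headers.Cookie === FAKE_COOKIE;
  return ok
    ? { status: 200, json: async () => FAKE_SESSION }
    : { status: 401, json: async () => ({ error: { code: 401, reason: 'No valid session' } }) };
}

// Minimal req/res stubs so the middleware can be exercised without Express installed.
async function runMiddleware(headers, fetchImpl = fakeKratosFetch) {
  const req = { headers };
  const res = { statusCode: 200, body: null, end(b) { this.body = b; } };
  let nextCalled = false;
  await requireSession(fetchImpl)(req, res, () => { nextCalled = true; });
  return {
    status: nextCalled ? 200 : res.statusCode,
    identityId: req.session ? req.session.identity.id : null,
  };
}

if (typeof require !== 'undefined' && require.main === module) {
  runMiddleware({ cookie: FAKE_COOKIE }).then(console.log); // { status: 200, identityId: '2222...' }
  runMiddleware({}).then(console.log);                       // { status: 401, identityId: null }
}
```

Two points worth noting. First, the cookie forwarding only works when the browser actually sends the Kratos cookie to your backend, i.e. the backend and the Kratos public endpoint sit on the same site (typically both behind one reverse proxy); the React app cannot read the HttpOnly cookie itself, and does not need to. Second, every request costs a round trip to Kratos; if that is too expensive, the Oathkeeper reverse proxy mentioned above does the same check in front of the backend.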