flexdash / node-red-flexdash

Node-RED server integration for FlexDash
MIT License

Unable to use Flexdash when adminAuth configured for OAuth #12

Closed knolleary closed 1 year ago

knolleary commented 1 year ago

When adminAuth is configured for OAuth access, opening the flexdash page results in a fatal error:

TypeError: req.session.touch is not a function

I have tracked down the root cause and will be raising a PR shortly with a proposed fix/workaround in Flexdash.

In summary, with adminAuth set up, Node-RED sets req.session to an instance of express-session. This includes a hook once the request is completed to trigger a refresh of the cookie (by calling req.session.touch()).

Flexdash uses cookie-session (https://github.com/flexdash/node-red-flexdash/blob/main/flexdash-dashboard.js#L278)

This sets req.session to a new session object with every request that hits the flexdash express app. In doing so it overwrites the existing req.session value with a different session implementation that doesn't include touch. So when express-session runs its code to refresh the cookie, req.session is no longer the one it expected and you get the reported error.

There are a number of long-open issues around supporting multiple session objects in express to help support this type of application co-existence - unfortunately they have not got anywhere with proposed PRs unmerged.

Having explored various options in both Node-RED and flexdash, I think the only practical solution is to add some conditional logic around where flexdash sets up req.session to only do so if no such object already exists. I have verified that works locally for the simple case of accessing the dashboard, but not done an exhaustive test of flexdash's cookie handling to ensure it all hangs together as expected.

Originally reported here: https://github.com/flowforge/flowforge/issues/1778
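
The conflict described in the comment above, reproduced as an added example that is not part of the original issue or of the flexdash code. `adminSession` and `dashboardSession` are simplified stand-ins (assumptions) for express-session and cookie-session, and `onlyIfNoSession` and `handle` are hypothetical helper names; the real libraries are not loaded.

```javascript
// Stand-in for express-session (assumption: simplified model, not the real library).
// Installs a session with touch() and refreshes it when the response ends.
function adminSession(req, res, next) {
  req.session = { user: 'admin', touched: 0, touch() { this.touched += 1; } };
  const end = res.end;
  res.end = function (...args) {
    req.session.touch(); // throws if req.session was replaced downstream
    return end.apply(this, args);
  };
  next();
}

// Stand-in for cookie-session: unconditionally replaces req.session
// with a different session object that has no touch().
function dashboardSession(req, res, next) {
  req.session = { isNew: true };
  next();
}

// The conditional logic: only set up a session if no such object already exists.
function onlyIfNoSession(middleware) {
  return (req, res, next) => (req.session ? next() : middleware(req, res, next));
}

// Minimal middleware runner for a single constructed request.
function handle(stack) {
  const req = {};
  const res = { ended: false, end() { this.ended = true; } };
  let i = 0;
  const next = () => {
    const mw = stack[i++];
    if (mw) mw(req, res, next);
    else res.end();
  };
  try {
    next();
    return { ok: true, session: req.session, ended: res.ended };
  } catch (err) {
    return { ok: false, error: err.message };
  }
}

const unguarded = handle([adminSession, dashboardSession]);
const guarded = handle([adminSession, onlyIfNoSession(dashboardSession)]);
const noAdminAuth = handle([onlyIfNoSession(dashboardSession)]);
console.log({ unguarded, guarded, noAdminAuth });
```

With the guard in place the dashboard handlers see the admin session object rather than one of their own, so anything they read from or write to req.session goes through that shared object.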