florianheinemann / passwordless

node.js/express module to authenticate users without password
MIT License

Incorrect req.flash for logout() #91

Open cookie-ag opened 7 years ago

cookie-ag commented 7 years ago

So here is what I am doing:

routes.js

router.get('/logout',security.logoutToken, LogoutController.EmailandLog, LogoutController.DeleteSessions, LogoutController.Redirect);

security.js

exports.logoutToken = passwordless.logout({
    successFlash: 'Hope to see you soon.'
});

//security.restrictedWithoutToken, FYI

exports.restrictedWithoutToken = passwordless.restricted({
    failureRedirect: '/login',
    failureFlash: 'You are not authenticated to view this page. Try again!'
});

LogoutController.js

exports.EmailandLog = function(req, res, next) {
    // No signed-in user in the session: send to the login page and stop the chain here
    if (!req.session || !req.session.email) {
        return res.redirect('/login');
    }
    //Send Email
    next();
};

exports.DeleteSessions = function(req, res, next) {
    req.session.destroy(function(err) {
        if (err) {
            // return here, otherwise next() below runs as well and the chain continues
            return next(err);
        }
        next();
    });
};

exports.Redirect = function(req, res, next) {
    res.redirect('/login');
};

Issue:

florianheinemann commented 7 years ago

Hey, are you sure the controller redirects to a page that is not restricted? Cheers

cookie-ag commented 7 years ago
router.get('/login', ...);
router.post('/login', ...);

Neither of them has any passwordless.restricted(). So the answer is yes, I am sure the controller redirects to a page that is not restricted.

florianheinemann commented 7 years ago

You're also aware that the success-flashes are stored in a different array? https://passwordless.net/deepdive#success-flashes

cookie-ag commented 7 years ago

@florianheinemann I checked and it's not related to req.flash. You can see the logs, where the controller triggers /logout, where it should redirect to /login, but somehow it redirects to req.url (such as /activity, which is restricted), hence showing the error for the restricted module.

  req-started 14-08-2017 01:52:31:334 GET /logout ::ffff:127.0.0.1 +10s
  req-success req.path /logout
  req-success res.statusCode 302
  req-success  +0ms
  req-isended 14-08-2017 01:52:31:335 GET /logout ::ffff:127.0.0.1 +0ms
  req-started 14-08-2017 01:52:31:347 GET /login ::ffff:127.0.0.1 +5ms
  req-success req.path /login
  req-success res.statusCode 200
  req-success  +0ms
  req-isended 14-08-2017 01:52:31:347 GET /login ::ffff:127.0.0.1 +0ms
  req-started 14-08-2017 01:52:31:396 GET /activity/ ::ffff:127.0.0.1 +49ms
  req-success req.path /activity/
  req-success res.statusCode 302
  req-success  +1ms
  req-isended 14-08-2017 01:52:31:397 GET /activity/ ::ffff:127.0.0.1 +0ms
  req-started 14-08-2017 01:52:31:452 GET /login ::ffff:127.0.0.1 +5ms
  req-success req.path /login
  req-success res.statusCode 200
  req-success  +0ms
  req-isended 14-08-2017 01:52:31:452 GET /login ::ffff:127.0.0.1 +0ms

I am trying to find out why it happens, and it doesn't seem to make sense. Any idea?
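Added example, not code from the passwordless project or from anyone in this thread: a dependency-free stand-in for the Express dispatch loop, run over the logout chain posted at the top of the issue. It assumes connect-flash's layout (messages kept in req.session.flash[type]) and express-session's behaviour of dropping req.session on destroy(); logoutToken here is a simplified stand-in for passwordless.logout({ successFlash }), with token invalidation left out.

```javascript
// Express-like dispatch: next() runs the following handler, next(err) goes to the error handler (500 write).
function run(handlers, req) {
  const res = { writes: [], redirect(url) { this.writes.push('302 ' + url); } };
  let i = 0;
  function next(err) {
    if (err) { res.writes.push('500 ' + err.message); return; }
    if (handlers[i]) handlers[i++](req, res, next);
  }
  next();
  return res;
}
// Stand-in for passwordless.logout({ successFlash }): the message goes through
// req.flash, which connect-flash keeps in req.session.flash[type] (assumed layout).
function logoutToken(req, res, next) {
  const store = req.session.flash = req.session.flash || {};
  (store['passwordless-success'] = store['passwordless-success'] || []).push('Hope to see you soon.');
  next();
}
// As posted: next(err) is not returned, so next() also runs and Redirect still fires.
function deleteSessionsAsPosted(req, res, next) {
  req.session.destroy(function (err) {
    if (err) { next(err); }
    next();
  });
}
// Fixed: return after next(err) so only one path is taken.
function deleteSessionsFixed(req, res, next) {
  req.session.destroy(function (err) {
    if (err) return next(err);
    next();
  });
}
function redirect(req, res) { res.redirect('/login'); }
function makeReq(failDestroy) {
  const req = { session: { destroy(cb) {
    if (failDestroy) return cb(new Error('session store down'));
    req.session = null; cb();   // express-session removes req.session on success (assumed)
  } } };
  return req;
}
// Response writes when destroy fails; a second write is "headers already sent" in Express.
function responseWrites(deleteSessions) {
  return run([logoutToken, deleteSessions, redirect], makeReq(true)).writes;
}
// Is the success flash from logout() still there when the chain redirects to /login?
function successFlashSurvives() {
  const req = makeReq(false);
  run([logoutToken, deleteSessionsFixed, redirect], req);
  return !!(req.session && req.session.flash && req.session.flash['passwordless-success']);
}
```

Because DeleteSessions destroys the session after logout() has flashed into it, the success message never reaches the /login page, while the failure flash written later by restricted() on a fresh session does.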