keystonejs / keystone

The superpowered headless CMS for Node.js — built with GraphQL and React
https://keystonejs.com
MIT License

keystone 5 App Admin UI signin action doesn't work as expected after building and serving the build #2410

Closed elhakeem closed 4 years ago

elhakeem commented 4 years ago

When I used App Admin UI in development mode the signin page and redirection after signing in worked correctly.

But after building the app I started it locally to ensure that everything works fine before deployment, and then I found that the admin UI signin page doesn't work correctly. I used the same user authentication I used in development and the same database. It called the API correctly and received a 200 status for the login authentication call, and it also triggered the reload, but I was redirected to the signin page again.

  1. create a keystone app with user authentication.
  2. try running and logging into the admin ui in dev mode.
  3. now build the application then start it locally.
  4. try logging into the admin ui from signin page.

Expected behaviour

After signing in call completes successfully the app should redirect me to the main page.

Actual behaviour

After the signin call completes successfully the app reloads and redirects me to the signin page again.

System information

elhakeem commented 4 years ago

I started debugging and found something that may affect the issue.

app-admin-ui/index.js

  isAccessAllowed(req) {
    if (!this.authStrategy) {
      return true;
    }
    return (
      req.user &&
      this._isAccessAllowed({ authentication: { item: req.user, listKey: req.authedListKey } }) &&
      req.session.audiences &&
      req.session.audiences.includes('admin')
    );
  }

The isAccessAllowed function depends on the req.session key, but when I checked the req object I found that the key is called req.Session.session in some requests, so I tried fixing it this way:

// Fall back to req.Session.session when req.session is absent.
const sessionKey = req.session || (req.Session && req.Session.session);

return (
  req.user &&
  this._isAccessAllowed({ authentication: { item: req.user, listKey: req.authedListKey } }) &&
  // Guard against neither key being present, which would otherwise throw on .audiences.
  sessionKey &&
  sessionKey.audiences &&
  sessionKey.audiences.includes('admin')
);

But this change doesn't fix the issue.

MichaelZaporozhets commented 4 years ago

This can be resolved by setting the sessionStore option to a compatible session store (e.g. connect-mongo). https://www.keystonejs.com/keystonejs/keystone/#sessionstore

const expressSession = require('express-session');
const MongoStore = require('connect-mongo')(expressSession);

const keystone = new Keystone({
  /* ...config */
  sessionStore: new MongoStore({ url: 'mongodb://localhost/my-app' }),
});

This should really be surfaced as a prerequisite to publishing keystone sites. They've got "This should be configured before deploying your app." written next to the section, but it's very easy to miss. I might submit a PR to the docs regarding this tidbit.

Funnily enough, this was an issue with sites in v4 as well; I remember scratching my head for days before someone helped me out.

Heolink commented 4 years ago

If you don't use HTTPS, disable secureCookies: https://www.keystonejs.com/keystonejs/keystone/#securecookies

elhakeem commented 4 years ago

@MichaelZaporozhets Thank you for your reply. I solved it like @Heolink mentioned. It was just setting secureCookies: false. Thank you guys.
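The mechanism behind the fix in this thread, as an added example that is not part of the issue and not Keystone's own code: a production build marks the session cookie Secure, a browser only attaches Secure cookies to https requests, so on a plain-http local server the signin call still returns 200 but the next request to the admin UI arrives without a session and is redirected back to the signin page. The cookie name keystone.sid, the in-memory server, and the flow helper below are constructed for the demonstration; the server's audiences check mirrors the isAccessAllowed snippet quoted earlier.

```javascript
// Added example (not from the issue thread or the Keystone project): models the
// Secure-cookie rule that makes a production build "log you out" over plain http.

// Parse one Set-Cookie header value into { name, value, attrs }.
function parseSetCookie(header) {
  const [pair, ...attrParts] = header.split(';').map(s => s.trim());
  const eq = pair.indexOf('=');
  const name = pair.slice(0, eq);
  const value = pair.slice(eq + 1);
  const attrs = {};
  for (const part of attrParts) {
    const i = part.indexOf('=');
    const key = (i === -1 ? part : part.slice(0, i)).toLowerCase();
    attrs[key] = i === -1 ? true : part.slice(i + 1);
  }
  return { name, value, attrs };
}

// Browser-like cookie jar: cookies carrying the Secure attribute are attached
// to https requests only, which is the behaviour that drops the session here.
class CookieJar {
  constructor() {
    this.cookies = new Map();
  }
  store(setCookieHeader) {
    const cookie = parseSetCookie(setCookieHeader);
    this.cookies.set(cookie.name, cookie);
  }
  cookieHeaderFor(url) {
    const isHttps = new URL(url).protocol === 'https:';
    return [...this.cookies.values()]
      .filter(c => isHttps || !c.attrs.secure)
      .map(c => `${c.name}=${c.value}`)
      .join('; ');
  }
}

// Constructed stand-in for the server: issues a session cookie on signin and
// requires a session whose audiences include 'admin' on /admin.
function makeServer({ secureCookies }) {
  const sessions = new Map(); // sid -> { audiences }
  let nextId = 1;
  return {
    signin() {
      const sid = `sid${nextId++}`;
      sessions.set(sid, { audiences: ['admin'] });
      const attrs = ['HttpOnly', 'Path=/'];
      if (secureCookies) attrs.push('Secure'); // what a production build does
      return { status: 200, setCookie: [`keystone.sid=${sid}`, ...attrs].join('; ') };
    },
    admin(cookieHeader) {
      const match = /(?:^|;\s*)keystone\.sid=([^;]+)/.exec(cookieHeader || '');
      const session = match && sessions.get(match[1]);
      const allowed = !!(session && session.audiences && session.audiences.includes('admin'));
      return allowed ? { status: 200 } : { status: 302, location: '/admin/signin' };
    },
  };
}

// Sign in, then load /admin from the given origin; report what the browser sees.
function signinFlow({ secureCookies, origin }) {
  const server = makeServer({ secureCookies });
  const jar = new CookieJar();
  const login = server.signin();
  jar.store(login.setCookie);
  const page = server.admin(jar.cookieHeaderFor(`${origin}/admin`));
  return { loginStatus: login.status, adminStatus: page.status, redirect: page.location || null };
}

// The three deployments discussed in the thread.
console.log(signinFlow({ secureCookies: true, origin: 'http://localhost:3000' })); // 200 then 302 back to signin
console.log(signinFlow({ secureCookies: false, origin: 'http://localhost:3000' })); // 200 then 200
console.log(signinFlow({ secureCookies: true, origin: 'https://example.test' })); // 200 then 200
```

The first call reproduces the report: login returns 200, the reload is redirected to /admin/signin. The second is the secureCookies: false workaround, which is only appropriate for a local plain-http check of the build; the third shows that keeping Secure and serving the site over HTTPS gives the same working flow without exposing the session cookie to plaintext transport.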