stormpath / express-stormpath

Build simple, secure web applications with Stormpath and Express!
http://docs.stormpath.com/nodejs/express/
Apache License 2.0

Regression in 3.1.6: Error cookieParser("secret") required for signed cookies #542

Closed ppitonak closed 7 years ago

ppitonak commented 7 years ago
  1. upgrade express-stormpath to 3.1.6 (from 3.1.5)
  2. navigate to https://example.com/login

This error is displayed/logged:

Error: cookieParser("secret") required for signed cookies
   at ServerResponse.res.cookie (/home/ubuntu/workspace/node_modules/express/lib/response.js:785:11)
   at Object.module.exports [as setTempCookie] (/home/ubuntu/workspace/node_modules/express-stormpath/lib/helpers/set-temp-cookie.js:20:7)
   at text/html (/home/ubuntu/workspace/node_modules/express-stormpath/lib/controllers/login.js:94:15)
   at Object.handleAcceptRequest (/home/ubuntu/workspace/node_modules/express-stormpath/lib/helpers/handle-accept-request.js:59:3)
   at module.exports (/home/ubuntu/workspace/node_modules/express-stormpath/lib/controllers/login.js:27:11)
   at Layer.handle [as handle_request] (/home/ubuntu/workspace/node_modules/express/lib/router/layer.js:95:5)
   at next (/home/ubuntu/workspace/node_modules/express/lib/router/route.js:131:13)
   at forceDefaultBodyMiddleware (/home/ubuntu/workspace/node_modules/express-stormpath/lib/helpers/body-parser.js:41:7)
   at Layer.handle [as handle_request] (/home/ubuntu/workspace/node_modules/express/lib/router/layer.js:95:5)
   at next (/home/ubuntu/workspace/node_modules/express/lib/router/route.js:131:13)
   at Route.dispatch (/home/ubuntu/workspace/node_modules/express/lib/router/route.js:112:3)
   at Layer.handle [as handle_request] (/home/ubuntu/workspace/node_modules/express/lib/router/layer.js:95:5)
   at /home/ubuntu/workspace/node_modules/express/lib/router/index.js:277:22
   at Function.process_params (/home/ubuntu/workspace/node_modules/express/lib/router/index.js:330:12)
   at next (/home/ubuntu/workspace/node_modules/express/lib/router/index.js:271:10)
   at /home/ubuntu/workspace/node_modules/express-stormpath/lib/middleware/get-user.js:173:16
   at Application.authenticateApiRequest (/home/ubuntu/workspace/node_modules/stormpath/lib/resource/Application.js:1094:12)
   at module.exports (/home/ubuntu/workspace/node_modules/express-stormpath/lib/middleware/get-user.js:170:17)
   at Layer.handle [as handle_request] (/home/ubuntu/workspace/node_modules/express/lib/router/layer.js:95:5)
   at trim_prefix (/home/ubuntu/workspace/node_modules/express/lib/router/index.js:312:13)
   at /home/ubuntu/workspace/node_modules/express/lib/router/index.js:280:7
   at Function.process_params (/home/ubuntu/workspace/node_modules/express/lib/router/index.js:330:12)
   at next (/home/ubuntu/workspace/node_modules/express/lib/router/index.js:271:10)
   at cookieParser (/home/ubuntu/workspace/node_modules/cookie-parser/index.js:42:14)
   at Layer.handle [as handle_request] (/home/ubuntu/workspace/node_modules/express/lib/router/layer.js:95:5)
   at trim_prefix (/home/ubuntu/workspace/node_modules/express/lib/router/index.js:312:13)
   at /home/ubuntu/workspace/node_modules/express/lib/router/index.js:280:7
   at Function.process_params (/home/ubuntu/workspace/node_modules/express/lib/router/index.js:330:12)
   at next (/home/ubuntu/workspace/node_modules/express/lib/router/index.js:271:10)
   at localsMiddleware (/home/ubuntu/workspace/node_modules/express-stormpath/lib/stormpath.js:132:7)
   at Layer.handle [as handle_request] (/home/ubuntu/workspace/node_modules/express/lib/router/layer.js:95:5)
   at trim_prefix (/home/ubuntu/workspace/node_modules/express/lib/router/index.js:312:13)
   at /home/ubuntu/workspace/node_modules/express/lib/router/index.js:280:7
   at Function.process_params (/home/ubuntu/workspace/node_modules/express/lib/router/index.js:330:12)
   at next (/home/ubuntu/workspace/node_modules/express/lib/router/index.js:271:10)
   at stormpathUserAgentMiddleware (/home/ubuntu/workspace/node_modules/express-stormpath/lib/stormpath.js:97:5)

mdeggies commented 7 years ago

Hey @ppitonak, I tried to repro this but could not. I tested using the express-stormpath sample project. Can you provide any further info (e.g., what versions of node/npm/ubuntu are you running)? Feel free to link me to your project if it's available so I can take a look, or send it over to support@stormpath.com.

ppitonak commented 7 years ago

Hi,

you can reproduce it using https://github.com/ppitonak/express-stormpath-sample-project/tree/542-cookie-parser

mdeggies commented 7 years ago

@ppitonak, thanks for sending that over. It looks like cookie-parser can only be invoked once (see lines 41-43 here). Since our library invokes & configures it, you can't use your own. :/ @robertjd suggested a fix would be refactoring our code to not rely on the req.cookies state.

ppitonak commented 7 years ago

It works fine if the user initializes cookie-parser with a password, so IMHO it is enough to update the docs.
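
Added example (not part of the thread, and not express-stormpath, cookie-parser or Express code): a dependency-free Node.js model of the behaviour described in the two comments above. `cookieParser`, `makeRes` and `simulate` are simplified stand-ins, and the middleware order, cookie name and secrets are constructed assumptions.

```javascript
const crypto = require('crypto');

// Stand-in for cookie-parser: a second instance on the same request returns
// early, so only the first instance's secret ever reaches req.secret.
function cookieParser(secret) {
  return function (req, res, next) {
    if (req.cookies) return next();   // already parsed: this instance is skipped
    req.secret = secret;              // undefined when no secret was passed
    req.cookies = {};
    next();
  };
}

// Stand-in for res.cookie(): a signed cookie needs req.secret.
function makeRes(req) {
  return {
    sent: {},
    cookie(name, value, opts = {}) {
      if (opts.signed) {
        if (!req.secret) throw new Error('cookieParser("secret") required for signed cookies');
        const mac = crypto.createHmac('sha256', req.secret).update(value).digest('base64');
        value = `s:${value}.${mac.replace(/=+$/, '')}`;
      }
      this.sent[name] = value;
    },
  };
}

// Run the middleware chain, then a handler that sets a signed temporary cookie.
function simulate(middlewares) {
  const req = { headers: {} };
  const res = makeRes(req);
  let i = 0;
  const next = () => (i < middlewares.length
    ? middlewares[i++](req, res, next)
    : res.cookie('tmp', 'value', { signed: true }));   // hypothetical cookie name
  try {
    next();
    return { ok: true, cookie: res.sent.tmp };
  } catch (err) {
    return { ok: false, error: err.message };
  }
}

const LIB_SECRET = 'library-secret';   // constructed value
// App registers its own parser first (assumed order), library's parser second.
const appFirstNoSecret = simulate([cookieParser(), cookieParser(LIB_SECRET)]);
// Same order, app passes a secret: works, but the cookie is signed with the app's key.
const appFirstWithSecret = simulate([cookieParser('app-secret'), cookieParser(LIB_SECRET)]);
const libraryOnly = simulate([cookieParser(LIB_SECRET)]);
```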

VimCommando commented 7 years ago

I'm developing an app using the React Starter Kit (https://github.com/kriasoft/react-starter-kit) and have added Stormpath through express-stormpath. I'm not using the React library because I'm not using react-router in my project.

I just started getting this error from our AWS testing deployment's login page (register still renders fine):

Error: cookieParser("secret") required for signed cookies

  - set-temp-cookie.js:20 Object.module.exports [as setTempCookie]
    [app]/[express-stormpath]/lib/helpers/set-temp-cookie.js:20:7

  - login.js:94 helpers.handleAcceptRequest.text/html
    [app]/[express-stormpath]/lib/controllers/login.js:94:15

  - handle-accept-request.js:59 Object.handleAcceptRequest
    [app]/[express-stormpath]/lib/helpers/handle-accept-request.js:59:3

  - login.js:27 module.exports
    [app]/[express-stormpath]/lib/controllers/login.js:27:11

  - body-parser.js:41 forceDefaultBodyMiddleware
    [app]/[express-stormpath]/lib/helpers/body-parser.js:41:7

  - get-user.js:173
    [app]/[express-stormpath]/lib/middleware/get-user.js:173:16

I tried adding a password to my cookieParser('secret') invocation, and I tried removing cookieParser() altogether; neither will clear the error from AWS. What gets me is that my local environment works just fine and it authenticates to the same Stormpath directory.

EDIT: I just double-checked my express-stormpath versions and I was on 3.1.6 on AWS and 3.15 locally.

robertjd commented 7 years ago

Hello @ppitonak and @VimCommando, please see the new 3.1.7 release; it should fix this problem for you. Please re-open this issue if the problem persists. Thanks!