voxpelli / node-connect-pg-simple

A simple, minimal PostgreSQL session store for Express
https://www.npmjs.com/package/connect-pg-simple
MIT License

Two sessions being saved to store #267

Closed averybuehler closed 1 year ago

averybuehler commented 1 year ago

I'm trying to implement session-based authentication in Nest.js using Passport.js and I've run into an issue. I'm not sure if this is directly related to connect-pg-simple but I've tried debugging and can't seem to identify the issue.

I have this route:

@UsePipes(ValidationPipe)
@Post('register')
async registerUser(
  @Body() registerUserDto: RegisterUserDto,
  @Req() request: Request,
): Promise<Omit<User, 'password'>> {
  // session id as the request arrives
  console.log('1 -- ', request.sessionID);
  return this.userService.create(registerUserDto).then((user) => {
    // session id after the user row is created
    console.log('2 -- ', request.sessionID);
    request.logIn(user, () => {
      // session id once Passport has finished logging in
      console.log('3 -- ', request.sessionID);
    });
    const { password, ...userData } = user;
    return userData;
  });
}

What I see in the console is this:

1 --  NWdZEuZFqg4tWoQKPMHOW6BjNE9Y-3ML
2 --  NWdZEuZFqg4tWoQKPMHOW6BjNE9Y-3ML
2.5 -- serializing user
3 --  OBoHcDJkAIRTCQh0yM1TrRlUc6TKrnsY

This is what gets stored in the database:

I don't understand why request.sessionID is changing, and that's the root of my issue. The session with the id of NWdZEuZFqg4tWoQKPMHOW6BjNE9Y-3ML gets returned to the client and is not logged in. The session with the id of OBoHcDJkAIRTCQh0yM1TrRlUc6TKrnsY, however, is logged in but is never sent to the client (because the first session was). I don't understand why the session id is changing because it's not allowing me to authenticate the user upon registering.

The ideal behavior is for only one session to be created, for that session to be logged in, and for that session to be returned to the client.

Does anyone have any insight into what might be causing this? I've been troubleshooting forever but can't find any solutions.

voxpelli commented 1 year ago

I think it's pretty common to get a new session id once you sign in, to I guess e.g. make session fixation attacks harder.

You may find better help in the express-session project as this is probably more related to the general workings of session rather than this specific backend.

Do you still have an issue with this @AveryBuehler? I'm going to close this for now, but comment again and I can open it up for further investigation.

Sorry for being so slow to respond, my paid assignments took all of my time and I currently can not afford to turn paid work down.