feat(auth): enhance session management and debugging capabilities
- Improved session regeneration process to enhance security against session fixation attacks. - Added detailed logging for session regeneration errors and fallback mechanisms. - Introduced a new debug endpoint to provide insights into session data, cookies, and authentication status for easier troubleshooting. - Updated response structure to include session ID and cookie name for mobile app integration, ensuring proper session handling.
@@ -249,16 +249,20 @@ export default class AuthController extends WorklenzControllerBase {
|
|||||||
});
|
});
|
||||||
}
|
}
|
||||||
|
|
||||||
// Regenerate session to prevent session fixation
|
// Regenerate session for security (prevent session fixation attacks)
|
||||||
|
// Store the old session ID for debugging
|
||||||
const oldSessionId = req.sessionID;
|
const oldSessionId = req.sessionID;
|
||||||
|
|
||||||
req.session.regenerate((regenErr) => {
|
req.session.regenerate((regenErr) => {
|
||||||
if (regenErr) {
|
if (regenErr) {
|
||||||
console.log("Session regeneration error:", regenErr);
|
console.log("Session regeneration error:", regenErr);
|
||||||
|
// Fall back to using existing session if regeneration fails
|
||||||
|
console.log("Falling back to existing session");
|
||||||
|
} else {
|
||||||
|
console.log("Session regenerated from:", oldSessionId, "to:", req.sessionID);
|
||||||
}
|
}
|
||||||
|
|
||||||
console.log("Session regenerated from:", oldSessionId, "to:", req.sessionID);
|
// Re-establish the user in the session (new or existing)
|
||||||
|
|
||||||
// Re-establish the user in the new session
|
|
||||||
(req.session as any).passport = { user: { id: user.id } };
|
(req.session as any).passport = { user: { id: user.id } };
|
||||||
|
|
||||||
console.log("=== LOGIN SUCCESSFUL ===");
|
console.log("=== LOGIN SUCCESSFUL ===");
|
||||||
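Review bot: The `if (regenErr)` branch logs and then continues with `Falling back to existing session`, so a login that hits a store error completes on the pre-authentication session ID — the fixation scenario the regeneration is meant to close, and the commit message's security claim does not hold on that path. Treat the failure as fatal to the login instead: `if (regenErr) { return next(regenErr); }` (`next` is available, the handler is invoked with `(req, res, next)` at its end), so the session is never promoted without a fresh ID. Separately, the `console.log("Session regenerated from:", oldSessionId, "to:", req.sessionID)` line writes both session identifiers into the log stream; log that regeneration happened, not the IDs. The enclosing login handler and its passport callback begin before this hunk.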
@@ -284,29 +288,30 @@ export default class AuthController extends WorklenzControllerBase {
|
|||||||
});
|
});
|
||||||
}
|
}
|
||||||
|
|
||||||
// Force the session cookie to be sent
|
// Get session cookie details
|
||||||
const sessionName = process.env.SESSION_NAME || 'connect.sid';
|
const sessionName = process.env.SESSION_NAME || 'connect.sid';
|
||||||
const sessionCookie = req.sessionID;
|
|
||||||
|
|
||||||
console.log("Session saved successfully");
|
console.log("Session saved successfully");
|
||||||
console.log("Session name:", sessionName);
|
console.log("Session name:", sessionName);
|
||||||
console.log("Session ID to be sent:", sessionCookie);
|
console.log("Session ID to be sent:", req.sessionID);
|
||||||
|
|
||||||
// The session middleware should automatically set the cookie
|
// Check if Set-Cookie header is being sent
|
||||||
// But let's check if it's being set
|
|
||||||
console.log("Response headers after save:", res.getHeaders());
|
console.log("Response headers after save:", res.getHeaders());
|
||||||
console.log("Set-Cookie header:", res.getHeader('set-cookie'));
|
console.log("Set-Cookie header:", res.getHeader('set-cookie'));
|
||||||
|
|
||||||
|
// Return response with explicit instruction for mobile app
|
||||||
return res.status(200).send({
|
return res.status(200).send({
|
||||||
done: true,
|
done: true,
|
||||||
message: "Login successful",
|
message: "Login successful",
|
||||||
user,
|
user,
|
||||||
authenticated: true,
|
authenticated: true,
|
||||||
sessionId: req.sessionID, // Include for debugging
|
sessionId: req.sessionID, // Mobile app should use this session ID
|
||||||
sessionCookie: sessionName // Include cookie name for debugging
|
sessionCookie: sessionName, // Cookie name for mobile app
|
||||||
|
// Important: Mobile app must update its session cookie!
|
||||||
|
updateSessionRequired: oldSessionId !== req.sessionID
|
||||||
});
|
});
|
||||||
});
|
});
|
||||||
}); // Close regenerate callback
|
});
|
||||||
}); // Close login callback
|
}); // Close login callback
|
||||||
})(req, res, next);
|
})(req, res, next);
|
||||||
}
|
}
|
||||||
|
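Review bot: `sessionId: req.sessionID` in the response body exposes the session identifier to any script that can read the response, which forfeits whatever protection an HttpOnly session cookie gives (the cookie flags are set outside this hunk, so I cannot confirm them here); a browser client never needs it, and if the mobile client genuinely cannot use the cookie, a dedicated token issued only to that client type is the safer shape. In the same block, `console.log("Response headers after save:", res.getHeaders())` and the `Set-Cookie header:` line print the full cookie value into the logs; drop both or reduce them to a boolean such as `console.log("Set-Cookie present:", res.getHeader('set-cookie') !== undefined)`. `updateSessionRequired: oldSessionId !== req.sessionID` relies on `oldSessionId` captured in the earlier hunk's closure, which is fine but worth a comment noting it is only meaningful after a successful regenerate.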
|||||||
@@ -22,6 +22,21 @@ authRouter.post("/login", passport.authenticate("local-login", options("login"))
|
|||||||
authRouter.post("/signup", signUpValidator, passwordValidator, passport.authenticate("local-signup", options("signup")));
|
authRouter.post("/signup", signUpValidator, passwordValidator, passport.authenticate("local-signup", options("signup")));
|
||||||
authRouter.post("/signup/check", signUpValidator, passwordValidator, safeControllerFunction(AuthController.status_check));
|
authRouter.post("/signup/check", signUpValidator, passwordValidator, safeControllerFunction(AuthController.status_check));
|
||||||
authRouter.get("/verify", AuthController.verify);
|
authRouter.get("/verify", AuthController.verify);
|
||||||
|
authRouter.get("/debug", (req, res) => {
|
||||||
|
console.log("=== DEBUG ENDPOINT ===");
|
||||||
|
console.log("Session ID:", req.sessionID);
|
||||||
|
console.log("All cookies:", req.cookies);
|
||||||
|
console.log("Cookie header:", req.headers.cookie);
|
||||||
|
console.log("Session data:", req.session);
|
||||||
|
console.log("Is authenticated:", req.isAuthenticated());
|
||||||
|
res.json({
|
||||||
|
sessionId: req.sessionID,
|
||||||
|
cookies: req.cookies,
|
||||||
|
cookieHeader: req.headers.cookie,
|
||||||
|
authenticated: req.isAuthenticated(),
|
||||||
|
session: req.session
|
||||||
|
});
|
||||||
|
});
|
||||||
authRouter.get("/check-password", safeControllerFunction(AuthController.checkPasswordStrength));
|
authRouter.get("/check-password", safeControllerFunction(AuthController.checkPasswordStrength));
|
||||||
|
|
||||||
authRouter.post("/reset-password", resetEmailValidator, safeControllerFunction(AuthController.reset_password));
|
authRouter.post("/reset-password", resetEmailValidator, safeControllerFunction(AuthController.reset_password));
|
||||||
|
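Review bot: The new `authRouter.get("/debug", ...)` route is unauthenticated and returns `req.session` (which after login carries the passport user), `req.cookies`, the raw `Cookie` header and the session ID to the caller, and also prints them to the log — an information-disclosure endpoint if it ships. At minimum gate it so it is unreachable outside development, e.g. `if (process.env.NODE_ENV === 'production') return res.status(404).end();` as the first line, and drop `cookieHeader` and `session` from the payload in favour of non-secret fields; better still, keep it out of the committed router entirely. Two smaller points: `req.isAuthenticated()` is called twice per request (once for the log, once for the body) and could be read into a local, and `res.json(...)` should be returned or the handler otherwise marked as terminal for consistency with the surrounding routes wrapped in `safeControllerFunction`.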
|||||||