BadRequestError: checks.state argument is missing, While Production and deployment in digital ocean platform.

Question

BadRequestError: checks.state argument is missing, While Production and deployment in digital ocean platform.

naresh4dev opened this issue 2 years ago · comments

After I deployed my web app over digital ocean. I face the state missing error.

BadRequestError: checks.state argument is missing
at /workspace/node_modules/express-openid-connect/middleware/auth.js:121:19
at processTicksAndRejections (node:internal/process/task_queues:96:5)

This is my config

config = {
    idpLogout: true,
    authRequired: false,
    auth0Logout: true,
    baseURL: process.env.BASE_URL,
    clientID: process.env.CLIENT_ID,
    session :{
        cookie: {
            domain: process.env.SERVER_DOMAIN,
            path : '/',
            sameSite : 'Lax',
            httpOnly : true,
            transient : true,

        },
        rolling: false,
        absoluteDuration: 60 * 60
    },
    issuerBaseURL: process.env.ISSUER_BASE_URL,
    secret: process.env.SECRET,
    routes: {
        login: false,
        postLogoutRedirect: '/api/logout'
    }

}

Update 1 : Setting app.set('true proxy',true); but still the error persists.
Update 2 : Tried to configure httpOnly : true and httpOnly : false alternatively. but it didn't resolve the error.
Update 3 : Debugging in Networks section, I found some warnings related to session cookies.
I have attached my web screenshot.

The ideal goal is to allow login from my front-end react which is proxy connected to express server holding express-openid-connect.

Adam Mcgrath · Answer 1 · Sat Dec 24 2022 01:07:53 GMT+0800 (China Standard Time)

Hi @Naresh1435 - thanks for raising this

I found some warnings related to session cookies.

The Cookie "_auth_verification" does not have a proper "SameSite" is expected - this is for legacy browsers.

I suspect the Cookie "auth_verification" has been rejected because it is already expired. is what is causing your issue.

Not sure why that would be happening, we don't set an expiry on that cookie.

If you could share a har file (with secrets redacted) I can investigate for you.

Adam Mcgrath · Answer 2 · Sat Dec 24 2022 01:09:56 GMT+0800 (China Standard Time)

I suspect the Cookie "auth_verification" has been rejected because it is already expired. is what is causing your issue.

Actually no, this is harmless to - Chrome is telling you it can't delete the cookie

I suspect it's something to do with the SERVER_DOMAIN not matching the domain the cookie is being read from the browser - I'll be able to tell you if I can look at a HAR

Naresh · Answer 3 · Sat Dec 24 2022 05:49:48 GMT+0800 (China Standard Time)

@adamjmcgrath Thanks for dropping back.
Shall I post the Har file over here?

As for the SERVER_DOMAIN name to the server name and the login is happening through front-app with another domain, I tried switching of domains couple of times but didn't work out well.
Looking forward for some alternative options to make the login possible.

Adam Mcgrath · Answer 4 · Tue Jan 03 2023 18:36:10 GMT+0800 (China Standard Time)

Shall I post the Har file over here?

@Naresh1435 Yes please - just be sure to remove any secrets from it, I'm interested in the req/res for /login and /callback

Adam Mcgrath · Answer 5 · Tue Jan 24 2023 18:56:00 GMT+0800 (China Standard Time)

Closing due to inactivity - feel free to share a HAR if you want me to reopen