auth0 / express-openid-connect

An Express.js middleware to protect OpenID Connect web applications.


Use appSession for unauthenticated users

webstacker opened this issue · comments


Describe the problem you'd like to have solved

Our unauthenticated / anonymous users can perform a subset of actions provided to authenticated users. Is it possible to use the appSession cookie for these users too? It would be nice to be able to access the encrypted cookie functionality for their session data.

This is probably related, but is it possible to store things in the appSession cookie prior to authentication? e.g. an unauthenticated user performs some actions and has their appSession cookie updated. They then authenticate and this session data is still available.

Hi @webstacker - yep, this is possible - we keep the existing state on the anonymous session and merge the new details onto it (for things like shopping baskets), something like:

const express = require('express');
const { auth, requiresAuth } = require('express-openid-connect');

const app = express();

// authRequired: false gives anonymous visitors an appSession cookie as well.
// auth() reads ISSUER_BASE_URL, BASE_URL, CLIENT_ID and SECRET from the environment.
app.use(auth({ authRequired: false }));

app.get('/anonymous', (req, res) => {
  req.appSession.foo = 'bar';
  res.send('stored in anonymous session');
});

app.get('/logged-in', requiresAuth(), (req, res) => {
  console.log(req.appSession.foo); // 'bar'
  console.log(req.oidc.user.name); // 'your name'
  res.send('ok');
});

app.listen(3000);

// 1. visit /anonymous
// 2. visit /logged-in
// 3. login and return to /logged-in

Thanks @adamjmcgrath for the quick reply! That's perfect, exactly what I'm looking to do. I couldn't see anything in the docs that mentioned this. Your unauthenticated / anonymous session example would be a great addition to the examples page.