Use appSession for unauthenticated users
webstacker opened this issue · comments
Describe the problem you'd like to have solved
Our unauthenticated / anonymous users can perform a subset of actions provided to authenticated users. Is it possible to use the appSession cookie for these users too? It would be nice to be able to access the encrypted cookie functionality for their session data.
This is probably related, but is it possible to store things in the appSession cookie prior to authentication? e.g. an unauthenticated user performs some actions and has their appSession cookie updated. They then authenticate and this session data is still available.
Hi @webstacker - yep, this is possible - we keep the existing state on the anonymous session and merge the new details onto it (for things like shopping baskets), something like:
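```js
const express = require('express');
const { auth, requiresAuth } = require('express-openid-connect');

const app = express();

// authRequired: false lets anonymous visitors through without forcing a login
app.use(auth({ authRequired: false }));

app.get('/anonymous', (req, res) => {
  req.appSession.foo = "bar"; // set on the session before the user logs in
  res.send('ok');
});

app.get('/logged-in', requiresAuth(), (req, res) => {
  console.log(req.appSession.foo); // 'bar'
  console.log(req.oidc.user.name); // 'your name'
  res.send('ok');
});

// 1. visit /anonymous
// 2. visit /logged-in
// 3. login and return to /logged-in
```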
Thanks @adamjmcgrath for the quick reply! That's perfect, exactly what I'm looking to do. I couldn't see anything in the docs that mentioned this. Your unauthenticated / anonymous session example would be a great addition to the examples page.