cookie token expires immediately after login
mihaa1 opened this issue · comments
Version: 1.1.70
Describe the bug
Hello,
I am using Authorizer instance deployed on railway.
React + express.
On production, for some reason, right after login, the token is no longer valid, and all subsequent requests fail.
My setup:
- passing the token in the cookie to the backend
- using getSession() to authenticate and get the user
Note: I didn't get getSession() to work as described in the docs - with bearer token. I'm passing the cookie to it as below:
```js
const session = await authorizerRef.getSession({
  cookie: `cookie_session=${token}`,
});
```
Response I'm getting:
[ { message: 'unauthorized', path: [ 'session' ] } ]
Desktop (please complete the following information):
- OS: Mac
- Browser: chrome
@mihaa1 For the backend, cookie session is not recommended. We refresh the cookie session with the session query for security reasons.
For the backend I recommend using access_token.
Thanks.
Will it make sense to return the token I receive in the server to the client with Set-cookie?
@mihaa1
In my project, I have
- Vue3 (Frontend)
- Backend (Golang API)
- Authorizer (without MFA)
- Frontend -> Authorizer
- My Frontend (Vue3) logs in directly to Authorizer and gets a Cookie (httpOnly with 365 days expiry time) with JSON (access_token, ...etc) from the response.
- Now I save access_token to the store (Pinia).
*** access_token will only be stored in memory; when you close the browser or tab it will be removed. (for security reasons)
*** The Cookie that you get from login (it is not removed) you now have to use with
```js
const res = await authorizerRef.getSession();
```
to get a new access_token
- Backend -> Authorizer
- My Backend (Golang API): I create middleware which receives access_token from Frontend (Vue3) and sends it to Authorizer to verify the token
1.1 Valid token -> do handler
1.2 Invalid -> return 401
@bright-coder thank you.
Which method do you use on the backend to check the token?
Example in Golang SDK
```go
package middleware

// Imports added for completeness; the original comment showed only the handler.
import (
	"slices" // Go 1.21+ standard library
	"strings"

	"github.com/authorizerdev/authorizer-go"
	"github.com/gofiber/fiber/v2"
)

// IsAuth returns a Fiber middleware that verifies the Authorizer access_token
// sent by the frontend in the Authorization header. s.authorizerAdatper is the
// commenter's own wrapper that builds an Authorizer client.
func (s *jwtAuthorizer) IsAuth() fiber.Handler {
	return func(c *fiber.Ctx) error {
		// Expect "Authorization: Bearer <access_token>"
		authHeader := c.Get("Authorization")
		tokenSplit := strings.Split(authHeader, " ")
		if len(tokenSplit) < 2 || tokenSplit[1] == "" {
			return fiber.ErrUnauthorized
		}
		client, err := s.authorizerAdatper.GetClient(map[string]string{})
		if err != nil {
			return fiber.ErrUnauthorized
		}
		// Ask Authorizer to validate the token as an access_token (not an id_token)
		res, err := client.ValidateJWTToken(&authorizer.ValidateJWTTokenInput{
			TokenType: authorizer.TokenTypeAccessToken,
			Token:     tokenSplit[1],
		})
		if err != nil {
			return fiber.ErrUnauthorized
		}
		if !res.IsValid {
			return fiber.ErrUnauthorized
		}
		// res.Claims["allowed_roles"] => ["users", "admin"]
		// res.Claims["sub"] => uuid
		// Authorization step: this route requires the "admin" role.
		// The comma-ok assertion avoids a panic when the claim is absent.
		roles, _ := res.Claims["allowed_roles"].([]interface{})
		if !slices.Contains(roles, any("admin")) {
			return fiber.ErrForbidden
		}
		// Expose the user id to downstream handlers
		c.Locals("user_id", res.Claims["sub"])
		return c.Next()
	}
}
```
but I don't know the difference between access_token and id_token.
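The same check for the reporter's Express backend, as an added example that is not code from the thread or from the Authorizer project: the Authorizer call is injected as `validate`, assumed to behave like the JS SDK's `authorizerRef.validateJWTToken` and resolve to `{ is_valid, claims }`; the fake validator, tokens and claims are constructed so the block runs offline.

```javascript
// Added example (not from the thread): Express-style middleware that checks an
// Authorizer access_token instead of the rotating cookie_session.
// `validate` is injected and assumed to behave like the JS SDK's
// authorizerRef.validateJWTToken, resolving to { is_valid, claims } (assumption).
function requireRole(validate, role) {
  return async function (req, res, next) {
    const header = (req.headers && req.headers.authorization) || '';
    const [scheme, token] = header.split(' ');
    if (scheme !== 'Bearer' || !token) {
      return res.status(401).json({ message: 'unauthorized' });
    }
    let result;
    try {
      result = await validate({ token_type: 'access_token', token });
    } catch (err) {
      return res.status(401).json({ message: 'unauthorized' });
    }
    if (!result || !result.is_valid) {
      return res.status(401).json({ message: 'unauthorized' });
    }
    const roles = Array.isArray(result.claims.allowed_roles) ? result.claims.allowed_roles : [];
    if (role && !roles.includes(role)) {
      return res.status(403).json({ message: 'forbidden' });
    }
    req.userId = result.claims.sub; // expose the subject to downstream handlers
    return next();
  };
}

// Constructed stand-in for the SDK call so the example runs offline.
async function fakeValidate({ token_type, token }) {
  const known = {
    'tok-admin': { sub: 'uuid-1', allowed_roles: ['user', 'admin'] },
    'tok-user': { sub: 'uuid-2', allowed_roles: ['user'] },
  };
  if (token_type !== 'access_token' || !known[token]) return { is_valid: false, claims: {} };
  return { is_valid: true, claims: known[token] };
}

// Minimal req/res harness; returns what the middleware decided.
async function run(authorization, role) {
  const out = { status: 200, next: false, userId: null };
  const req = { headers: authorization ? { authorization } : {} };
  const res = { status(code) { out.status = code; return this; }, json() { return out; } };
  await requireRole(fakeValidate, role)(req, res, () => { out.next = true; out.userId = req.userId; });
  return out;
}
```

In a real app, `app.get('/admin', requireRole(authorizerRef.validateJWTToken.bind(authorizerRef), 'admin'), handler)` wires it to the SDK.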
@bright-coder access_token is used for accessing the APIs of authorizer. You can use id_token for user identity and authorizing your APIs.
@lakhansamani Thank you. I think we should add this to the documentation?
Sure, will add it, thanks 👍
@lakhansamani I'm using the following code to authenticate on the backend:
```js
const user = await authorizerRef.getProfile({
  Authorization: `Bearer ${authorization}`,
})
```
Is this the correct way?
Yes