I am trying to set up authentication for a Node.js Express web application using a Stormpath access token. The initial page launch (index) works fine; however, subsequent access (about) does not work as expected with cookie sessions. The code snippet follows.
app.js ————
/**
 * Build the cookie settings shared by the access-token and refresh-token
 * cookies. A fresh object is returned on every call so the two cookie
 * configurations never share a reference.
 */
function localhostTokenCookie() {
  return {
    // NOTE(review): some user agents handle a Domain attribute of "localhost"
    // inconsistently; leaving the domain unset gives a host-only cookie.
    // Confirm in the browser's cookie store that this cookie is actually kept.
    domain: "localhost",
    // Keeps the token cookie out of reach of page scripts (document.cookie).
    httpOnly: true,
    path: "/",
    // NOTE(review): presumably null lets the library pick the Secure flag from
    // the request protocol -- confirm against the express-stormpath docs.
    secure: null
  };
}

// Stormpath middleware: the API key pair and the application href come from
// appConfig, so the secret should live in configuration kept out of source
// control rather than in this file.
var stormpathApiKey = {
  id: appConfig.stormpath.id,
  secret: appConfig.stormpath.secret
};

app.use(stormpath.init(app, {
  apiKey: stormpathApiKey,
  application: {
    href: appConfig.stormpath.href
  },
  web: {
    // Self-service registration is switched off.
    register: {
      enabled: false
    },
    accessTokenCookie: localhostTokenCookie(),
    refreshTokenCookie: localhostTokenCookie()
  }
}));
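// Both pages are protected by stormpath.loginRequired, so each one is only
// rendered for a request that carries valid credentials.
router.get('/', stormpath.loginRequired, function (req, res) {
  res.render('index', {});
});

// The original snippet registered this handler on '/' as well. The first '/'
// handler renders a response without passing control on, so the 'about' view
// could never be reached; it needs its own path.
router.get('/about', stormpath.loginRequired, function (req, res) {
  res.render('about', {});
});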
The initial launch request gives access to the index page:
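// Initial launch: fetch the protected index page, presenting the access token
// as a Bearer credential, and relay the page body to the caller.
//
// NOTE(review): request does not keep cookies between calls unless a cookie
// jar is enabled (the `jar` option), so a Set-Cookie header on this response
// is not replayed on a later request() by default.
request({
  // The option key is lowercase `url`, and the value must be a quoted string;
  // the original `Url: https://...` does not parse.
  url: 'https://localhost:8000/index',
  method: 'GET',
  auth: {
    // Truncated sample token. A real access token should come from the
    // incoming session or configuration, never from a literal in source.
    'bearer': 'eyJraWQiOiI2R1lVQ1BHTkROM0FYNEpRWkVKVjRTSlJOIiwiYWxnIjoi'
  },
  // Turns off TLS certificate verification. Tolerable only for the
  // self-signed localhost certificate used here; for anything else, trust the
  // certificate through the `ca` option and leave verification on.
  rejectUnauthorized: false
}, function (err, response) {
  // On a transport failure `response` is undefined, so reading its body would
  // throw inside the callback. Report the failure without leaking err details.
  if (err) {
    res.status(502).send('Upstream request failed');
    return;
  }
  res.send(response.body);
});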
Subsequent page access (redirected to the login page)
Note: From the Stormpath documentation, I assume the cookies are created only for HTTPS sessions, so I created self-signed certificates with the common name 'localhost' and am running the requests against 'https://localhost:8000'.
I had a call with Robert and resolved this issue by creating the cookie for the access token.
// Store the access token in an 'access_token' cookie so that later page
// requests from the same client carry it.
var cookies = new Cookies(req, res);

// No token to store: answer 401 and stop before any cookie is written.
if (!accesstoken) {
  res.status(401).send('Unauthorized');
  return;
}

// Cookie lifetime: 8 hours from now.
// NOTE(review): the cookie should not outlive the token itself -- confirm the
// token's own expiry against this value.
var EIGHT_HOURS_MS = 1000 * 60 * 60 * 8;
var expiresAt = new Date(new Date().getTime() + EIGHT_HOURS_MS);

cookies.set('access_token', accesstoken, {
  expires: expiresAt,
  // Not readable from page script, which limits token theft through XSS.
  httpOnly: true,
  path: '/',
  // NOTE(review): with secure: false the bearer token is also sent over plain
  // HTTP. The site in the question is served over HTTPS, so this should be
  // true outside of local debugging; consider a sameSite restriction as well.
  secure: false // https or http
});