Passport doesn't save the session

Question

I have read a lot about this issue but any answer doesn't work for me. I am working with React, Express and Passport to manage my authenticate routine. The authentication routine is fine, and it makes the redirect that I want. But, when I refresh any route, it says me that I am not authenticate. It seems that Passport doesn't save the session. Here my code:

Server.js

const lisaApp = express();

lisaApp.use(bodyParser.json())
lisaApp.use(bodyParser.urlencoded({ extended: false }))
lisaApp.use(cookieParser())
lisaApp.use(session({
  secret: config.secret,
  resave: false,
  saveUnitialized: false
}))
lisaApp.use(passport.initialize())
lisaApp.use(passport.session())

passport.use(auth.localStrategy);
passport.serializeUser(auth.serializeUser);
passport.deserializeUser(auth.deserializeUser);

lisaApp.post('/login', (req, res, next) => {
  const validationResult = validateLoginForm(req.body);
  if (!validationResult.success) {
    return res.status(400).json({
      success: false,
      message: validationResult.message,
      errors: validationResult.errors
    });
  }

  return passport.authenticate('local', (err, userData) => {
    if (err) {
      if (err.response.statusText === 'Unauthorized') {
        return res.status(400).json({
          success: false,
          message: 'The password is not right'
        });
      }

      return res.status(500).json({
        success: false,
        message: 'Wrong data'
      });
    }

    console.log('is authenticated?: ' + req.isAuthenticated()) // Here always is false

    return res.json({
      success: true,
      token,
      message: 'Successful Login',
      user: userData.data
    });
  })(req, res, next);
});

// I am using this function as a middleware to check if the user is authenticated, always is false. No matter if I put right data in the login form
function ensureAuth (req, res, next) {
  if (req.isAuthenticated()) {
    return next();
  }

  res.status(401).send({ error: 'not authenticated' })
}

auth/index.js(passport routine)

var LocalStrategy = require('passport-local').Strategy;
var LisaClient = require('pos_lisa-client');
var config = require('../config');

var ClientApi = LisaClient.createClient(config.lisaClient);

exports.localStrategy = new LocalStrategy({
  usernameField: 'username',
  passwordField: 'password',
  session: false,
  passReqToCallback: true
}, (req, username, password, done) => {
  var authData = {
    username,
    password
  }

  // Here is a custom API, I pass the data that I need. This works fine
  ClientApi.authenticate(authData, (err, token) => {
    if (err) {
      return done(err)
    }

    var token = token.data

    ClientApi.getClient(username, (err, user) => {
      if (err) {
        return done(err)
      }

      user.token = token
      return done(null, user)
    })
  })
})


exports.serializeUser = function (user, done) {
// The app never enters here
  done(null, {
    username: user.username,
    token: user.token
  })
}

exports.deserializeUser = function (user, done) {
// The app never enters here
  ClientApi.getClient(user.username, (err, usr) => {
    if (err) {
      return done(null, err)
    } else {
      usr.token = user.token
      done(null, usr)
    }
  })
}

Where I am wrong?

Answer 1

If you're using a custom authentication callback, you have to call req.logIn() to establish a session (or you can create one manually):

// Add this where you are console.log'ing `req.isAuthenticated()`

req.logIn(userData, function(err) {
  if (err) return next(err);

  console.log('is authenticated?: ' + req.isAuthenticated());

  return res.json({
    success: true,
    token,
    message: 'Successful Login',
    user: userData.data
  });
});

This is documented here (scroll down to "Custom Callback"):

Note that when using a custom callback, it becomes the application's responsibility to establish a session (by calling req.login()) and send a response.