Reputation: 7549
How to pass data along with redirect using express?
I am attempting to set up SAML Single Sign On with my React application. The backend is an express / passport setup. Front end is Reactjs.
I load the initial Reactjs SPA and it notices I don't have a username set. ... so then it redirects to the SSO page. I enter my information (as needed) and then after success I am to point where the identity provider forwards my client back to the /login/callback route. This route, in turn, is supposed to forward the user back to their original URL (as defined by req.body.RelayState).
The callback route looks like this:
samlRouter.use(session(config.session));
samlRouter.use(passport.initialize());
samlRouter.use(passport.session());
samlRouter.use((req, res, next) => {
res.header('Access-Control-Allow-Origin', req.header('origin'));
res.header('Access-Control-Allow-Headers', 'Origin, X-Requested-Width, Content-Type, Accept, Authorization');
res.header('Access-Control-Allow-Credentials', 'true'); //SAML
if (req.method == 'OPTIONS') {
res.header('Access-Control-Allow-Methods', 'PUT, POST, GET');
return res.status(200).json({})
}
next();
})
samlRouter.post('/login/callback',
(req, res, next) => {
passport.authenticate('saml', config.saml.options)(req, res, next)
},
(req, res, next) => {
console.log('req.user.nameID :>> ', req.user?.nameID); // ***THIS IS CORRECT**
req.session.user = req.user;
return res.redirect(`${req.body.RelayState}`);
});
The problem is - I need to tell the front-end reactjs application who the req.user.nameID is. I can't just put it in a query string on the redirect because it's the login (and thus anyone that wanted to just type in xxxx.com/privatePage?myusername could pretend to be me).
How can I securely pass data to my front end after authentication?
Upvotes: 0
Views: 2854
Answers (2)
Reputation: 11
One possible solution depending on the type and quantity of data you want to pass:
Make another get route e.g.
router.get('samepage/:some param',
(req,res)=>{
///get data with param or use param as the data !
res.render('samepage',{data})
})
////redirect to that route with param you need
Upvotes: 0
Reputation: 707218
There are a number of ways to pass data with a redirect.
- Put data in a query string that is part of the redirect URL so that data will be available in the URL when the redirect URL is rendered.
- Put data into a cookie that will be present when the redirected URL is rendered.
- Put data into a server-side user session that will be present when the redirected URL is rendered.
Both options 2 and 3 have potential concurrency issues or race conditions if the same user is very involved in multiple redirects at the same time. These options 2 and 3 also need to clean up the data after it is used so it isn't left hanging around.
Options 2 and 3 are more private than option 1 if that is desired. If this data is involved in authentication (e.g. who the user is and needs to be secure), then it really ought to be in the server-side session (which is indexed by the session cookie). This would typically be saved in the session so it's available as req.session.user to future requests.
Upvotes: 1
Related Questions
- how to pass data and redirect in express
- Pass req.user.username as a parameter to successRedirect in Passport.js
- How to pass data with a session or cookie while redirecting with express / nodejs / passport?
- Sending data from Express to React through a redirect
- how to 'redirect' with react after login with passport.js?
- How do I redirect into react-router from express?
- NodeJS Express pass values during redirect
- redirect before loading URL
- Express redirect and locals
- PassportJS and Redirects