Why is my express-session not persisting?

Question

I'm new to express-session. It's not behaving how I would expect, and I'm wondering if someone can point out why. It's likely a basis user-error.

I'm building an app that stores training information for a volunteer k-9 search and rescue team. I'm attempting to authenticate a sign-in using PassportJS. I'm storing the data through Mongo Atlas. I'm at the level where I just want to see that it's basically working so that I can build upon it further.

Here is how I set up the middleware:

router.use(session({
  secret: process.env.SESSION_SECRET,
  resave: false,
  saveUninitialized: true
}))

(I'm not sure if I'm misusing Passport, so I'll show how I'm building that out too):

router.use(passport.initialize()) 

router.use(passport.session())    

authUser = async (username, password, done) => {
  
  const returnedUser = await User.findOne({username: username}, (err, user) => {
    if (err) {
      return err
    } else {
      return user
    }
  })
  .clone()


  if (!returnedUser) {
    return done(null, false) 
  } else if (returnedUser.password != password) {
    return done(null, false) 
  } else {
    return done(null, returnedUser)
  }
}

passport.use(new LocalStrategy (authUser))

passport.serializeUser( (userObj, done) => {
  done(null, userObj)
})

passport.deserializeUser((userObj, done) => {
  done (null, userObj )
})

When I sign in, and console.log() the session...

router.post('/signIn', passport.authenticate('local', {
  // failureRedirect: 'http://localhost:3000/users/signIn'
  failureMessage: 'failure'
}), (req, res) => {
  console.log('req.session:', req.session)
  res.send('finished')
})

...I get what I would expect in the console:

req.session: Session {
  cookie: { path: '/', _expires: null, originalMaxAge: null, httpOnly: true },
  passport: {
    user: {
      _id: new ObjectId("62e5505409d8b098030b70aa"),
      username: 'cap1',
      password: 'America',
      firstName: 'Steve',
      lastName: 'Rogers',
      email: 'cap@notshield.org',
      phoneNumber: 1234567890,
      dateCreated: 2022-07-30T15:37:56.079Z,
      k9s: [Array],
      __v: 0
    }
  }
}

(I'm aware that I need to encrypt this password, but I'm temporarily keeping it visible while I try to understand it.)

But, then when I test it to see if it persists...

router.post('/', async (req, res) =>  {
  console.log(req.session)
  //check all field on the front end
  let postUser = new User({
    "username": req.body.username,
    // "password": await hasher(req.query.password, 10),
    "password": req.body.password,
    "firstName": req.body.firstName,
    "lastName": req.body.lastName,
    "email": req.body.email,
    "phoneNumber": req.body.phoneNumber,
    "dateCreated": new Date(),
    //query must must be formatted like
    //&k9s[]=spike&k9s[]=lucey
    "k9s": req.query.k9s
  })
  postNew(postUser, res)
})

...The session doesn't still contain the passport information in the console.log():

Session {
  cookie: { path: '/', _expires: null, originalMaxAge: null, httpOnly: true }
}

(I realize that it doesn't make sense in practice to need session from a sign in to create a new user. I'm just trying to use two functions that I know work to test it out.)

Why is the session not keeping the Passport JS information between http requests?

Answer 1

This may be because of the version of passport you are using. I recently had a similar issue after migrating from 0.4.1 to 0.6.0, which may have changed how sessions persist when logging in/out to address this vulnerability: https://github.com/advisories/GHSA-v923-w3x8-wh69

If you add the keepSessionInfo: true option to the authenticate and logout methods, it continues to behave like version 0.4.1.

For authentication:
passport.authenticate("local", {keepSessionInfo: true})
For logging out:
passport.logout({keepSessionInfo: true}, (err) => {})

See this GitHub issue: https://github.com/jaredhanson/passport/issues/949