I'm trying to get my Passport local strategy working.
I've got this middleware set up:
passport.use(new LocalStrategy(function(username, password,
I also faced the same problem even though logging in was happening. The mistake I made was calling the isLoggedIn middleware before initializing Passport. So the sequence in which you write the code is quite important. Please make sure the middleware is registered in the right order. I had written it in the following sequence:
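// Registration order matters: express-session first, then
// passport.initialize(), then passport.session(). Middleware that reads
// req.user or req.isAuthenticated() has to be registered after all three.
app.use(require('express-session')({
  // The secret signs the session-ID cookie, so a short hard-coded string lets
  // anyone who reads or guesses it forge cookies. Load a long random value
  // from configuration instead (SESSION_SECRET is an illustrative name).
  secret: process.env.SESSION_SECRET,
  resave: false,
  saveUninitialized: false,
  // secure:false allows the cookie over plain HTTP, which suits local
  // development only. Behind HTTPS use secure:true. With secure:true on a
  // plain-HTTP connection the cookie is not set at all, which also shows up
  // as req.isAuthenticated() being false on every request.
  cookie: { secure: false }
}))
app.use(passport.initialize())
app.use(passport.session())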
// Verify callback for the local strategy: look the account up by username and
// report the outcome through done(err), done(null, false) or done(null, user).
passport.use(new localstrategy((username, password, done) => {
  User.findOne({ username }, (err, user) => {
    if (err) { return done(err); }
    // Unknown user and wrong password end in the same done(null, false), so
    // the caller cannot tell which of the two checks failed.
    // NOTE(review): this compares the submitted password directly with
    // user.password, which only works when passwords are stored in clear text.
    // Store a salted, slow hash (bcrypt, scrypt, argon2) and verify with the
    // hashing library's compare function instead. If the User model uses
    // passport-local-mongoose (the User.serializeUser() call that follows
    // suggests so — confirm), User.authenticate() supplies such a verify
    // function.
    if (!user || user.password != password) { return done(null, false); }
    return done(null, user);
  });
}))
// Tell Passport how to write the user into the session and how to load it back,
// using the serializer/deserializer functions returned by the User model.
passport.serializeUser(User.serializeUser())
passport.deserializeUser(User.deserializeUser())
// Registered last, after passport.initialize() and passport.session(), so the
// check runs only once Passport has processed the request.
// NOTE(review): isLoggedIn is not shown; presumably it tests req.isAuthenticated() — confirm.
app.use(isLoggedIn);
I faced the same problem, and in my case it was resolved just by reordering the code as shown below:
//--------------------------------
previous code :
app.use(flash())
// NOTE(review): 'somesecret' reads as a placeholder. A real deployment needs a
// long random secret loaded from configuration, not written in source.
app.use(session({
secret: 'somesecret',
resave: false,
saveUninitialized: false
}))
// Custom middleware that copies the login state into res.locals for the views.
// In this ordering it runs BEFORE passport.initialize() and passport.session(),
// which are registered below. This is the ordering the author reports as the
// cause of the problem.
app.use((req, res, next) => {
res.locals.isAuthenticated = req.isAuthenticated()
next()
})
app.use(passport.initialize())
app.use(passport.session())
//--------------------------------
Refactored code : (which fixed the problem):
app.use(flash())
// NOTE(review): 'somesecret' reads as a placeholder. A real deployment needs a
// long random secret loaded from configuration, not written in source.
app.use(session({
secret: 'somesecret',
resave: false,
saveUninitialized: false
}))
// Passport is registered right after the session middleware, so it has already
// processed the request by the time the middleware below runs.
app.use(passport.initialize())
app.use(passport.session())
// Custom middleware that copies the login state into res.locals for the views.
// It now runs after passport.initialize() and passport.session().
app.use((req, res, next) => {
res.locals.isAuthenticated = req.isAuthenticated()
next()
})
//--------------------------------
I also had the same problem and could not find any solution on the web, but I figured it out.
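// express-session is registered first, then passport.initialize(), then
// passport.session(), which needs the session to be present on the request.
app.use(require("express-session")({
  // Signing secret for the session cookie. Read it from the environment
  // (SESSION_SECRET is an illustrative name) so it is neither hard-coded nor
  // committed to source control.
  secret: process.env.SESSION_SECRET,
  resave: false,
  saveUninitialized: false
}));
app.use(passport.initialize());
app.use(passport.session());
// Form-body parsing. It must still be registered before any route that reads
// req.body, such as a login form POST.
app.use(bodyParser.urlencoded({extended: true}));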
The express-session require and its app.use should come before any other app.use. Try this; I am sure it will work. It worked for me!
I know it's late, but I faced this issue with the FB login strategy. It was working fine until it suddenly stopped working, and only in Safari. I racked my brain over all of the above solutions and nothing seemed to work. Finally the Chrome web console gave away a clue (it still worked in Chrome at that point). The warning was this:
A cookie associated with a cross-site resource at http://www.facebook.com/ was set without the SameSite attribute. A future release of Chrome will only deliver cookies with cross-site requests if they are set with SameSite=None and Secure.
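Only then did I realize that I shouldn't set sameSite: true in the express-session cookie options, as it will not set the Facebook cookie for login. After days of hacking, I fixed this issue by changing sameSite to "none". As the warning above says, a SameSite=None cookie must also be marked Secure, so the session cookie then has to be served over HTTPS. The cookie is also sent on cross-site requests again, so CSRF protection has to come from somewhere else.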
Hope it helps someone, who encounters this issue in the future.
I had a similar issue. Could be due to the express-session middleware needed for passport. Fixed it by using middlewares in the following order: (Express 4)
var session = require('express-session');
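// Session middleware comes first; passport.session() below depends on it.
app.use(session({
  // Signing secret for the session cookie. Read it from the environment
  // (SESSION_SECRET is an illustrative name) rather than keeping a literal
  // string in source.
  secret: process.env.SESSION_SECRET,
  // saveUninitialized:true stores a session for every visitor, including ones
  // who never log in. resave:true writes the session back on every request.
  // Both are kept as in the original answer; check them against the store's
  // requirements before relying on them.
  saveUninitialized: true,
  resave: true,
  // Sessions are persisted in MongoDB through the connect-style store.
  store: new MongoStore({
    url: config.urlMongo,
    collection: 'sessions'
  })
}));
// Initialise Passport for each request.
app.use(passport.initialize());
// Restore the logged-in user from the session (persistent login sessions).
app.use(passport.session());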
There's a kink in passport.js that nobody really mentions but that I found out. This is why you can create an account or sign in and it authenticates fine at first, but later on you find out that req.user is undefined or req.isAuthenticated() is false throughout the app.
After authenticating, passport.js requires you to reroute/redirect. That's how passport initializes the actual session.
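/**
 * Authenticates the request with the "local" strategy and redirects to "/"
 * once req.user is set.
 *
 * @param {object} req - Express request; req.user is read after authentication.
 * @param {object} res - Express response used for the redirect or the 401.
 * @param {Function} next - Express next(); receives any error reported by Passport.
 */
signIn(req, res, next) {
  passport.authenticate("local")(req, res, function (err) {
    // Passport hands strategy and session errors to this callback. Forward
    // them to Express so the request is not left without a response.
    if (err) {
      return next(err);
    }
    if (!req.user) {
      console.log("User not found!");
      // End the request explicitly so the client does not wait for a
      // response that never comes.
      return res.sendStatus(401);
    }
    res.redirect("/");
    console.log("signed in");
  });
}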
If you don't reroute after authenticating, it won't even start your session, as req.user and req.isAuthenticated() will be false.
My app is a React and Node app but this is true for both Node apps and React/Node apps.