
Incorrect req.flash for logout()

Open cookie-ag opened this issue 8 years ago • 4 comments

So here is what I am doing:

routes.js

router.get('/logout',security.logoutToken, LogoutController.EmailandLog, LogoutController.DeleteSessions, LogoutController.Redirect);

security.js

exports.logoutToken = passwordless.logout({
    successFlash: 'Hope to see you soon.'
});

//security.restrictedWithoutToken, FYI

exports.restrictedWithoutToken = passwordless.restricted({
    failureRedirect: '/login',
    failureFlash: 'You are not authenticated to view this page. Try again!'
});

LogoutController.js

exports.EmailandLog = function(req, res, next) {

    if (!req.session.email || req.session.email === undefined) {
        res.redirect('/login');
    } else {
        //Send Email
        // next();
    }
};

exports.DeleteSessions = function(req, res, next) {
    req.session.destroy(function(err) {
        if (err) {
            // return here so next() is not called a second time on error
            return next(err);
        }
        next();
    });
};

exports.Redirect = function(req, res, next) {
    res.redirect('/login');
};

Issue:

  • On successful logout I should see logout.options.successFlash, but what I see is restricted.options.failureFlash, i.e. "You are not authenticated to view this page. Try again!"
  • I am confused about how to fix it.

cookie-ag avatar Jan 27 '17 05:01 cookie-ag

Hey, are you sure the controller redirects to a page that is not restricted? Cheers

florianheinemann avatar Jan 27 '17 10:01 florianheinemann

Router.get ('/login',....);
Router.post('/login',...);

Neither of them has passwordless.restricted(). So the answer is yes, I am sure that the controller redirects to a page that is not restricted.

cookie-ag avatar Jan 27 '17 11:01 cookie-ag

You're also aware that the success-flashes are stored in a different array? https://passwordless.net/deepdive#success-flashes

florianheinemann avatar Jan 27 '17 18:01 florianheinemann

@florianheinemann I checked and it's not related to req.flash. You can see in the logs that where the controller triggers /logout it should redirect to /login, but somehow it redirects to req.url (such as /activity, which is restricted), hence showing the error from the restricted module.

  • Logs below for reference
  req-started 14-08-2017 01:52:31:334 GET /logout ::ffff:127.0.0.1 +10s
  req-success req.path /logout
  req-success res.statusCode 302
  req-success  +0ms
  req-isended 14-08-2017 01:52:31:335 GET /logout ::ffff:127.0.0.1 +0ms
  req-started 14-08-2017 01:52:31:347 GET /login ::ffff:127.0.0.1 +5ms
  req-success req.path /login
  req-success res.statusCode 200
  req-success  +0ms
  req-isended 14-08-2017 01:52:31:347 GET /login ::ffff:127.0.0.1 +0ms
  req-started 14-08-2017 01:52:31:396 GET /activity/ ::ffff:127.0.0.1 +49ms
  req-success req.path /activity/
  req-success res.statusCode 302
  req-success  +1ms
  req-isended 14-08-2017 01:52:31:397 GET /activity/ ::ffff:127.0.0.1 +0ms
  req-started 14-08-2017 01:52:31:452 GET /login ::ffff:127.0.0.1 +5ms
  req-success req.path /login
  req-success res.statusCode 200
  req-success  +0ms
  req-isended 14-08-2017 01:52:31:452 GET /login ::ffff:127.0.0.1 +0ms

I am trying to find out why it happens, and it doesn't seem to make sense. Any idea?

cookie-ag avatar Aug 13 '17 18:08 cookie-ag
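As an added example (not code from this thread or from the passwordless project), a dependency-free model of the sequence in the logs above: a session-bound flash store, a restricted guard, the logout chain from the first post, and a client that follows redirects. It assumes flash messages live in the session (as connect-flash keeps them, so the success message set by logoutToken is discarded when DeleteSessions destroys the session) and that the two buckets are named 'passwordless' and 'passwordless-success' as in the deepdive page linked above; the stray GET /activity/ after logout is what fills the failure bucket the login page then renders.

```javascript
// Added example, not code from this thread or from the passwordless project.
// Dependency-free model of the request sequence in the logs above.
// Labelled assumptions: flash messages live in the session (as with
// connect-flash, so req.session.destroy() drops them), and the two
// buckets are 'passwordless' (failureFlash) and 'passwordless-success'
// (successFlash), as described in the deepdive page linked above.
const FAIL = 'passwordless';
const OK = 'passwordless-success';
const FAIL_MSG = 'You are not authenticated to view this page. Try again!';
const OK_MSG = 'Hope to see you soon.';

function makeApp() {
  // Constructed sample session for a logged-in user.
  const app = { session: { email: 'user@example.test', flash: {} } };
  const push = (key, msg) => (app.session.flash[key] = app.session.flash[key] || []).push(msg);
  const take = (key) => { const m = app.session.flash[key] || []; delete app.session.flash[key]; return m; };

  // Model of passwordless.restricted(): no authenticated session -> flash failure, redirect.
  const restricted = () => app.session.email
    ? { status: 200, body: 'activity page' }
    : (push(FAIL, FAIL_MSG), { status: 302, location: '/login' });

  const routes = {
    '/logout': () => {
      push(OK, OK_MSG);                           // logoutToken: successFlash
      app.session = { flash: {} };                // DeleteSessions: req.session.destroy()
      return { status: 302, location: '/login' }; // Redirect
    },
    // The login page reads both buckets, as a view would via req.flash().
    '/login': () => ({ status: 200, body: { success: take(OK), failure: take(FAIL) } }),
    '/activity/': restricted,
  };
  app.handle = (path) => routes[path]();
  return app;
}

// Client that follows redirects, recording each hop's status like the logs do.
function visit(app, path, trace = []) {
  const res = app.handle(path);
  trace.push(`GET ${path} ${res.status}`);
  return res.status === 302 ? visit(app, res.location, trace) : { res, trace };
}

// Replays the logged sequence: /logout, then a stray request for the old page.
function reproduce() {
  const app = makeApp();
  const afterLogout = visit(app, '/logout');
  const afterActivity = visit(app, '/activity/');
  return { afterLogout, afterActivity };
}
```

Running reproduce() yields the same hop sequence as the logs, with the success bucket empty on both visits to /login and the failure bucket filled only after the /activity/ hop.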