login is success? I am using passportjs
check the response from server 😕
So you mean to say for login route when successful send user object in response?? Note: I am using express session passportjs local strategy
yes, simply you can send object like this { success : true user , token //optional }
Ok now if this object is sent after login is success and if we have redirected to profile page then from profile if he wants to go to about, contact, settings page all are protected how will that work?
me usually do this first user will login and the the response will be back with set cookie header then token from response will be saved in my browser cookie and save user object in global state then user object will be available untill page refresh then in react or vue I will write a middleware that first on page load will requests to server just for getting logged in user data again (just for security reason I wont keep user data in cookie or localstorage) and then if data successfully got back then save it again in global state if not redirect to login . (cookie is httponly and dont forget to refresh jwt token) simply explained the whole jwt auth :)
Yes i am using http only cookie but when login is success user redirected to profile page and at this point user object is stored in redux state. Now user navigates to protected page user object is passed to auth route using useAuth hook. Now if session is expired then how to remove user object I mean set it to null/undefined? In react router docs I could not find where did they added this check for user object
Here auth.user is used in our case when login is success that user object will be stored in auth.user is that right? https://reactrouter.com/web/example/auth-workflow If above is right then I cannot see how auth.user is set to null if session is expired?? If logout button is clicked then user object is set to null but what about session expiry case?
on server you (should) have auth middlware and in that you check every request and when session is expired you will return for example 403 error and when that error receives on browser the you can set user object to null and redirect to login page
Oh ok got it. One more question user object should be stored in redux state and not local state is that right?
yeah , global state
but there is one problem here. Lets say there are 2 protected routes i.e contact us and about page on these 2 pages API call is not made to server all the data is hardcoded on both the pages. In such cases if user just keeps switching between both these 2 pages then how will your solution work?
What ? Once user token is invalidate and your user try to navigate to another protected route he will redirected always
So you mean to say on frontend I have to check if session is valid or invalid??
I am frontend developer . I can say that you need to do this in the fronted to protect your routed .
Also you should do this in the backend, protect your endpoints
where will you add that logic in case of react router ?? link: https://reactrouter.com/web/example/auth-workflow
you mean backend all should have auth middleware and on frontend also I have do something for auth?? Backend part is clear to me. I am not getting client side routing
Well , the snippet is very clear
I can't say nothing about backend 😂
So only frontend how to validate session? I am using http only cookie which cannot be accessed by client side JS
These pages don't require login, so I don't see the problem
Ok but as Masoud mentioned return from auth middleware from backend if session expired then set user object state on frontend to null and logout user is that correct implementation?
Whether you care about user object on the client is up to you, but once the backend sends a 401 error, you can safely log the user out
So without user object also auth on frontend is possible??
Weren't you using httpOnly cookies?
Yes httponly cookie
That means auth is a backend problem
But react router docs maintain some user object thats why I asked so got confused
Doesn't apply to you
calling api is in middleware and middleware will called before entering every route 😕
yes that is on backend but on frontend routes lets say I am navigating to protectedRoute which does not make an API call in that case what will you do?
NOOOO I mean the routes middleware in react 😐😑
if I am not calling API and route is protected how will you handle it?
2 modes will happen : 1- you load page directly go to for example contact us in this case you should get user data from api 2- you already got data from other routes in this case you have data abd does not need to call api
Обсуждают сегодня