Passing authentication token to HTML pages

Question

I have a user authentication system that generates an access token upon successful authentication. I need to pass this token to other pages as the header parameter to allow usage of that page.

    module.exports.authenticate=function(req,res){
        var email=req.body.email;
        var password=req.body.password;
       
       
        connection.query('SELECT * FROM org WHERE email = ?',[email], function (error, results, fields) {
          if (error) {
              res.json({
                status:false,
                message:'query error'
                })
          }else{
           
            if(results.length >0){
                if(bcrypt.compareSync(password, results[0].password)){
                  
                  var access_token = jwt.sign({ id: email }, 'secretpassword123', {expiresIn: 3600});
                  var decoded = jwt.decode(access_token, 'secretpassword123');
                  var expires_in = decoded.exp-decoded.iat;
                  var token_type = "org";
                  console.log(decoded);
                  req.headers.access_token = access_token;
                  res.cookie('access-token', access_token, { expires: new Date(Date.now() + 3600)})
              
res.status(200).send({ auth: true, access_token: access_token, expires_in, token_type});
               }
                else{
                    res.json({
                      status:false,
                      message:"Email or password does not match"
                     });
                }
              
            }
    
            else{
              connection.query('SELECT * FROM client WHERE email = ?',[email], function (error, results, fields) {
                if (error) {
                  res.json({
                    status:false,
                    message:'query error'
                  })
                }else{
                  if(results.length >0){
                    if(bcrypt.compareSync(password, results[0].password)){
                      var access_token = jwt.sign({ id: email }, 'secretpassword123', {expiresIn: 3600});
                      var decoded = jwt.decode(access_token, 'secretpassword123');
                      var expires_in = decoded.exp-decoded.iat;
                      var token_type = "client";
                      //res.status(200).send({ auth: true, access_token: access_token, expires_in, token_type});
                      connection.query('UPDATE client SET fingerprint = ?', access_token, function(error, results, fields){
                                if(error){
                                    console.log(error);
                                }
                                else{
                                    console.log(results);
                                }
                            })
                      return res.redirect('/dashboard.html');
                    }
                    else{
                      res.json({
                        status:false,
                        message:"Email and password does not match"
                      });
                    }
                  }
                  else{
                    res.json({
                      status:false,    
                      message:"Email does not exist"
                    });
                  }
                }
              });
            }
          }
        });}

I want to pass the access-token to other pages and controllers as a way to authorize.

For example, this is my get-user controller:

module.exports.getUser = function(req,res){
    var email = req.body.email;
    req.headers.access_token = authenticate.authenticate.access_token
    connection.query('SELECT clientid, email, orgid, name, phone, type, role, fingerprint, verified FROM client WHERE email = ?', req.body.email, function(error,results, fields){
                if(error){
                    console.log(error)
                    res.redirect('/dashboard.html');
                }
                else{
                    console.log(req.headers)
                    console.log(results)
                    //res.redirect('/dashboard.html');
                    res.status(200).send(results);
                }
            })
}

How should I approach this?

I have added res.cookie to the authentication module, and I can see that the cookie gets stored in the browser. But when I try to read the cookie in another page with req.cookies or req.signedCookies it says undefined.

I ended up using localStorage to store the tokens. This is obviously not secure by oAuth standards, but it works. How can I use cookies to get the same functionality as local storage. I need to use the token generated in the authentication module to verify authorization in other pages.

Answer 1

This is usually achieved using cookies. After a cookie is set, it will be attached to every request the browser makes to the server. E.g. if you're using a framework like express, you could do something like

res.cookie('access-token', access_token, { expires: new Date(Date.now() + 300000), httpOnly: true })

But actually this is just a convenience method to add the "Set-Cookie"-HTTP-Header to your response, which causes the browser to create a cookie: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie

Btw, for security reasons you should probably set the 'Secure' and the 'HttpOnly' flags, which make sure, that the cookie is only sent using TLS (HTTPS) and cannot be read by JavaScript respectively. The 'SameSite'-Directive is also useful for preventing CSRF attacks.