'Protect Expressjs routes using Session

I don't want to login to /dashboard without logging in, I assigned the user ID to the session by saying req.session.userID. Then I checked this "userid" info via middleware but I can access /dashboard even though I'm not logged in

server.js

const express=require('express')
const session = require('express-session')
const flash = require('express-flash')
const cookieParser = require('cookie-parser')
const cors=require('cors')
const MongoDBStore = require('connect-mongodb-session')(session);
const authRoutes=require('./routes/authRoutes')
const authMiddleware=require('./middlewares/authMiddleware')
const app=express()
const adminController=require('./controllers/adminController')

require('./db')
require('dotenv').config()

app.set('view engine', 'ejs');


app.use(cors());
app.use(express.urlencoded({extended: true}))
app.use(express.json())
app.use(cookieParser())
app.use(require('express-session')({
    secret: 'secret',
    resave: false,
    saveUninitialized: true,
    httpOnly: true,
    store:new MongoDBStore({
        uri:process.env.MONGO_URI,
        collection:'sessions'
    })
  }))


app.use('/admin',express.static('public/admin'))
app.use('/',express.static('public'))
app.use('/admin',authRoutes)

route

router.route('/dashboard',authMiddleware.isAuthentication,(req,res)=>{
        res.render('admin/pages/dashboard')
})

router.route('/login')
    .post(async (req,res)=>{
        try {
            const { email, password } = req.body;

             const user=await AdminModel.findOne({ email });
             if (user) {
                bcrypt.compare(password, user.password, (err, same) => {
                  if (same) {
                    // USER SESSION
                    req.session.userID=user._id
                    return res.status(200).redirect('/admin');
                  }else{
                      res.redirect('/admin/login')
                  }
                });
              }
          } catch (error) {
            return res.status(400).json({
              status: 'fail',
              error,
            });
          }
    })

auth Middleware

 const isAuthentication = (req, res, next) => {
  if (!req.session.userID) {
    return res.redirect("/admin/login");
  } else {
    return next();
  }
};

module.exports = {
  isAuthentication,
};
expressexpress-session


Sources

This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.

Source: Stack Overflow

Solution Source

Related Questions

Request body is empty when posting form-data

How do I debug error ECONNRESET in Node.js?

Stripe webhook error: No signatures found matching the expected signature for payload

exit from express middleware with specific http status

Zip File Download via Axios from Express Server not working in React App

How to use http-auth with Sails

Express and nginx net::ERR_CONTENT_LENGTH_MISMATCH

Express and nginx net::ERR_CONTENT_LENGTH_MISMATCH

express.js - best POST json schema validator [closed]

How to Insert documents to multiple collection in a single query using nodejs

nodejs multer retrieve stored images to the client side

router.get doesn't work but router.get with id works

How to get GET (query string) variables in Express.js on Node.js?

Node.js + Express.js (Connect) - Accessing Session from 'upgrade' event

setupProxy is not working - http-proxy-middleware