cookie-based session with express

Author: Jan Goebel

.gitignore

@@ -0,0 +1,22 @@
+*.css
+# See https://help.github.com/ignore-files/ for more about ignoring files.
+
+# dependencies
+/node_modules
+
+# testing
+/coverage
+
+# production
+/build
+
+# misc
+.DS_Store
+.env.local
+.env.development.local
+.env.test.local
+.env.production.local
+
+npm-debug.log*
+yarn-debug.log*
+yarn-error.log*

README.md

@@ -0,0 +1,62 @@
+# Express Session with Redis
+
+This repository contains sample code on how to use [Redis](https://redis.io) for a cookie-based session implementation with [Redis](https://redis.io) and the Node.js [express](https://expressjs.com/) framework.
+
+This repository is part of the *[Sessions in  express.js tutorial series on YouTube](https://www.youtube.com/playlist?list=PL1Nml43UBm6fPP7cW9pAFTdZ_9QX2mBn2) provided by [productioncoder.com](https://productioncoder.com/)*.
+
+For updates, please reach out to [@productioncoder](https://twitter.com/productioncoder) on Twitter or leave a comment in the [Youtube playlist](https://www.youtube.com/playlist?list=PL1Nml43UBm6fPP7cW9pAFTdZ_9QX2mBn2).
+
+<h3 align="center">Please help this repo with a ⭐️ if you find it useful! 😁</h3>
+
+## Session implementation with express.js and express-session
+
+This repository illustrates how to create a session-based authentication system in [Express.js](https://expressjs.com/) and what configurations you need to perform for you server to also accept cookies from cross origins - a scenario that is typical for Single Page Applications (SPAs) written in modern frameworks such as [React](https://reactjs.org/) or [Vue](https://vuejs.org/).
+
+## Running this project
+
+### 1. Installing Redis
+
+Make sure that you have _[Redis](https://redis.io) running locally_ on your machine on its _default_ port `6379`.
+
+This project assumes that your [Redis](https://redis.io) instance does _not require a password_ (which is the default).
+
+If your local [Redis](https://redis.io) requires a password, please update the `db/redis.js` file to include the password field:
+
+```
+const redisClient = redis.createClient({
+    port: 6379,
+    host: 'localhost',
+    password: 'your-password'
+});
+```
+
+If you are on macOS, the easiest way to start up a [Redis](https://redis.io) instance is by using [Homebrew](https://brew.sh/)
+
+```
+brew install redis
+brew services start redis
+```
+
+To stop [Redis](https://redis.io), you can run
+
+```
+brew services  stop redis
+```
+
+### 2. Install dependencies
+
+Run
+
+```
+npm install
+```
+
+to install the project's dependencies.
+
+### 3. Run project
+
+Execute the `dev` script to start up your server.
+
+```
+npm run dev
+```

controller/auth.js

@@ -0,0 +1,27 @@
+const authService = require('../service/auth');
+
+async function login(req, res) {
+    const {email, password} = req.body;
+
+    // perform payload validation
+    // in prod, always use a validation library like joi
+    // for this tutorial, we only do basic validation
+    if (!email || !password) {
+        return res.status(400).json('Bad request params - you need to provide an email and a password');
+    }
+
+    try {
+        const user = await authService.login(email, password);
+        req.session.user = user;
+        res.sendStatus(204);
+    } catch(err) {
+        // in prod, do not use console.log or console.error
+        // use a proper logging library like winston
+        console.error(err);
+        res.status(401).json(err);
+    }
+}
+
+module.exports = {
+    login
+};

controller/profile.js

@@ -0,0 +1,5 @@
+function profile(req, res) {
+    res.json(req.session);
+}
+
+module.exports = {profile};

dao/user.js

@@ -0,0 +1,23 @@
+const bcrypt = require('bcrypt');
+
+const users = {
+    '[email protected]': {
+        pwHash: bcrypt.hashSync('user1pw', 10),
+        roles: ['ADMIN'],
+        id: '41c514f4-7288-4199-80c0-e0be7e4353d7'
+    },
+    '[email protected]': {
+        pwHash: bcrypt.hashSync('user2pw', 10),
+        roles: ['ACCOUNT_MANAGER'],
+        id: 'fa54f8ac-6ed7-49d5-b242-64b793da816a'
+    }
+}
+
+// this call would be async and would return a promise
+// if we were to use a real database
+async function findUserByEmail(email) {
+    const user = users[email];
+    return user ? user : Promise.reject('user not found');
+}
+
+module.exports = {findUserByEmail};

db/redis.js

@@ -0,0 +1,8 @@
+const redis = require('redis');
+// 1 configure our redis
+const redisClient = redis.createClient({
+    port: 6379,
+    host: 'localhost'
+});
+
+module.exports = redisClient;

index.js

@@ -0,0 +1,17 @@
+const express = require("express");
+const router = require("./routes");
+const session = require("./middleware/session");
+const corsMw = require("./middleware/cors");
+
+const app = express();
+app.use(express.json());
+// if you run behind a proxy (e.g. nginx)
+// app.set('trust proxy', 1);
+
+// setup CORS logic
+app.options("*", corsMw);
+app.use(corsMw);
+
+app.use(session);
+app.use(router);
+app.listen(8080, () => console.log("server is running on port 8080"));

middleware/authenticate.js

@@ -0,0 +1,10 @@
+function authenticate(req, res, next) {
+    if (!req.session || !req.session.user) {
+        const err = new Error('You shall not pass');
+        err.statusCode = 401;
+        next(err);
+    }
+    next();
+}
+
+module.exports = authenticate;

middleware/cors.js

@@ -0,0 +1,16 @@
+const cors = require("cors");
+
+const whitelist = new Set(["https://example1.com", "https://example2.com"]);
+const corsOptions = {
+  optionsSuccessStatus: 200,
+  origin: function(origin, callback) {
+    if (whitelist.has(origin)) {
+      callback(null, true);
+    } else {
+      callback(new Error("Not allowed by CORS"));
+    }
+  },
+  credentials: true
+};
+
+module.exports = cors(corsOptions);

middleware/session.js

@@ -0,0 +1,18 @@
+const session = require('express-session');
+const connectRedis = require('connect-redis');
+const redisClient = require('../db/redis');
+
+const RedisStore = connectRedis(session);
+
+module.exports = session({
+    store: new RedisStore({client: redisClient}),
+    secret: 'mySecret',
+    saveUninitialized: false,
+    resave: false, 
+    name: 'sessionId',
+    cookie: {
+        secure: false, // if true: only transmit cookie over https, in prod, always activate this
+        httpOnly: true, // if true: prevents client side JS from reading the cookie
+        maxAge: 1000 * 60 * 30 // session max age in milliseconds
+    }
+});