`req.isAuthenticated()` returning false immediately after login

[jamesplease]

StackOverflow question here.

I've been fighting for quite awhile with this bug: immediately after the user authenticates with, say, Google, req.isAuthenticated() is returning false. I'm persisting sessions to a Postgres DB, which seems to be working fine. It's just the call to isAuthenticated which leads me to wonder if my Passport configuration might be wrong, or something.

My code for the callback looks like:

const redirects = {
  successRedirect: '/success',
  failureRedirect: '/failure'
};
app.get('/auth/google/callback', passport.authenticate('google', redirects));

My very last middleware logs the value of req.isAuthenticated(). It logs false when Google redirects back to my page, but if the user manually refreshes then it returns true.

Here are detailed logs of the logging in process:

# this is the first request to the login page. Not logged in yet.
4:59:54 PM web.1 |  -----New request-----
4:59:54 PM web.1 |  route: /login authenticated: false

# they've clicked the link to `/login`, and are immediately forwarded to Google
4:59:59 PM web.1 |  -----New request-----

# they've granted across through Google; Google redirects back to app.
# Using the Google profile, we get the user's account from the user account table
5:00:06 PM web.1 |  -----New request-----
5:00:06 PM web.1 |  about to fetch from DB
5:00:07 PM web.1 |  retrieved user from DB

# redirection to the success page...`authenticated` is false? It should now be true!
5:00:07 PM web.1 |  -----New request-----
5:00:07 PM web.1 |  route: /success authenticated: false

# here's a manual refresh...now they're showing as authenticated
5:05:34 PM web.1 |  successful deserialize
5:05:34 PM web.1 |  -----New request-----
5:05:34 PM web.1 |  route: /success authenticated: true

It looks like deserialize isn't being called when Google redirects back to my app; could that be the source of the issue?

Source code:

• Passport configuration
• Express app configuration

[jamesplease]

Very slowly working my way through the issue. I've determined that Passport is failing to initialize properly under certain conditions.

The furthest back I've tracked the difference between a successful login and a bad one is these lines.

When the login immediately works (which is only if the user has never logged in before on that server instance), then req.session[passport._key].user is set in that conditional.

When the login fails until the user refreshes, then req.session[passport._key].user is undefined.

---

The downstream consequences of this are as follows:

1. the session strategy never finds su
2. because of that, it never sets req[property]
3. and lastly, isAuthenticated() can't find the property, and returns false

The search continues...

---

I've gone a little further back.

The order goes:

1. http.req#logIn
2. authenticate#initialize
3. session#authenticate

Step 1: logIn takes req._passport.session and assigns it to req.session._passport.
Step 2: authenticate takes req.session._passport and assigns it to req._passport.session
Step 3: session searches for req._passport.session.user

I have no idea why 1 and 2 are circular, or where any additional value comes from outside of this loop. @jaredhanson , any guidance on how I can make sense of this? 😛

[jamesplease]

logIn always finds req._passport.session.user in both situations. It then always sets it to req.session._passport. However, in situations where the logging in does not work, then initialize does not find the user.

So something must be intercepting req.session._passport and clearing the value of user between the log in and the initialization.

---

Maybe not. The two objects aren't the same (I used a global variable to test), so there must be some magic going on...not really sure tho'.

---

There are three types of states, when checked in initialize:

1. the req.session._passport set by #logIn is deeply equal to the one accessed by initialize. In this case, logging in works.
2. the req.session_passport set by #logIn is undefined. This seems to happen before logging in.
3. The req.sesion._passport set by #login does not equal the one accessed by initialize, which is an empty obj; in this case, logging in does not work until I load another route.

---

The requests themselves don't seem to be the same between logIn and initialize, which is unexpected...

[TitaneBoy]

Hi.. I have the same issue. isAuthenticated() returns always "false" after authentication successfully, and after a redirect to an URL that needs to verify if the user is connected. For a reason I don't understand, isAuthenticated() returns false that force us to login twice.

Here is my code:

var sequelizeStore = require('connect-session-sequelize')(session.Store);
var path = require('path');
var customFunctions = require(path.join(process.cwd() + '/scripts/custom.js'));
var bodyParser = require('body-parser');
var auth = require(path.join(process.cwd(), 'scripts/auth.js'));

var strategy = 'local';
var passport = auth.configurePassportLocalBasicDigestStrategy(strategy);
var SequelizeVar = customFunctions.MySequelize();
SequelizeVar.import(path.join(process.cwd() , '/models/Sessions.js'));
var mystore = new sequelizeStore({db: SequelizeVar,
                                  table: "Sessions",
                                  checkExpirationInterval: 30000,
                                  expiration: 300000}); //3600000 for 1 hour
var app = express();

mystore.sync();
app.use(bodyParser.json());
app.use(bodyParser.urlencoded({extended:true}));
app.use(session({genid: function(req){return customFunctions.genuuid()},
                 secret: 'keyboard cat',
                 resave: false,
                 saveUninitialized: true,
                 store: mystore,
                 cookie: {maxAge: 300000}})); //3600000 for 1 hour

app.use(passport.initialize());
app.use(passport.session());

app.get('/loginFailure', function(req, res, next) {
    res.sendFile(require('path').join(process.cwd(), '/views/failureLogin.html'));
    next();
});
app.get('/login', function(req, res, next) {
    res.sendFile(require('path').join(process.cwd(), '/views/login.html'));
    next();
});
app.post('/login', function(req, res, next) {
  passport.authenticate(strategy, function(err, user, info) {
    if (err) {
      console.log("Error: " + err); 
      return next(err); 
    }
    if (!user) {
      console.log("Error: User does not exist"); 
      return res.redirect('/loginFailure'); 
    }
    req.logIn(user, function(err_login) {
      if (err_login) {
        console.log("Error while login: " + err_login); 
        return next(err_login); 
      }

      req.session.messages = "Login successfull";
      req.session.authenticated = true;
      req.authenticated = true;

      if (req.session.returnTo){
        return res.redirect(req.session.returnTo);
      }
      return res.redirect('/');
    });
  })(req, res, next);
});

Here is a part of my routes:

api_user.get("/", auth.isAuthenticated, function(req, res, next){
  res.send("Welcome to my API"); 
  next();
}, customFunctions.storeReadedDataPerSession);

Here is the definition of MY "auth.isAuthenticated()" function:

exports.isAuthenticated = function (req, res, next) {
  if (req.isAuthenticated()){
    console.log("Authenticated");
    return next();
  }

  console.log("Not Authenticated");
  req.session.returnTo = req.originalUrl;
  // IF A USER ISN'T LOGGED IN, THEN REDIRECT THEM SOMEWHERE
  res.redirect('/login');
}

So even if the user has a successfull authentication, it has to login twice before being redirected correctly.

Did you find any solution or any workaround to solve the bad "isAuthenticated()" returned value ?

Thank you in advance for your answer.

[Marak]

@TitaneBoy @jmeas

Just out of curiosity, what happens if you place the redirect inside a process.nextTick block? Maybe there is bug where you need to let the event loop process once before session sticks.

[jamesplease]

@Marak since logging is in asynchronous, nothing. It needs to wait for the request to complete. still haven't had time o set up an isolated case though :)

[Marak]

Are you sure the request needs to complete?

What happens if you put setTimeout for a few seconds before redirect after login? Does that affect it all?

[jamesplease]

A carefully placed setTimeout of a few seconds did fix it for me.

[Marak]

Yeah, I think perhaps one process.nextTick in the right place might fix it for you. Even a setTimeout of 1 or 0.

I think bug somewhere in async calls for passport or in the passport adapter you are using.

[Marak]

Also possible bug in your implementation code of passport. I didn't really read the code too much.

[TitaneBoy]

The "setTimeout" worked for me only once...and it was after 10s. I am not able anymore to reproduce it, event after 15 sec. I am not sure that setTimeout is a solution, even it looks a good idea. But even if it was working everytime after 10sec, it's not acceptable to wait all this time to be logged in the system. What do you think ?

[Marak]

It's not a solution...it's way to diagnosis problem. Is race condition with async calls. Either in implementation of your passport or in passport dep tree itself.

[jamesplease]

I've got it on my todo to spend more time trying to figure this out. I'll post an update when I've got one ✌️

Yeah, I think perhaps one process.nextTick in the right place might fix it for you. Even a setTimeout of 1 or 0.

That'd be great.

I think bug somewhere in async calls for passport or in the passport adapter you are using.

Yeah, that might be.

Also possible bug in your implementation code of passport. I didn't really read the code too much.

Npnp. Yeah, that's definitely a possibility. I've tried a few different configurations based on existing projects. They all had the same problem.

[arzavj]

Hey @jmeas! Curious to know if you figured it out, I'm running into the same issue. Thanks a bunch!

[jamesplease]

No updates, but it's still on my todo. It's been a pretty nasty issue to debug when I did look into it. Trust me -- I'll be sure to check back in here once I figure out more. I admit I've turned my attention toward other parts of the project (auth is just one small piece), so it might be some time before I look back into it (weeks or more 🤐)

Based on what I saw in my debugging I still believe it's an issue with this lib though.