Setting access token cookie in Loopback?

2

6

I want to use cookies to keep a user logged in.

On this page here they say

To use cookies for authentication, add the following to server.js (before boot):

app.use(loopback.token({ model: app.models.accessToken }));

Seemed simple enough. I figured the cookies were set by Loopback automatically during the login process, but it's still not working: I checked my cookies in Chrome dev tools and none are set.

Am I missing something? Otherwise, what's the best way to hook into the login method to have it set the cookie/header?

I found docs on the loopback.token() method here, which says exactly where it checks for the token.

Hertz answered 13/3, 2016 at 10:57 Comment(1)
I have had success with setting the cookie with 'res.setHeader('Set-Cookie','access_token='+ token.id);' and seeing it in the browser, but I must admit I don't know how to actually use the token in Loopback. Even though the cookie is set, Loopback doesn't grab the User associated with the cookie. - Groceryman
2

I got it to work. The cookie wasn't being signed.

I'm pretty much new to Express and lower-level stuff like this. I remembered reading that the cookie had to be signed but it slipped my mind that I had to pass "signed: true".

My issue on Github if that helps anyone else.

Hertz answered 7/6, 2016 at 22:41 Comment(2)
@anonymouse I replied to a comment on Github with my code snippet: github.com/strongloop/loopback/issues/2142 - Hertz
But if we have a built-in user model, in which file can we set the cookie? - Ascospore
0

Here are the detailed steps:

  1. Do npm install --save cookie-parser
  2. And npm install --save express-session
  3. Modify your server.js so that you add cookieParser and define a Cookie Secret,

    var cookieParser = require('cookie-parser');

    app.use(cookieParser('a random quote'));

This code should appear before

app.set('views', './server/views');
app.set('view engine', 'ejs');

When you log in the user, create a signed cookie. It is important that it is a signed cookie because Loopback will not read unsigned cookies. For example:

router.post('/login', function(req, res) {
    User.login({
        email: req.body.email,
        password: req.body.password
    }, 'user', function(err, token) {
        if (err) {
            // Login failed: render an error page and return before any cookie is set.
            if (err.details && err.code === 'LOGIN_FAILED_EMAIL_NOT_VERIFIED') {
                res.render('reponseToTriggerEmail', {
                    title: 'Login failed',
                    content: err,
                    redirectToEmail: '/api/users/' + err.details.userId + '/verify',
                    redirectTo: '/',
                    redirectToLinkText: 'Click here',
                    userId: err.details.userId
                });
            } else {
                res.render('response', {
                    title: 'Login failed. Wrong username or password',
                    content: err,
                    redirectTo: '/',
                    redirectToLinkText: 'Please login again'
                });
            }
            return;
        }

        // Signed cookie holding the access token id; maxAge is in milliseconds (300000 ms = 5 minutes).
        res.cookie('access_token', token.id, { signed: true, maxAge: 300000 });

        res.render('engine', {
            email: req.body.email,
            accessToken: token.id,
            redirectUrl: '/api/users/change-password?access_token=' + token.id
        });
    });
});

And that's it.

Reece answered 13/9, 2017 at 19:51 Comment(0)
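
What "signed" means in the answers above, as an added example that is not code from the original posts or from Loopback: it rebuilds the `s:<value>.<HMAC-SHA256>` format that Express and cookie-parser use for signed cookies with Node's `crypto` module only, and shows that a token lookup restricted to verified cookies ignores a plain or tampered `access_token`. `splitCookies`, `tokenFromRequest`, `SECRET` and `TOKEN` are hypothetical names and constructed values, and URL-encoding of the cookie value is left out.

```javascript
const crypto = require('crypto');

// HMAC-SHA256 of the value, base64-encoded with '=' padding stripped.
function mac(value, secret) {
  return crypto.createHmac('sha256', secret).update(value)
    .digest('base64').replace(/=+$/, '');
}

// What res.cookie(name, value, { signed: true }) stores: "s:<value>.<mac>".
function signCookie(value, secret) {
  return 's:' + value + '.' + mac(value, secret);
}

// Returns the original value if the signature verifies, otherwise false.
function unsignCookie(raw, secret) {
  if (typeof raw !== 'string' || !raw.startsWith('s:')) return false;
  const body = raw.slice(2);
  const dot = body.lastIndexOf('.');
  if (dot < 0) return false;
  const value = body.slice(0, dot);
  const given = Buffer.from(body.slice(dot + 1));
  const expected = Buffer.from(mac(value, secret));
  // Constant-time compare; timingSafeEqual throws on unequal lengths, so check first.
  if (given.length !== expected.length || !crypto.timingSafeEqual(given, expected)) {
    return false;
  }
  return value;
}

// Split raw cookies the way a signed-cookie parser does: plain values stay in
// cookies, "s:" values move to signedCookies (false when the signature fails).
function splitCookies(rawCookies, secret) {
  const cookies = {}, signedCookies = {};
  for (const [name, raw] of Object.entries(rawCookies)) {
    if (!raw.startsWith('s:')) cookies[name] = raw;
    else signedCookies[name] = unsignCookie(raw, secret);
  }
  return { cookies, signedCookies };
}

// Token lookup that trusts only verified cookies (hypothetical helper).
function tokenFromRequest(req) {
  const id = req.signedCookies.access_token;
  return typeof id === 'string' ? id : null;
}

const SECRET = crypto.randomBytes(32).toString('hex'); // generated, not a guessable phrase
const TOKEN = 'CONSTRUCTED_TOKEN_ID_0001';             // constructed sample value
```

Signing only protects the cookie's integrity; the token id is still readable by anything that can see the cookie. The standard `res.cookie` options `httpOnly: true` and `secure: true` keep it away from page scripts and plain-HTTP connections.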
