NestJS Authenticated sessions documentation has major gaps and is seemingly wrong

[Offlein]

I'm submitting a...

[ ] Regression 
[ ] Bug report
[ ] Feature request
[x] Documentation issue or request
[ ] Support request => Please do not submit support request here, instead post your question on Stack Overflow.

Current behavior

"Session" instructions in "Authentication" section of documentation is erroneous and this functionality is otherwise undocumented. (And non-obvious.)

Expected behavior

It should be clear how to implement AuthGuard with a cookie-based sessions.

Please see my comment from Sept. 14 here.

At this point I DO have my browser at least storing a cookie after adding stuff directly to my main.ts, which I think is bad form:

import { NestFactory } from '@nestjs/core';
import { AppModule } from './app.module';
import * as session from 'express-session';
import * as passport from 'passport';

async function bootstrap() {
  const app = await NestFactory.create(AppModule);
    app.use(session({
        secret: 'a secret',
        name: 'abcd',
        resave: true,
        saveUninitialized: true
    }));

    app.use(passport.initialize());
    app.use(passport.session());
  await app.listen(3000);
}
bootstrap();

This at least gets me a cookie with key "abcd" in my Chrome Developer Tools "Application" > "Cookies" section, with a long value (s%3Ac1xPblaYplJQL2DLmfIUVoLdLIbkjsYQ.e8Q69kfkdn1Mm96Clk6BMg4Ea0k647RnIkT2bP60Lwc).

In my custom Guard, I can actually inspect the request and see that it has a session property with a Session object in it. The Session object has an id RUHHx_IvcDIPFWt-9MHeZHruw1bSO7-O which is different from what's stored in my cookie -- but that may be normal. The request object also has a sessionID property, with the same ID... And a sessionStore property with a MemoryStore object that has as property of sessions in it, that's just an empty object.

Going back to the documentation's recommended code: just calling super.logIn(theRequestObject) sends me directly to my Google Auth strategy's serializeUser function, which is supposed to callback with the user that gets passed to it and/or an error.

Unfortunately, there is never any user that gets passed to it. I'm not sure how the User is intended to be retrieved from the session memory store, or where it's intended to be set to the memory store...

So there's a ton of stuff missing here. :(

Environment

Nest version: 5.4.0

For Tooling issues:

• Node version: 8.11.3
• Platform: Fedora 25; Windows 10 x64

Other:
@kamilmysliwiec It seems at least 3 other people are confused about this. It's very frustrating. I think NestJS is so cool, but I took a break from it largely because I was spinning my wheels with this very issue. It would be one thing if I felt like I was just confused, but as it stands the docs are clearly wrong (or at least misleading), so I don't feel like I can move forward.

[Dragory]

Hey, I was tackling with this same issue, and after digging around the code, I found out the docs aren't entirely wrong - just misleading. This seems to work (in your custom AuthGuard):

async canActivate(context: ExecutionContext): Promise<boolean> {
  const request = context.switchToHttp().getRequest();
  const result = (await super.canActivate(context) as boolean);
  await super.logIn(request);
  return result;
}

The reason the User never gets passed to serializeUser in your case is because super.canActivate(context) is actually what runs the strategy's authentication function, which results in the User object. Hence calling super.logIn() (which calls request.logIn(), which sets up sessions etc.) before that (like the docs suggest) doesn't work, since it doesn't have the User object yet.

That being said, I think the docs could be clarified around this:

• It's not immediately clear that AuthGuard passes its own callback to passport.authenticate(), thus bypassing a lot of the usual stuff passport does after a successful authentication - like serializing the user to a session (see here for more details)
• Calling super.logIn(request) like the docs suggest will result in an error. The function needs to be called after super.canActivate(context).

[alex88]

@Dragory yours was the only example I've found on how to extend the AuthGuard, however I get

[Nest] 91203   - 2/16/2019, 4:30:02 PM   [ExceptionsHandler] passport.initialize() middleware not in use +5756ms
Error: passport.initialize() middleware not in use

I don't think we need to use passport.initialize() do we?
Btw I'm just trying to make sure that that the user has the active property true, so trying to use request.user after the logIn call

[Dragory]

@alex88 I call both passport.initialize() and passport.session() in my app. I also have 2 guards: 1 for the login itself (which is what's shown above), and 1 for pages that require you to be logged in, which is basically just this:

canActivate(context: ExecutionContext) {
    const req = context.switchToHttp().getRequest();
    if (!req.user) throw new UnauthorizedException();

    return true;
}

[bzsozsy]

Is there any kick off date to this topic? I implemented my app with jwt authentication, but for some reason I have to change it to cookie based one. However based on the above conversation I leave as is for now and don't mess up my code... :/

[ejhayes]

I was able to get this working -- here's the solution I came up with:

configure sessions and passport to use sessions

In main.ts (or wherever you're settting up nest):

app.use(session({
    secret: 'CHANGEME',
    resave: false,
    saveUninitialized: false,
  }));
  app.use(passport.initialize());
  app.use(passport.session());

session from the express-session package.

guards

I'm using passport-local so my LocalAuthGuard class looks like this:

import { Injectable, ExecutionContext, UnauthorizedException, Logger } from '@nestjs/common';
import { AuthGuard } from '@nestjs/passport';

@Injectable()
export class LocalAuthGuard extends AuthGuard('local') {
    async canActivate(context: ExecutionContext): Promise<boolean> {
        const request = context.switchToHttp().getRequest();
        const result = (await super.canActivate(context) as boolean); // THIS MUST BE CALLED FIRST
        await super.logIn(request);
        return result;
    }

    handleRequest(err, user, info) {
        if (err || !user) {
            throw err || new UnauthorizedException();
        }

        return user;
    }
}

configure the serializer

If you look at the implementation of PassportSerializer (from @nestjs/passport) you'll notice that both serializeUser and deserializeUser are abstract....so they need to be implemented by you. Take a look: https://github.com/nestjs/passport/blob/master/lib/passport/passport.serializer.ts

My barebones serializer looks like this:

import { PassportSerializer } from '@nestjs/passport';
import { Injectable } from '@nestjs/common';

@Injectable()
export class CookieSerializer extends PassportSerializer {
    serializeUser(user: any, done: (err: any, id?: any) => void): void {
        done(null, user);
    }

    deserializeUser(payload: any, done: (err: any, id?: any) => void): void {
        done(null, payload);
    }
}

update auth module

Then in the module (for example I'm using AuthModule), this needs to be included. So my AuthModule class looks like this:

import { Module } from '@nestjs/common';
import { AuthService } from './auth.service';
import { AuthController } from './auth.controller';
import { LocalStrategy } from './strategies/local.strategy';
import { PassportModule } from '@nestjs/passport';
import { CookieSerializer } from './cookie.serializer';

@Module({
    imports: [
        PassportModule.register({session: true}),
    ],
    providers: [AuthService, LocalStrategy, CookieSerializer],
    controllers: [AuthController],
    exports: [PassportModule],
})
export class AuthModule { }

session guard

Create a guard to check to see if the user is in the session.

import { CanActivate, ExecutionContext, UnauthorizedException } from '@nestjs/common';

export class SessionGuard implements CanActivate {
    canActivate(context: ExecutionContext): boolean | Promise<boolean> {
        const httpContext = context.switchToHttp();
        const request = httpContext.getRequest();

        try {
            if (request.session.passport.user) {
                return true;
            }
        } catch (e) {
            throw new UnauthorizedException();
        }

    }
}

putting it all together

Here is how this can be used in a controller:

import { Controller, Get, Post, Param, Body, UseGuards, HttpCode, HttpStatus, Req } from '@nestjs/common';
import { CreateUserDto } from './dto/createUser';
import { AuthGuard } from '@nestjs/passport';
import { LoginCredentialsDto } from './dto/login.dto';
import { LocalAuthGuard } from './guards/local.guard';
import { SessionGuard } from './session.guard';
import { SessionUser } from './sessionuser.decorator';

@Controller('auth')
export class AuthController {
    @Get('me')
    @UseGuards(SessionGuard)
    getMetadataArgsStorage(@SessionUser() user: any) {
        return user;
    }

    @Post('login')
    @HttpCode(HttpStatus.OK)
    @UseGuards(LocalAuthGuard)
    login(@Body() login: LoginCredentialsDto, @Req() req): Promise<any> {
        return;
    }
}

You can test this out with cURL/Postman:

Logging in:

$ curl -X POST http://localhost:3000/auth/login -d "username=jdoe&password=1" -v
*   Trying ::1...
* TCP_NODELAY set
* Connected to localhost (::1) port 3000 (#0)
> POST /auth/login HTTP/1.1
> Host: localhost:3000
> User-Agent: curl/7.54.0
> Accept: */*
> Content-Length: 23
> Content-Type: application/x-www-form-urlencoded
>
* upload completely sent off: 23 out of 23 bytes
< HTTP/1.1 200 OK
< X-Powered-By: Express
< Set-Cookie: connect.sid=s%3ADuKdgMobTzL7pHXa9oszUqYRy2J85Eiv.11yD1Gq3NwgdSASUfBYU%2B7sxBIwLH9bqwv1pGtq2T%2BU; Path=/; HttpOnly
< Date: Thu, 25 Apr 2019 21:44:25 GMT
< Connection: keep-alive
< Content-Length: 0
<
* Connection #0 to host localhost left intact

Then to test it out:

$ curl -X GET http://localhost:3000/auth/me -H 'Cookie: connect.sid=s%3AfBdKLAFybLq6xh13NeET3LDEQjfxv7cD.XyZanjMKgAq9SlBUVcDsCdZxJn0auKCgWZCnczaLczQ' -v
*   Trying ::1...
* TCP_NODELAY set
* Connected to localhost (::1) port 3000 (#0)
> GET /auth/me HTTP/1.1
> Host: localhost:3000
> User-Agent: curl/7.54.0
> Accept: */*
> Cookie: connect.sid=s%3ADuKdgMobTzL7pHXa9oszUqYRy2J85Eiv.11yD1Gq3NwgdSASUfBYU%2B7sxBIwLH9bqwv1pGtq2T%2BU
>
< HTTP/1.1 200 OK
< X-Powered-By: Express
< Content-Type: text/html; charset=utf-8
< Content-Length: 43
< ETag: W/"2b-p23HHgfkAEp1vHx70BYS/ngFWwQ"
< Date: Thu, 25 Apr 2019 21:51:04 GMT
< Connection: keep-alive
<
* Connection #0 to host localhost left intact
{"firstName":"John","lastName":"Doe"}

Thanks @kamilmysliwiec for all your work on NestJS -- seems very slick!

[Abrissirba]

@ejhayes You don't happen to have this example in a public git repo? I don't understand where CookieSerializer is used

[Insidexa]

@Abrissirba add to providers array in module

[johnbiundo]

@Abrissirba This repo implements sessions with a similar pattern: https://github.com/johnbiundo/test-auth-chapter-sample

[NormySan]

The solutions provided in the issue make absolutely zero sense to me as a new user of NestJS.

It would be great if someone could update the documentation with how sessions work together with NestJS, express, express-session, and passport with the local guard.

[Insidexa]

@NormySan The solutions provided in the issue works fine. Its problem not of NestJS its problem people how works sessions.

[johnbiundo]

This article covers sessions in detail. Has been reviewed by the NestJS core team.
https://dev.to/nestjs/authentication-and-sessions-for-mvc-apps-with-nestjs-55a4

I'll wait a few days to see if there are any further comments before closing.

[Insidexa]

Example project how to use session in NestJS https://github.com/Insidexa/nestjs-session-example