Core: [Auth] logged user persist on all requests even from other clients

Created on 19 Oct 2016 · 18Comments · Source: adonisjs/core

I noticed that after a user logs in, that user becomes logged in on other browsers, even on Postman !!.

My config:

authenticator: session
session: cookie

So to make reproduction of the issue easier I packaged a minimal Adonis app having the issue

Steps to reproduce:

npm install
./ace migration:run
npm run dev
Browse to http://localhost:3333
Create a user
Login
Browse/request to http://localhost:3333 from other browsers, postman or curl and notice the currentUser username on the top of the page

curl -X GET -H "Cache-Control: no-cache" "http://localhost:3333"

Source

helnokaly

Most helpful comment

It happened even from different domains as well. But change session driver to file may solve this. Not sure why.

kuntapong on 26 Oct 2016

👍3

All 18 comments

Hey @helnokaly !

Thanks for your report! ❤️

@thetutlage and myself will look into it soon!

RomainLanz on 20 Oct 2016

❤1 👍1

It happened even from different domains as well. But change session driver to file may solve this. Not sure why.

kuntapong on 26 Oct 2016

👍3

Thanks for your contribution @kuntapong !

I have tried to debug it this morning but I can't figure out how this is possible (at the moment). The weird thing is I have an application build with Adonis running in production without this problem (https://www.qualitas-helvetica.ch/).

Going to debug deeper this afternoon. 💪

RomainLanz on 26 Oct 2016

@helnokaly Can u please confirm by installing adonis-framework from github? Later I will publish it to npm.

thetutlage on 30 Oct 2016

I think I may have filed a duplicate issue here: https://github.com/adonisjs/adonis-auth/issues/22

howdoicomputer on 1 Nov 2016

Also, that commit seems to break the auth middleware entirely. I used npm to grab the latest commit from GitHub and now it... looks like the CSRF token is stripped before the auth middleware can validate it?

Error: csrf secret missing
    at Shield._validateCsrf (/home/tyler/workspace/work/noc_dashboard/node_modules/adonis-middleware/src/Shield/index.js:162:21)
    at Shield.handle (/home/tyler/workspace/work/noc_dashboard/node_modules/adonis-middleware/src/Shield/index.js:248:12)
    at handle.next (<anonymous>)
    at onFulfilled (/home/tyler/workspace/work/noc_dashboard/node_modules/co/index.js:65:19)
    at process._tickCallback (internal/process/next_tick.js:103:7)

howdoicomputer on 1 Nov 2016

   * @public
   */
  _validateCsrf (request, csrfSecret) {
    /**
     * @description throw error when unable to find csrf secret
     */
    if (!csrfSecret) {
      const error = new Error('csrf secret missing')
      error.status = 403
      error.code = 'EBADCSRFTOKEN'

Another stacktrace. I'm playing around on my fork.

howdoicomputer on 1 Nov 2016

@thetutlage Also, it doesn't seem like the auth middleware supports different session drivers? I've tried the Redis and File driver to back sessions and I get Error: CSRF secret missing when I attempt a login.

Works fine with cookies as the driver but then... everyone can login when a single user is logged in.

howdoicomputer on 1 Nov 2016

I slept and woke up and poked at it some more and my yowling was mostly my fault.

I got session based authentication working using the Redis driver. The problem I was having before was that the secure option was set to true (my bad) in config/session.js and that messed with the CSRF token being received by the backend when serving the website over HTTP. Since I was just running on localhost it _looked_ like everything was broken since everything ran fine with the session being established via the cookie driver - when I switched to the latest code/used a different driver everything broke.

However, I revisited testing out your change @thetutlage and can verify that it works when the secure option for sessions is set to false. I sign in, access an auth middleware controlled route, open an incognito window, and I'm denied access like expected. Thanks for the commit!

howdoicomputer on 1 Nov 2016

Cool, will release it soon with some other changes

thetutlage on 2 Nov 2016

Published as 3.0.4 in adonis-framework

thetutlage on 2 Nov 2016

❤2

@thetutlage sorry for the late reply, I tested it an it's fixed but is there a possibility that concurrent requests may share the same session before it is cleared?

helnokaly on 6 Nov 2016

@helnokaly Seems correct. Since drivers are singleton this will cause issue with Cookie driver.

Let me add a concept of singleton and non-singleton drivers since drivers like Redis should not open a new connection on each request and should be singleton, whereas drivers like Cookie should have a new instance tied to each request.

Thanks for bringing this up

thetutlage on 7 Nov 2016

👍2

@helnokaly What about something like this
https://github.com/adonisjs/adonis-framework/commit/c784fbb5a70d189957e27885ec49fc6d4e7f8159

In short drivers can decide whether they need a fresh instance per request or not. If they want they should implement fresh method, which will return the instance to be treated as a valid driver.

thetutlage on 7 Nov 2016

@thetutlage looks good and reasonable to me, thanks.
I'm curious if there is a big performance hit with one instance per request approach.

helnokaly on 7 Nov 2016

Nope as soon as request finishes GC will clear it

thetutlage on 7 Nov 2016

👍1

Great :+1:

helnokaly on 7 Nov 2016

This thread has been automatically locked since there has not been any recent activity after it was closed. Please open a new issue for related bugs.

lock[bot] on 11 Mar 2020

Was this page helpful?

0 / 5 - 0 ratings

Related issues

How do you return the old exception handler?

codingphasedotcom · 3Comments

Why there is no MongoDB!????

dezashibi · 4Comments

535 node_modules?

Extarys · 4Comments

Is it possible using function selectRaw in Adonis?

umaams · 3Comments

parse error while filtering data by created_at

krunaldodiya · 3Comments