Error in Passport-Azure-Ad cookieContentHandler.js when using cookies instead of sessions
bhedge opened this issue · 1 comments
When using the OIDCStrategy in passport-azure-ad, looking to use cookies instead of sessions to retain the security token and to go completely stateless. Receiving an error in the Passport-Azure-Ad file cookieContentHandler.js when it attempts to set the cookie on the response. The request is populated with the Koa context object and can be utilized when the code is changed like below:
```js
// modified code in passport-azure-ad cookieContentHandler.js:
req.cookies.set('passport-aad.' + Date.now() + '.' + encrypted, 0, { maxAge: this.maxAge * 1000, httpOnly: true } );
// original code in passport-azure-ad cookieContentHandler.js:
// res.cookie('passport-aad.' + Date.now() + '.' + encrypted, 0, { maxAge: this.maxAge * 1000, httpOnly: true });
```
Is it possible to have the res object be passed in to this module by the caller? I am new to Koa and may be making a mistake in my call or possibly have something out of order in the middlewares.
Here is the section of code that calls this one:
```js
app.use(authRouter.post('/auth/openid/return', async function (ctx, next) {
  await next();
  await passport.authenticate('azuread-openidconnect', {
    session: false,
    response: ctx,
    successRedirect: '/index.html',
    failureRedirect: '/auth/login.html'
  })(ctx, next)
}));
```
Even when setting the response explicitly to `ctx` or `ctx.response`, the `res` object is not populated in `CookieContentHandler.prototype.add = function(req, res, tupleToAdd) { ...`
Is it possible to have the res object be passed in to this module by the caller? I am new to Koa and may be making a mistake in my call or possibly have something out of order in the middlewares. Thank you for maintaining this package... if I could figure out how to fix it I would submit a PR. The problem may very well be in passport-azure-ad and cannot be fixed by the calls made by koa-passport but wanted to reach out and ask.
Thank you!
I've had the same problem.
The problem is not in koa-passport.
Find
```js
await passport.authenticate('azuread-openidconnect',
  {
    response: ctx.response, // <- this is response object that does not have cookie function
    failureRedirect: '/'
  }
)(ctx, next);
```
It should be somewhere in your code.
Just add this line:
```js
ctx.response.cookie = function(name, value, params){ctx.cookies.set(name, value, params)};
```
In our case you are passing ctx as response, so you should modify the line above to
```js
ctx.cookie = function(name, value, params){ctx.cookies.set(name, value, params)};
```
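The workaround from the comment above, written as a reusable Koa middleware that covers both `response: ctx` and `response: ctx.response`. This is an added example, not code from the thread, koa-passport or passport-azure-ad; `expressCookieShim`, `installCookieShim`, `makeFakeCtx` and `demo` are hypothetical names, and the fake context is a constructed stand-in for Koa's `ctx`.

```javascript
// Added example. expressCookieShim, installCookieShim, makeFakeCtx and demo
// are hypothetical names, not part of koa-passport or passport-azure-ad.

// Build an Express-style res.cookie(name, value, options) bound to a Koa ctx.
function expressCookieShim(ctx) {
  return function cookie(name, value, options) {
    const opts = Object.assign({}, options);
    // Keep the encrypted state cookie unreadable to page scripts.
    opts.httpOnly = true;
    // Express stringifies non-object values (0 becomes "0"); do the same so
    // the numeric 0 from cookieContentHandler.js is not handed to Koa as a
    // falsy value.
    ctx.cookies.set(name, String(value), opts);
    return this; // Express's res.cookie() returns res for chaining
  };
}

// Koa middleware: register it before the route that calls
// passport.authenticate(), so the shim exists whether the route passes
// `response: ctx` or `response: ctx.response`.
function installCookieShim() {
  return async function (ctx, next) {
    for (const target of [ctx, ctx.response]) {
      if (typeof target.cookie !== 'function') target.cookie = expressCookieShim(ctx);
    }
    await next();
  };
}

// Constructed stand-in for a Koa context, so the example runs without Koa.
function makeFakeCtx() {
  const calls = [];
  const cookies = { set: (name, value, options) => calls.push({ name, value, options }) };
  return { ctx: { cookies, response: {} }, calls };
}

// Same call shape as the original cookieContentHandler.js line in the issue;
// the timestamp, payload and maxAge are constructed sample values.
async function demo() {
  const { ctx, calls } = makeFakeCtx();
  await installCookieShim()(ctx, async () => {
    ctx.response.cookie('passport-aad.1700000000000.ENCRYPTED', 0, { maxAge: 900 * 1000 });
  });
  return calls;
}

demo().then((calls) => console.log(calls));
```

Register it with `app.use(installCookieShim())` ahead of the auth router so the shim is in place when the strategy sets its cookie.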