
Setting access token cookie in Loopback?


I got it to work. The cookie wasn't being signed.

I'm pretty much new to Express and lower-level stuff like this. I remembered reading that the cookie had to be signed but it slipped my mind that I had to pass "signed: true".

Here is my issue on GitHub, if that helps anyone else.


Here are the detailed steps:

  1. Run `npm install --save cookie-parser`
  2. Run `npm install --save express-session`
  3. Modify your server.js so that you add cookieParser and define a cookie secret:

    var cookieParser = require('cookie-parser');

    app.use(cookieParser('a random quote'));

This code should appear before

    app.set('views', './server/views');
    app.set('view engine', 'ejs');

When you log the user in, create a signed cookie. It is important that the cookie is signed, because Loopback will not read unsigned cookies. For example:

    router.post('/login', function(req, res) {
        User.login({
            email: req.body.email,
            password: req.body.password
        }, 'user', function(err, token) {
            if (err) {
                if (err.details && err.code === 'LOGIN_FAILED_EMAIL_NOT_VERIFIED') {
                    res.render('reponseToTriggerEmail', {
                        title: 'Login failed',
                        content: err,
                        redirectToEmail: '/api/users/' + err.details.userId + '/verify',
                        redirectTo: '/',
                        redirectToLinkText: 'Click here',
                        userId: err.details.userId
                    });
                } else {
                    res.render('response', {
                        title: 'Login failed. Wrong username or password',
                        content: err,
                        redirectTo: '/',
                        redirectToLinkText: 'Please login again'
                    });
                }
                return;
            }
            // signed: true is required; Loopback only reads the token from a signed cookie
            res.cookie('access_token', token.id, { signed: true, maxAge: 300000 });
            res.render('engine', {
                email: req.body.email,
                accessToken: token.id,
                redirectUrl: '/api/users/change-password?access_token=' + token.id
            });
        });
    });

And that's it.