1

I would like to redirect to the login page with an error message when someone tries to access my admin page without authenticating, i.e. when someone tries to bypass the login page.

This is my admin endpoint:

server.get('/admin', isLoggedIn, function (req, res) {
    console.log('Trying to access admin section')
    res.render('admin', {
        user: req.user //get the user out of session and pass to template
    })
});

which contains the following isLoggedIn middleware:

function isLoggedIn(req, res, next) {
    if (req.isAuthenticated())
        return next();
    console.log('Someone is trying to access this page without being authenticated')
    req.flash('loginMessage', 'You need to be authenticated to access this page');
    console.log(req.flash('loginMessage'))
    res.redirect('/login')
}

the login access point is defined as the following:

server.get('/login', function (req, res) {
    console.log('Using login route');
    res.render('login',
        {message: req.flash('loginMessage')}
        );
});

My problem is, when someone tries to access the admin page directly, the flash message doesn't show up. However, when trying to log in with fake credentials, the error messages do show up in the login page. For information, this is how my post login route is set up:

server.post('/login', passport.authenticate('local-login', {
    successRedirect:'/admin', // redirect to the secure profile section
    failureRedirect:'/login', //redirect back to the login page if there is an error
    failureFlash: true //allow Flash messages
}));

And I get the following messages in the terminal:

Someone is trying to access this page without being authenticated
[ 'You need to be authenticated to access this page' ]
GET /admin 302 8.859 ms - 68
Using login route
GET /login 200 79.373 ms - 1930
ki9
Bondifrench
  • Right now, can a user who is not authenticated access the admin page? – limekin Jun 05 '15 at 04:07
  • No, a user not authenticated can not access the admin page. My problem is not with the authentication, it's with passing a connect-flash message to my redirect. – Bondifrench Jun 05 '15 at 04:31
  • Are you able to display flashes by using other simple routes? For example set a flash at '/setflash' and redirect it to '/flash' and view it there. – limekin Jun 05 '15 at 07:59
  • Not sure I understand your comment, when I put a wrong password in the login page or I log in with a user name that is not already in the db (i.e. registered), I do have the correct flash messages being displayed, same for instance if I am on the register page and I use an already used login, flash messages are being displayed. – Bondifrench Jun 05 '15 at 08:36
  • Okay I just wanted to know if you have set up flash properly, since there weren't any other places where you are using it in the code (except passport's, thought it had a different flash, but I was wrong when I checked it). – limekin Jun 05 '15 at 08:53
  • That did the trick! I tend to use `console.log` a lot to debug my applications, did not think of this possibility. Do you want to answer the post instead of commenting, so I can give you the stackoverflow points for it? – Bondifrench Jun 06 '15 at 01:11
  • Yeah sure! Glad that you cared to :). – limekin Jun 06 '15 at 11:38
  • Okay I'm deleting the answer parts from the comments. – limekin Jun 06 '15 at 11:48

2 Answers

2

In connect-flash, when you are retrieving the flash messages set on a key with req.flash(<key>), it copies the messages of the <key> to a temp array, DELETES the messages for that <key> from the connect-flash's internal flash message store and then returns that temp array.

So the flash('loginMessage') returns empty at route '/login', because you have previously retrieved it at isLoggedIn's console.log(req.flash('loginMessage')).

I found it when I checked the sources of connect-flash. It's here: flash.js of connect flash. The examples in there should give you the idea quickly.

limekin
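
The read-once behaviour described in this answer, as an added example that is not part of the original answer and not connect-flash's own code: a simplified model of req.flash() run against the question's middleware, with the consuming debug read beside a non-consuming one that inspects req.session.flash, where connect-flash keeps its messages. makeReq, loginLocals and simulate are hypothetical helpers, and the res object is a constructed stub.

```javascript
// Simplified model of connect-flash's req.flash(): reading a key returns its
// messages and deletes them from req.session.flash.
function flash(type, msg) {
  const msgs = (this.session.flash = this.session.flash || {});
  if (type && msg) return (msgs[type] = msgs[type] || []).push(msg);
  if (type) {
    const arr = msgs[type] || [];
    delete msgs[type]; // read-once: a second read of this key returns []
    return arr;
  }
  this.session.flash = {};
  return msgs;
}

// Hypothetical stand-in for an Express request bound to a session.
const makeReq = (session) => ({ session, flash });

// The question's middleware (unauthenticated path): the debug read consumes.
function isLoggedInBuggy(req, res) {
  req.flash('loginMessage', 'You need to be authenticated to access this page');
  console.log(req.flash('loginMessage')); // empties the key before the redirect
  res.redirect('/login');
}

// Debugging without consuming: look at the session store, do not call flash().
function isLoggedInFixed(req, res) {
  req.flash('loginMessage', 'You need to be authenticated to access this page');
  console.log(req.session.flash.loginMessage); // peek only, nothing deleted
  res.redirect('/login');
}

// Template locals built the way the question's GET /login handler builds them.
const loginLocals = (req) => ({ message: req.flash('loginMessage') });

// Simulate GET /admin, then the redirected GET /login, on the same session.
function simulate(middleware) {
  const session = {}; // constructed; survives across both requests
  let location = null;
  middleware(makeReq(session), { redirect: (to) => { location = to; } });
  return { location, locals: loginLocals(makeReq(session)), session };
}
```
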
0

In case anyone is coming to this and the selected answer doesn't work, consider trying the following. I've had the same issue but wasn't "consuming" the key at any stage using console.log etc.

The problematic version of the code was as follows. I called these instructions in a POST route:

req.flash('errorMessage', errors.array().map(err => err.msg));
res.redirect('/profile');

Where the GET route for 'profile' renders an EJS template with errorMessage: req.flash('errorMessage') among its inputs.

What worked for me was assigning my error messages (errors.array().map(err => err.msg)) to a variable and passing that variable to connect-flash, like so:

var errMsgs = errors.array().map(err => err.msg);
req.flash('errorMessage', errMsgs);
res.redirect('/profile');

Hope this helps.

GroomedGorilla