Getting "TypeError: Secret string must be provided." in NodeJS application with Passport.js and Express-Session as middleware

Question

Can someone explain to me where the middleware is requiring a secret string? Also, if I set a secret key/value pair in the passport.session options I am still getting the same error message

This is the code

    // using pug since a view engine is required by express
    app.set('views', __dirname)
    app.set('view engine', 'pug')

    app.use(cookieParser(secretConfig))
    // parse application/json
    app.use(bodyParser.json())

    // parse application/x-www-form-urlencoded
    app.use(bodyParser.urlencoded({ extended: false }))


    app.use(passport.initialize());
    app.use(passport.session({
      resave: false,
      saveUninitialized: true,
      failureFlash: true
    }));

    //app.use(flash());

    // Load the REST endpoints
    app.use('/api', require('./endpoints/whatever/router'))
    app.use('/api', require('./endpoints/login/router'))

    // app.use('/api', require('./users/router'))
    // Repeat the above line for additional model areas ("deals", "vehicles",         etc)


    app.use('/graphql', graphqlHTTP({
        schema: schema,
        rootValue: root,
        graphiql: true
    }));        

Answer 1

This doesn't like right to me:

app.use(passport.session({
    resave: false,
    saveUninitialized: true,
    failureFlash: true
}));

I believe you need something like this:

var session = require('express-session');

app.use(session({
    resave: false,
    saveUninitialized: true,
    secret: 'secret here'
});

app.use(passport.initialize());
app.use(passport.session());

Even though you mention 'Express-Session' in your title the code sample you posted doesn't actually use it. It is not the same passport.session.

Unless you're using it for something else you can also remove the cookie-parser as the latest version of express-session doesn't need it.