I'm currently developing:
- (data distribution service) a backend service that stores and distributes data (product data, transaction data, etc.);
- (credential service) a backend service that handles user credentials.
So here is the flow:
- the user sends credential data from the client to the credential service
- the credential service saves the token in the session and persists it to the MySQL session store
- the credential service then responds with the credential data, which is saved in the client's cookies
- after that, when the user tries to fetch data from the data distribution service, the data distribution service tries to load the saved session; I tried to fetch it with a simple `req.session`, as in the code below
- but `req.session.refreshTokens` returns null
- this is the code in the data distribution service where I try to fetch and validate it
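/**
 * Express middleware: lets the request through only if it carries a
 * server-side session holding refresh tokens AND a valid, OTP-verified JWT
 * access token.
 *
 * Checks, in order (each failing check ends the request):
 *   1. `req.session` exists and has `refreshTokens`            -> 401
 *   2. an `Authorization: <scheme> <token>` header is present  -> 401
 *   3. the token verifies against APP_ACCESS_TOKEN_SECRET       -> 401
 *   4. the decoded payload has `OTPVerified` set                -> 403
 * On success the decoded payload is stored in `req.user` and `next()` runs.
 *
 * @param {import('express').Request} req
 * @param {import('express').Response} res
 * @param {import('express').NextFunction} next
 */
async function checkAuth(req, res, next) {
  // Check the user session.
  // NOTE(review): req.session is only populated here if the browser sends the
  // "FOREFRONT-SESSION" cookie to *this* service and this service's session()
  // middleware uses the same secret and store that the credential service
  // wrote to — verify the cookie's host/domain and that both secrets match.
  if (!req.session) return res.sendStatus(401);
  if (!req.session.refreshTokens) {
    return res.status(401).send(SESSION_TOKEN_NOT_FOUND);
  }

  // Check the JWT in the header. `split(" ")[1]` yields `undefined` (never
  // `null`) when the header is missing or has no second part, and `""` for a
  // bare scheme, so the old `token === null` test never fired; test for
  // absence with a falsy check instead.
  const authHeader = req.headers["authorization"];
  const token = authHeader && authHeader.split(" ")[1];
  if (!token) return res.status(401).send(USER_UNAUTHORIZED);

  // Verify JWT access token.
  jwt.verify(token, process.env.APP_ACCESS_TOKEN_SECRET, (err, user) => {
    // A bad or expired token is a client-side authentication failure, not a
    // server fault: answer 401 and do not echo the verifier's error object
    // (it tells the caller exactly why the token was rejected).
    if (err) return res.status(401).send(USER_UNAUTHORIZED);
    if (!user.OTPVerified) return res.status(403).send(PLEASE_VERIFY_OTP);
    req.user = user;
    next();
  });
}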
- these are the settings in the data distribution service
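/**
 * Applies the shared Express middleware stack to `app` and returns it.
 *
 * Registers, in order: body parsers, proxy trust for deployed stages, CORS
 * with credentials, cookie parsing, the express-session middleware backed by
 * `sequelizeSessionStore`, and a catch-all error handler.
 *
 * @param {import('express').Express} app - the application to configure
 * @param {typeof import('express')} express - the express module, used for
 *   its body-parser factories
 * @returns {import('express').Express} the same `app`, for chaining
 */
const AppConfig = (app, express) => {
  // PROD and PREPROD are the deployed stages; every stage-dependent setting
  // below keys off this single flag instead of repeating the comparison.
  const isDeployed =
    process.env.APP_STATE === PROD || process.env.APP_STATE === PREPROD;

  // Express app config
  app.locals.pluralize = require("pluralize");
  app.use(logger("dev"));
  app.use(express.json());
  app.use(express.urlencoded({ extended: false }));
  // Behind a reverse proxy, trust X-Forwarded-* so `req.secure` reflects the
  // client's HTTPS connection and the `secure` session cookie can be issued.
  if (isDeployed) app.set("trust proxy", 1);

  // CORS establishment — `credentials: true` is what allows the browser to
  // attach the session cookie to cross-origin requests.
  app.use(
    cors({
      origin: CORSConfiguration(),
      credentials: true,
      optionsSuccessStatus: 200, // some legacy browsers (IE11, various SmartTVs) choke on 204
    })
  );

  // Tool to parse cookie
  app.use(cookieParser());

  // Establish session configuration
  app.use(
    session({
      secret: process.env.APP_SESSION_SECRET,
      name: "FOREFRONT-SESSION",
      cookie: {
        // In order to respond to both first-party and cross-site requests.
        // `false` omits the attribute entirely; browsers then apply their own
        // default (Lax in current browsers), which withholds the cookie on
        // cross-site XHR/fetch — relevant if the two services run on
        // different sites outside PROD/PREPROD.
        sameSite: isDeployed ? "none" : false,
        // SameSite=None is only honoured by browsers together with Secure.
        secure: isDeployed,
        // NOTE(review): client-side JS never needs the session cookie, so
        // `httpOnly: true` unconditionally would be the safer setting.
        httpOnly: isDeployed,
        maxAge: 3 * 60 * 60 * 1000, // 3 hours
      },
      resave: false, // don't save session if unmodified
      rolling: true, // refresh the session max age on every response
      saveUninitialized: false,
      store: sequelizeSessionStore,
    })
  );

  // const csrfProtection = csrf({
  //   cookie: false,
  // });

  // Global error handler. Express only routes errors to handlers registered
  // *after* the middleware/route that raised them, so this covers only what is
  // mounted above it; routes mounted after AppConfig() returns are not
  // covered. The error is logged (it used to be dropped silently) and never
  // echoed to the client. The 4-arg signature is what marks this as an error
  // handler, so `next` must stay even though it is unused.
  app.use((err, req, res, next) => {
    console.error(err);
    res.status(500).send("Something went wrong!");
  });
  // app.use(csrfProtection);

  return app;
};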
- these are the settings in the credential service (more or less the same as in the data distribution service)
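/**
 * Applies the shared Express middleware stack to `app` and returns it.
 *
 * Registers, in order: body parsers, proxy trust for deployed stages, CORS
 * with credentials, cookie parsing, the express-session middleware backed by
 * `sequelizeSessionStore`, and a catch-all error handler.
 *
 * @param {import('express').Express} app - the application to configure
 * @param {typeof import('express')} express - the express module, used for
 *   its body-parser factories
 * @returns {import('express').Express} the same `app`, for chaining
 */
const AppConfig = (app, express) => {
  // PROD and PREPROD are the deployed stages; every stage-dependent setting
  // below keys off this single flag instead of repeating the comparison.
  const isDeployed =
    process.env.APP_STATE === PROD || process.env.APP_STATE === PREPROD;

  // Express app config
  app.locals.pluralize = require("pluralize");
  app.use(logger("dev"));
  app.use(express.json());
  app.use(express.urlencoded({ extended: false }));
  // Behind a reverse proxy, trust X-Forwarded-* so `req.secure` reflects the
  // client's HTTPS connection and the `secure` session cookie can be issued.
  if (isDeployed) app.set("trust proxy", 1);

  // CORS establishment — `credentials: true` is what allows the browser to
  // attach the session cookie to cross-origin requests.
  app.use(
    cors({
      origin: CORSConfiguration(),
      credentials: true,
      optionsSuccessStatus: 200, // some legacy browsers (IE11, various SmartTVs) choke on 204
    })
  );

  // Tool to parse cookie
  app.use(cookieParser());

  // Establish session configuration. The cookie name, secret and store must
  // match the data distribution service's for a session created here to be
  // readable there.
  app.use(
    session({
      secret: process.env.APP_SESSION_SECRET,
      name: "FOREFRONT-SESSION",
      cookie: {
        // In order to respond to both first-party and cross-site requests.
        // `false` omits the attribute entirely; browsers then apply their own
        // default (Lax in current browsers), which withholds the cookie on
        // cross-site XHR/fetch — relevant if the two services run on
        // different sites outside PROD/PREPROD.
        sameSite: isDeployed ? "none" : false,
        // SameSite=None is only honoured by browsers together with Secure.
        secure: isDeployed,
        // NOTE(review): client-side JS never needs the session cookie, so
        // `httpOnly: true` unconditionally would be the safer setting.
        httpOnly: isDeployed,
        maxAge: 3 * 60 * 60 * 1000, // 3 hours
      },
      resave: false, // don't save session if unmodified
      rolling: true, // refresh the session max age on every response
      saveUninitialized: false,
      store: sequelizeSessionStore,
    })
  );

  // const csrfProtection = csrf({
  //   cookie: false,
  // });

  // Global error handler. Express only routes errors to handlers registered
  // *after* the middleware/route that raised them, so this covers only what is
  // mounted above it; routes mounted after AppConfig() returns are not
  // covered. The error is logged (it used to be dropped silently) and never
  // echoed to the client. The 4-arg signature is what marks this as an error
  // handler, so `next` must stay even though it is unused.
  app.use((err, req, res, next) => {
    console.error(err);
    res.status(500).send("Something went wrong!");
  });
  // app.use(csrfProtection);

  return app;
};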
AND THE QUESTIONS ARE:
1. Is there something wrong with what I did, so that I can't fetch the token?
2. Do I need to make an XHR request from the data distribution service to the credential service to check the token?
TIA :)