Authentication on different subdomain


joel

May 11, 2015, 1:58:21 PM
to nod...@googlegroups.com
I am working on an existing code base that someone else wrote. It's Angular + Node.js.
I am trying to split it into 2 apps: serving Angular with nginx and an API service using Node.js.

I have nginx as a reverse proxy. The Angular app is running on port 3001 and the API on 3000.
The problem is that after a successful login (using the passport local strategy), the next API call is made with no cookie in the request (I see it in the Chrome console).
After reading https://github.com/jaredhanson/passport/issues/12 I added .my-site.com to the express session middleware but it's still not working. Any tips?

Thanks!

var express = require('express');
var favicon = require('serve-favicon');
var logger = require('morgan');
// var cookieParser = require('cookie-parser')
var bodyParser = require('body-parser');
var session = require('express-session');
var allowCrossDomain = require('./allow_cross_domain.js');
var app = express();

// middlewares

// app.use(cookieParser);   // I am not sure why it's commented out. If I uncomment this, things don't work.
app.use(bodyParser.json());
app.use(bodyParser.urlencoded({ extended: false }));
app.use(session({ secret: 'sBio', cookie: { maxAge: 4320000, domain: '.my-site.com' }, resave: false, saveUninitialized: false }));
app.use(allowCrossDomain);

// routes
...
...
...


zladuric

May 12, 2015, 8:53:22 AM
to nod...@googlegroups.com
Two things.

1. cookieParser is commented because in the present state it's not a middleware, just a function that returns one (I think, didn't check it).
If you used `app.use(cookieParser());` instead, I believe you would get your cookie.

2. Auth - you have the app.use(session()); in there. This is why your auth works. Basically, session will read its own cookie, even if you don't parse it for other stuff, like reading data in your request (you shouldn't, anyway).

On a side note, you might want to consider removing cookies completely - just return an auth-token on login response instead of session and cookies. Then the client only has the token and you don't manage client state. There is even passport stuff for this.

joel

May 12, 2015, 2:14:05 PM
to nod...@googlegroups.com
Thanks, but I don't understand why the cookie is not being sent on the AJAX request after the user has logged in.
My Angular app is served from foo.my-site.com and the API is served from api-foo.my-site.com, so I added domain: '.my-site.com' to the express-session middleware but it's still not working.
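An added example (not code from the thread) of the cookie scoping the posts discuss: a small implementation of the RFC 6265 domain-matching rules, run against the thread's hosts foo.my-site.com and api-foo.my-site.com, showing which requests a cookie with Domain=.my-site.com is attached to compared with a host-only cookie. The cookie values, and the assumption that the API host is the one setting the session cookie, are constructed for this example.

```javascript
// RFC 6265 section 5.1.3: a request host domain-matches a cookie domain when
// the strings are equal, or when the host ends with the domain and the
// character before that suffix is a dot (so "evil-my-site.com" never matches).
function domainMatches(requestHost, cookieDomain) {
  const host = requestHost.toLowerCase();
  const domain = cookieDomain.toLowerCase();
  if (host === domain) return true;
  return host.endsWith(domain) && host.charAt(host.length - domain.length - 1) === '.';
}

// Model how a browser stores one Set-Cookie header received from settingHost.
// RFC 6265 section 5.2.3: a leading dot in Domain= is ignored, and a missing
// Domain attribute makes the cookie host-only (returned only to the exact host
// that set it). Public-suffix rejection is omitted to keep the example short.
function storeCookie(settingHost, setCookieHeader) {
  const parts = setCookieHeader.split(';').map((p) => p.trim());
  const eq = parts[0].indexOf('=');
  const name = parts[0].slice(0, eq);
  const value = parts[0].slice(eq + 1);
  const domainAttr = parts.slice(1).find((p) => p.toLowerCase().startsWith('domain='));
  if (!domainAttr) {
    return { name, value, domain: settingHost.toLowerCase(), hostOnly: true };
  }
  const domain = domainAttr.slice('domain='.length).replace(/^\./, '').toLowerCase();
  // A cookie may not claim a domain that does not cover the host setting it;
  // the browser drops such a cookie.
  if (!domainMatches(settingHost, domain)) return null;
  return { name, value, domain, hostOnly: false };
}

// Would the stored cookie be attached to a request to requestHost?
function isSentTo(cookie, requestHost) {
  if (cookie.hostOnly) return requestHost.toLowerCase() === cookie.domain;
  return domainMatches(requestHost, cookie.domain);
}

// Constructed session cookies: the two variants of the thread's express-session
// configuration, as the API host (assumed to set the cookie) would emit them.
const API_HOST = 'api-foo.my-site.com';
const withDomain = storeCookie(API_HOST, 'connect.sid=abc123; Path=/; HttpOnly; Domain=.my-site.com');
const hostOnly = storeCookie(API_HOST, 'connect.sid=abc123; Path=/; HttpOnly');

for (const host of ['foo.my-site.com', API_HOST, 'evil-my-site.com']) {
  console.log(host, 'domain cookie:', isSentTo(withDomain, host), 'host-only cookie:', isSentTo(hostOnly, host));
}
```

The wider Domain= scope means every host under my-site.com receives the session cookie, so the extra reach is a deliberate trade-off rather than a free fix.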