为什么使用 Axios 的 MERN 应用程序中的请求不发送 Cookie

Question

我正在尝试使用 passport.js 和 express-session 按照示例 here 实现登录，但我无法持久登录。我注意到会话 cookie 不会在任何路由上发送，除非路由包含 passport.authenticate('local')，它添加了我猜的 cookie。这意味着/getUser 路由始终不返回任何用户，并且每次我登录时都会向 MongoDB 存储添加一个新会话。

我的路线如下：

router.get('/getUser', userController.getCurrentUser);
router.post('/register', userController.register, passport.authenticate('local'), authController.login);
router.post('/login', passport.authenticate('local'), authController.login);
router.post('/logout', authController.logout);

控制功能是：

exports.getCurrentUser = (req, res) => {
  if (req.user) {
    return res.send(req.user);
  } else {
    res.json({ error: 'No user found' });
  };
};

exports.register = async (req, res, next) => {
  const user = new User({ 
    email: req.body.email, 
    name: req.body.name,
  });
  const register = promisify(User.register, User);
  await register(user, req.body.password);
  next();
};

exports.login = (req, res) => {
  req.login(req.user, function(err) {
    if (err) { res.json({ error: err }); }
    return res.send(req.user);
  });
};

exports.logout = (req, res) => {
  if (req.user) {
    req.logout();
    res.send({ msg: 'logged out' });
  } else {
    res.send({ msg: 'no user to log out' })
  };
};

用户模型是：

const mongoose = require('mongoose')
const Schema = mongoose.Schema;
mongoose.Promise = global.Promise;
const validator = require('validator');
const passportLocalMongoose = require('passport-local-mongoose');

const userSchema = new Schema({
  email: {
    type: String,
    unique: true,
    lowercase: true,
    trim: true,
    validate: [validator.isEmail, 'Please enter a valid email'],
    required: 'Please enter an email address'
  },
  name: {
    type: String,
    required: 'Please enter a name',
    trim: true
  },
  resetPasswordToken: String,
  resetPasswordExpires: Date,
  isAdmin: {
    type: Boolean,
    default: false
  },
}, { timestamps: true });

userSchema.plugin(passportLocalMongoose, { usernameField: 'email' });

module.exports = mongoose.model('User', userSchema);

FE 中的 Axios 模块：

import axios from 'axios';

const api = axios.create({
  baseURL: 'http://localhost:8000/api',
});

export const getUser = () => api.get('/getUser');
export const register = payload => api.post('/register', payload);
export const login = payload => api.post('/login', payload);
export const logout = payload => api.post('/logout', payload);

const apis = {
  getUser,
  register,
  login,
  logout,
};

export default apis;

护照配置是：

const mongoose = require('mongoose');
const User = mongoose.model('User');
const passport = require('passport');
const LocalStrategy = require('passport-local').Strategy;

passport.serializeUser((user, done) => {
    done(null, { _id: user._id });
});

passport.deserializeUser((id, done) => {
    User.findOne({ _id: id },   'username', (err, user) => {
        done(null, user)
    });
});

const strategy = new LocalStrategy(
    {   usernameField: 'email'  },
    function(email, password, done) {
        User.findOne({ email: email }, (err, user) => {
            if (err) {
                return done(err);
            }
            return done(null, user);
        });
    }
);

passport.use(strategy);

module.exports = passport;

最后服务器配置是：

const express = require('express');
const session = require('express-session');
const mongoose = require('mongoose');
const MongoStore = require('connect-mongo')(session);
const cors = require('cors');
const bodyParser = require('body-parser');
const promisify = require('es6-promisify');
//  import all models
require('./models/User');

const passport = require('./handlers/passport');

const db = require('./database');
const router = require('./routes');

const app = express();

//  enable CORS for all origins to allow development with local server
app.use(cors({credentials: true}));

// use bodyParser to allow req.params and req.query
app.use(bodyParser.urlencoded({ extended: false }));
app.use(bodyParser.json());

app.use(session({
  secret: process.env.SECRET,
  key: process.env.KEY,
  resave: false,
  saveUninitialized: false,
  store: new MongoStore({ mongooseConnection: mongoose.connection })
}));

// passport.js to handle logins
app.use(passport.initialize());
app.use(passport.session());

// pass variables on all requests
app.use((req, res, next) => {
  res.locals.user = req.user || null;
  res.locals.session = req.session;
  next();
});

// promisify some callback based APIs
app.use((req, res, next) => {
  req.login = promisify(req.login, req);
  next();
});

app.use('/api', router);

app.get('/', (req, res) => {
    res.send('This is the Hely Cosmetics website backend/API');
})

app.set('port', process.env.PORT || 8000);
const server = app.listen(app.get('port'), () => {
  console.log(`Express running on port ${server.address().port}`);
});

我认为这可能是 cors，但我尝试app.use(cors({credentials: true})); 得到相同的结果，并验证了作为 Heroku 应用程序部署的前端和后端的相同问题。

完整的源代码可用here。

我错过了什么？

Answer 1

看一眼完整的源代码，您似乎没有在向后端发出的 Axios 请求中设置 withCredentials: true。护照在高层次上是这样工作的：

1. 您的 /login 和 /register 路由在响应中发回 cookie。这是由您的浏览器存储的，以供将来请求识别会话（根据您的评论，会话似乎工作正常）。

2. 当您想向后端发出经过身份验证的请求时，如果它是跨域的，Axios 必须在请求中显式发送回 cookie — 这就是 withCredentials 的用武之地。没有它，Axios 不会发送 cookie带有识别会话的请求。

通过设置withCredentials: true，Axios 应该在请求中发回 cookie，Passport 和 express-session 将使用它来识别用户。