I have a node/express app with an ember front end. I'm new to all of it, so please excuse the (hopefully) simple question.
I have ember talking to node (with CORS properly set up). I am able to log a user in and create a session on the server, and return the session ID to ember. I then store the session ID in a cookie using the same cookie name that the server would set. I'm aware that ember and node are using different ports, so the cookies cannot be read by the other party. I'm using ember-simple-auth for the authorization middleware. That part is all working as it should currently.
My problem is on subsequent api calls, the server isn't able to get the session ID to identify the user. I need to know how I can pass the session ID back to the server via ajax api calls. I've tried a few things with trying to pass it in the header, but I'm doing something wrong as it's not registering. What's the proper way to send the session via the header?

    //app/authorizers/custom.js
    import Ember from 'ember';
    import Base from 'ember-simple-auth/authorizers/base';
    export default Base.extend({
        authorize(sessionData, block) {
            if (!Ember.isEmpty(sessionData.access_token)) {
                block('X-Authorization', 'Token: ' + this.get('sessionData.access_token'));
            }
        }
    });

    //app/controllers/application.js
    this.get('session').authorize('authorizer:custom', (headerName, headerValue) => {
        $.ajax({
            dataType: "json",
            method: 'GET',
            url: ENV.APP.apiHost,
            data: {p: 'logout'},
            beforeSend: function(xhr){
                xhr.setRequestHeader(`${headerName}`, headerValue);
            },
            success: function( response ){
                if( response.success ){
                    this.get('session').invalidate();
                    this.transitionToLoginRoute();
                } else {
                    console.log('something went wrong with server log out. json returned: ', response );
                }
            }
        });
    });

For others having a hard time with the same issue, here is what I did to solve it:
1.) on the client side (Ember) ajax call, add

    beforeSend: function(xhr){
        xhr.setRequestHeader(`${headerName}`, headerValue);
    },

where headerName is 'Authorization' and headerValue is the session ID
2.) On the server side (Node), in your main above all other app.get/post/etc., add

    // CORS && client session id magic for API calls
    app.all('/api/*', function( req, res, next ){
        // Array.prototype.indexOf replaces $.inArray (jQuery is not available in Node)
        var corsIndex = config.CORS_WHITELIST.indexOf( req.headers.origin );
        if( corsIndex > -1 ){
            // echo back only an origin that is on the whitelist
            res.header( 'Access-Control-Allow-Origin', config.CORS_WHITELIST[ corsIndex ]);
            res.header( 'Access-Control-Allow-Headers', 'Authorization');
        }
        // check for session id in authorize header. if true, set headers.cookie with signed session id
        var sid = req.headers.authorization;
        if(sid){
            var cookie = require('cookie'),
                signature = require('cookie-signature');
            // 's:' + signed value is the form in which the session cookie is stored
            var signed = 's:' + signature.sign(sid, config.SESS_SECRET);
            var data = cookie.serialize(config.SESS_COOKIE_NAME, signed);
            // overwrite the incoming Cookie header so the session middleware picks it up
            req.headers.cookie = data;
        }
        next();
    });

You'll need to update '/api/*' if you're using a different path for your api. You'll also want to swap out the config.CORS_WHITELIST for an array of whitelisted clients, and the config.SESS_SECRET for your session secret.
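
A hardened variant of the header-to-cookie bridge above, as an added example that is not part of the original answer: it builds the signed cookie only from a session-ID-shaped Authorization value, echoes only whitelisted origins, and sets Vary: Origin. The config values, SID_PATTERN, signSid, bridgeSession and runBridge are assumptions made for illustration; signSid reproduces the cookie-signature output format with Node's crypto so the block runs without dependencies.

```javascript
const crypto = require('crypto');

// Constructed sample configuration (placeholders, not values from the post).
const config = {
  CORS_WHITELIST: ['http://localhost:4200'],
  SESS_SECRET: 'constructed-demo-secret',
  SESS_COOKIE_NAME: 'connect.sid'
};

// Assumption: session IDs are URL-safe base64 strings of bounded length.
const SID_PATTERN = /^[A-Za-z0-9_-]{16,128}$/;

// Same format as cookie-signature's sign(): value + '.' + unpadded base64 HMAC-SHA256.
function signSid(sid, secret) {
  const mac = crypto.createHmac('sha256', secret).update(sid).digest('base64');
  return sid + '.' + mac.replace(/=+$/, '');
}

// Express-style middleware: mount with app.all('/api/*', bridgeSession).
function bridgeSession(req, res, next) {
  const origin = req.headers.origin;
  res.header('Vary', 'Origin'); // caches must not reuse a response across origins
  if (config.CORS_WHITELIST.indexOf(origin) > -1) {
    res.header('Access-Control-Allow-Origin', origin);
    res.header('Access-Control-Allow-Headers', 'Authorization');
  }
  const sid = req.headers.authorization;
  // Anything containing ';', '=', spaces, etc. is ignored, so the header
  // value cannot smuggle extra cookie pairs or attributes into req.headers.cookie.
  if (typeof sid === 'string' && SID_PATTERN.test(sid)) {
    const signed = 's:' + signSid(sid, config.SESS_SECRET);
    req.headers.cookie = config.SESS_COOKIE_NAME + '=' + encodeURIComponent(signed);
  }
  next();
}

// Minimal stand-ins for Express req/res so the middleware can be exercised offline.
function runBridge(headers) {
  const req = { headers: Object.assign({}, headers) };
  const sent = {};
  const res = { header: (name, value) => { sent[name] = value; } };
  let nextCalled = false;
  bridgeSession(req, res, () => { nextCalled = true; });
  return { cookie: req.headers.cookie, sent, nextCalled };
}
```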