Passport isAuthenticated() always returns TRUE

Question

Using passport local authentication, login works, I click getStatus button and it works, then logout works. But after logout, I click BACK in the browser, it can still display the full content of getStatus. The console log in isAuthenticated() still says "you are logged in". This is the simplified code:

var express    = require('express');
var passport   = require('passport');
var net        = require('net');
var bodyParser = require('body-parser');
var http       = require('http');
var multer     = require('multer');
var cp         = require('child_process');
var exec       = require('child_process').exec;
var sys        = require('sys');
var path       = require('path');
var util       = require('util');
var session    = require('express-session');

var crypto     = require('crypto');
var sqlite3    = require('sqlite3');

/////////////////////////////////////////////////
var LocalStrategy = require('passport-local').Strategy;
var db = new sqlite3.Database('./myPassword.db');

passport.use(new LocalStrategy(function(username, password, done)
{
    console.log("step 2: Client sent you user: " + username + " password: " + password);

    db.get('SELECT slat FROM users WHERE username = ?', username, function(err, row)                                  
    {
        if (!row) return done(null, false);
        console.log("step 4");

        db.get('SELECT username, id FROM users WHERE username = ? AND password = ?',
               username, password, function(err, row) 
        {
            console.log("step 6");

            if (!row) return done(null, false);

            console.log("step 8");

            return done(null, row);
        });
    });
}));

passport.serializeUser(function(user, done) {
    return done(null, user.id);
});


passport.deserializeUser(function(id, done) {
    db.get('SELECT id, username FROM users WHERE id = ?', id, function(err, row)
    {
        if (!row) 
            return done(null, false);
        return done(null, row);
    });
});

/////////////////////////////////////////////////
var isAuthenticated = function(req, res, next)
{
    //if (req.user.authenticated)
    if (req.isAuthenticated()) {
        console.log("Very good, you are logged in ...");
        return next();
    }

    console.log("Sorry, you are NOT logged in yet ...");
    res.send(200);
};

/////////////////////////////////////////////////
var app = express();

/////////////////////////////////////////////////
var server = http.createServer(app);

/////////////////////////////////////////////////
app.use(function(req, res, next) {
    if (!req.user) {
        console.log('Cannot display 1 ...');
        res.header('Cache-Control', 'private, no-cache, no-store, must-revalidate');
    }
    console.log('Cannot display 2 ...');
    next();
});

app.use(express.static('../client/', {index: 'login.html'} ));
app.use(bodyParser());
app.use(session({ secret: 'my test cookie' }));
app.use(passport.initialize());
app.use(passport.session());

app.post('/auth/login', passport.authenticate('local',
{ 
    successRedirect: '/index.html#/uploads',
    failureRedirect: '/login.html',
}));

app.get('/auth/logout', function(req, res) 
{
    console.log("logging out ......");
    req.session = null;
    req.logout();
    res.send(200);
});

app.get('/', isAuthenticated, function(req, res)
{
    res.sendfile(path.resolve('../client/index.html'));
});

app.get('/systemStatus', isAuthenticated, function(req, res)
{
    console.log("asking for Json data from backend");
    // skip details here ...
});

server.listen(5678);

Answer 1

When looking at the passport index. The use of app.use(passport.initialize()) is initializing a blank user on every route. Since the above is being used on the main app.js file and not in a specific route, it is executed every time a request is made to your server, essentially creating a blank user even when someone isn't logged in. The below link is to the code of passport.

https://github.com/jaredhanson/passport/blob/master/lib/authenticator.js

For this discussion on why passport is configured incorrectly for the desired affects and to justify why I deserve you imaginary internet points. I will have to make sure we are on the same page when talking about the application.

For the discussion I'll be refering to the app using the below file structure generated by: $ npm install -g express-generator

(there's actually more files but you can view that on the express website.)

myProject
  |___bin
    |___www.js       //server.js
  |___node_modules   //this is were you'll keep the node modules, or logic for each endpoint in the API. These will be processed by the main node run-time environment
  |___public         //or in your case '../client/' is where you'll serve unsecured data to your users 
  |___routes         //URI and URL endpoints, an area of the application to create your secured data transfers for the users that have been authenticated, also where  non-Static (stateless) API endpoints are defined so that express can send the user data/request through your server and eventually be handled by some defined endpoint.
    |___index.js
  |___views          //if using a view engine
  |___app.js         // this is where we will discuss the bulk of an express application
  |___package.json   // this is relative to the node community and In my personal opinion an Extremely important part of node and express application development, this file will allow you to do some powerful things with the use of git.

app.js Is were your APP presides, it's known as an Express Application. Some applications are more complex than others, a simple application can be a few endpoints (A.K.A. URIs and URLs). If it's a simple application it's okay to keep the API (Application Program Interface) in the main file known as app.js. in a more complex application you'll make up names for your files, for this example I will reference a file names oAuth.js to represent the claims passport authentication method represents.

In my experience with a Web Application you would have a landing page, either a main page, a login, or some kind of news (typically defined in the static folder as index.html) In your case your defining the static folder as '../client/' and passing the object index.html.

In the most recent version of Express 4.X Serving static files is done under the following prescribed manner.

Serving files, such as images, CSS, JavaScript and other static files is accomplished with the help of a built-in middleware in Express - express.static.

Pass the name of the directory, which is to be marked as the location of static assets, to the express.static middleware to start serving the files directly. For example, if you keep your images, CSS, and JavaScript files in a directory named public, you can do this:

Express generator will create the following app.js file which is configured a very important way. This first part has some very useful node modules that are un-opinionated as express, and eventually where you'll import some of your own node APIs

var express = require('express'),
path = require('path'), //core node module
logger = require('morgan'), //allows you to see the console.logs during development and see incoming and outgoing messages to the server. It also displays `console.log()` defined in any node_module, express route, and express app file.
cookieParser = require('cookie-parser'), //helps when trying to handle cookies
bodyParser = require('body-parser');   //helps when parsing certain types of data 

routes are like mini express applications, remember when we first discussed how some applications can become more complex than others? This is how you manage the complexity so your application can grow and flourish. Assuming you wish to add new features for your loving and wonderful users.

var route = require('.routes/index',// this is importing the the logic of the URI and URL enpoint to this file. It will be referenced as the second argument in the route and configuration references below.
    oAuth = require('.routes/oauth') // this is the file where you'll place all of the passport logic you have previously wrote. Any other authenticated routes need to be defined in this file.

// view engine setup
app.set('views', path.join(__dirname, 'views'));
app.set('view engine', 'jade'); //alot of people are also using EJS equally if not more

Now setup the basic middlewares provided by express-generator

app.use(logger('dev'));
app.use(bodyParser.urlencoded({ extended: true }));
app.use(bodyParser.json());
app.use(bodyParser.json({ type: 'application/vnd.api+json' }));
app.use(cookieParser());
app.use(express.static(path.join(__dirname, 'public')));  //this style  declaration ensures you hit what ever directory you want to by changing public as long as that directory exists. 

route URI and URL endpoints being defined by you to -->express. It takes the form of strings and a reference to it's route at the top of this file

app.use('/', routes); //unsecured landing page 

this express object usage will allow you to define APIs, authorized and unAuthorized routes. This is where you will declare your reference to the authenticated portion of the Express Application. Any portion of the application declared above app.use('/auth/',oAuth) will NOT be authenticated. Any portion declared below the /auth/ portion of your URIs and URLs. will be authenticated.

app.use('/auth/', oAuth);  

some extras that the express generator will place in the app file which are extremely useful.

// catch 404 and forward to error handler
app.use(function(req, res, next) {
  var err = new Error('Not Found');
  err.status = 404;
  next(err);
});

// development error handler
// will print stacktrace
if (app.get('env') === 'development') {
  app.use(function(err, req, res, next) {
    res.status(err.status || 500);
    res.render('error', {
      message: err.message,
      error: err
    });
  });
}

// production error handler
// no stacktraces leaked to user
app.use(function(err, req, res, next) {
  res.status(err.status || 500);
  res.render('error', {
    message: err.message,
    error: {}
  });
});

Because you are polluting your applications namespace with un-needed complexity it is inadvertently causing you undesired authentication affects. This goes deeper since it's relative to formatting and configuring your application program interface and how javascript files are executed in the Node run-time environment, as well as how the express application framework is meant to be used and configured when building complex applications that require authentication to access.

Now back to your question of why you keep getting an authenticated user although no one is logged in? It's because your use of app.use('some string or some middleware'). To fix the issue remove all of your authentication processing and move it to a route. In the above example it's referenced as oAuth.js. Define any routes that need authentication behind the passport middleware.

Now because your question is also regarding node and you mentioned in the comments that you are part of a scrum it's important to state that all of this information is contained on the express website which is where i initially linked my answer. Despite me telling you that you need a route and that passport was configured incorrectly. So any inflammatory comments "read the manual" are made because I feel that you didn't even investigate the link I sent in my initial answer, nor did you read any other part of the express frame work and their website. If you plan to understand any node_modules and complex frame works its equally important to read about them and do their tutorials, actually go through the node_modules when there is a getting started and/or they have API references. By blasting into application development without trying any portion of the framework basics will just make you spend more time coding bad breakable code. It will slow your development significantly if you aren't understanding how the node_modules function. The best way to understand their functionality is by reading them. That's all for my rant/advice for learning how to develop a web application. Ultimately you'll be able to reuse a lot of your tutorial code in a application.