Sails.js Node server req.session is always empty, using Passport-local strategy.

Question

Have ember app running on http://localhost:4200.
Sails App is running on http://localhost:1337.

I have a policy set on a pre-signup survey. So on the sails side in/api/controllers/ProcessSurveyController.js I have this:

module.exports = {

    process_survey: function(req, res){
        if(req.body === {} || req.body === null){
            res.status(400);
            return res.send({err: "something bad happened"});
        }
        var params = req.body;
        req.session.user = {};
        if(params.p_1 === '1' && params.p_2 === '1' && params.p_3 === '0' && params.p_4 !== "Bad Param"){
            req.session.user.qualifies = true;
            res.status(200);
            return res.send({message: 'user qualifies', status: 'good'});   
        }else{
            req.session.user.qualifies= false;
            res.status(200);
            return res.send({message: "user fails to qualify", status: "bad"});
        }
    }
};

I then have this policy in api/policies/Qualifies.js

module.exports= function(req, res, next){
    if(req.session.user.qualifies){
        return next();
    }else{
        res.status(400);
        return res.send({status: 400, message: 'User does not qualify.'});
    }
};

Which I apply to my api/UserController.js

Only thing is that whenever I post from Ember to my UserController.create method I get an error from that policy saying cannot read property qualifies of undefined.

And if I sails.log.verbose(req.session) it's always empty at this point. No matter what I do.

I've enabled cors on my server, and my /config/cors.js has these options:

module.exports.cors = {
   allRoutes: true,

   origin: 'http://localhost:4200',

   credentials: true,

   methods: 'GET, POST, PUT, DELETE, OPTIONS, HEAD',

   headers: 'X-Requested-With, X-HTTP-Method-Override, Content-Type, Accept'
};

In my ember adapter I have this:

export default DS.RESTAdapter.extend({
    host: 'http://localhost:1337',
    ajax: function(url, method, hash){
        hash.crossDomain = true;
        hash.xhrFields = {withCredentials: true};
        return this._super(url, method, hash);
    }
});

Clearly I'm missing something important but I just don't know what, and I've run out of ideas for google queries. Why is my req.session always empty?

EDIT: These were asked for in comments:

Contents of /config/http.js:

module.exports.http = {
    middleware: {
        passportInit: require('passport').initialize(),
        passportSession: require('passport').session(),

        order: [
            'startRequestTimer',
            'cookieParser',
            'session',
            'passportInit',
            'passportSession',
            'myRequestLogger',
            'bodyParser',
            'handleBodyParserError',
            'compress',
            'methodOverride',
            'poweredBy',
            '$custom',
            'router',
            'www',
            'favicon',
            '404',
            '500'
        ]
}

And /config/session.js

module.exports.session = {
  secret: 'AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA',

  cookie: {
    maxAge: 48 * 60 * 60 * 1000
  }
}

Answer 1

I doubt this is still an issue since it's so old, but there are times in my ExpressJS apps where I use express-session (https://github.com/expressjs/session) and have to explicitly call req.session.save(callback) in order for the session to save back to the store I'm using. If there is an equivalent in passport's session support you might try to call it explicitly after updating values in the session.