Comments (10)

dagda1 commented on May 13, 2024

Is there something wrong with the way I have worded the question?

from koa-passport.

rkusa commented on May 13, 2024

Hi @dagda1, your question is fine, I just was on vacation. What version of koa-passport are you using?

dagda1 commented on May 13, 2024

Thank you for responding.

I am using koa-passport@^3.0.0-rc.1

rkusa commented on May 13, 2024

Does adding a return ctx.login(user) at the end of passport.authenticate help?

dagda1 commented on May 13, 2024

Yes, that ensures serializeUser is called. What I am looking to do is have ctx.user set on the server for the session so that I don't have to pass the id back to the client.

How can I ensure that it is set?

rkusa commented on May 13, 2024

Looking at your example (considering you have added the ctx.login) it should actually already work. The user should be at ctx.state.user. Is this the case?

dagda1 commented on May 13, 2024

Yes, it works. Brilliant, thanks!

dagda1 commented on May 13, 2024

I really apologise about reopening but deserializeUser is not called. I am confused as to when this should be called.

What I want to get away from is having the id in the jwt that is returned to the client.

When should I set ctx.state.user, and how can I then ensure it is in the session on each request that has a valid jwt without storing the id in the jwt on the client?

rkusa commented on May 13, 2024

I cannot spot an error in your implementation, yet. ctx.state.user should be set automatically once a user is logged in. Passport should set a cookie containing the information you returned in serializeUser. If such a cookie is found, the deserializeUser is called with this information, which is the user id in your case. That is, you do not need to have the user id in the jwt, because it is saved in the cookie (in an encrypted way).

I've updated koa-passport-example to make use of async/await and in this example, deserializeUser is called properly and I don't really see a difference to your implementation.

Something else: a goal of using JWTs is to not have to use sessions (sessions in terms of restoring the user on each request). So you are maybe mixing up two different approaches. If you are doing this on purpose, this is of course fine. If you are just going to use JWT for authentication, I would actually ditch the koa-passport dependency. Because all you need is a route that checks username and password and creates a JWT accordingly. If you need to restore a user from a cookie, you can also save the JWT to a cookie (but make sure to save it using HttpOnly and Secure flags; and very important, take means to protect the token against CSRF!).

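The JWT-in-a-cookie setup suggested in the comment above, as an added example that is not part of the thread and not koa-passport code. It uses only Node's built-in crypto module; the function names, the cookie name `token`, `SameSite=Strict` and the per-session CSRF value carried in a request header are assumptions, chosen here as one common way to meet the HttpOnly, Secure and CSRF points.

```javascript
const crypto = require('crypto');

// Demo key generated per process (assumption); a real service loads a stable secret.
const SECRET = crypto.randomBytes(32);
const b64 = (v) => Buffer.from(v).toString('base64url');
const sign = (data) => crypto.createHmac('sha256', SECRET).update(data).digest('base64url');

// Hypothetical helper: called by the login route after username and password were checked.
function issueSession(userId, ttlSeconds = 900) {
  const csrf = crypto.randomBytes(16).toString('hex');
  const now = Math.floor(Date.now() / 1000);
  const body = b64(JSON.stringify({ alg: 'HS256', typ: 'JWT' })) + '.' +
    b64(JSON.stringify({ sub: userId, csrf, iat: now, exp: now + ttlSeconds }));
  const jwt = `${body}.${sign(body)}`;
  // HttpOnly: page scripts cannot read the token. Secure: only sent over HTTPS.
  const setCookie =
    `token=${jwt}; Path=/; Max-Age=${ttlSeconds}; HttpOnly; Secure; SameSite=Strict`;
  // csrf is returned in the response body; the client echoes it in a request header.
  return { setCookie, csrf, jwt };
}

// Constant-time string comparison.
function safeEqual(a, b) {
  const x = Buffer.from(String(a));
  const y = Buffer.from(String(b));
  return x.length === y.length && crypto.timingSafeEqual(x, y);
}

// Returns the user id for a valid request, otherwise null.
function authenticate(method, cookieHeader, csrfHeader) {
  const m = /(?:^|;\s*)token=([^;]+)/.exec(cookieHeader || '');
  if (!m) return null;
  const parts = m[1].split('.');
  if (parts.length !== 3) return null;
  const [h, p, sig] = parts;
  if (!safeEqual(sig, sign(`${h}.${p}`))) return null; // verify before parsing
  let claims;
  try {
    claims = JSON.parse(Buffer.from(p, 'base64url').toString('utf8'));
  } catch {
    return null;
  }
  if (typeof claims.exp !== 'number' || claims.exp <= Date.now() / 1000) return null;
  // A cross-site form post carries the cookie automatically but cannot supply the header.
  const readOnly = ['GET', 'HEAD', 'OPTIONS'].includes(method);
  if (!readOnly) {
    if (typeof claims.csrf !== 'string' || !safeEqual(csrfHeader || '', claims.csrf)) return null;
  }
  return claims.sub;
}
```

In a Koa route, `setCookie` corresponds to the options passed to `ctx.cookies.set`, and `authenticate` would run in a middleware that assigns its result to `ctx.state.user`.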

dagda1 commented on May 13, 2024

Thank you for the advice. I removed koa-passport.
