Hey all
My question is extremely similar to Oidc middleware issues: ensureAuthenticated() doesn't work and userinfo isn't set
I am using NestJS and trying to add auth to my app. I am using the @okta/oidc-middleware package and configuring the middleware based on the guide and readme for adding it into an Express app.
NestJS uses Express underneath. I have been struggling for the longest time to get a protected route and a login working.
My main.ts (imports added for completeness; the rest is as I have it):

import { NestFactory } from '@nestjs/core';
import { ExpressOIDC } from '@okta/oidc-middleware';
import * as session from 'express-session';
import * as helmet from 'helmet';
import * as cookieParser from 'cookie-parser';
import { AppModule } from './app.module';

export const oidc = new ExpressOIDC({
  issuer: 'my credentials',
  client_id: 'my credentials',
  client_secret: 'my credentials-zp1TcWQL4',
  redirect_uri: 'http://localhost:3001/my-credentials',
  scope: 'openid profile',
  appBaseUrl: 'my url'
});

async function bootstrap(oidc) {
  const app = await NestFactory.create(AppModule);

  // session support is required to use ExpressOIDC
  app.use(session({
    secret: 'this should be secure',
    resave: true,
    saveUninitialized: false
  }));

  // ExpressOIDC attaches handlers for the /login and /authorization-code/callback routes
  app.use(oidc.router);
  app.use(helmet());
  app.use(cookieParser());
  app.enableCors();

  oidc.on('ready', async () => {
    await app.listen(3001, () => console.log(`Started!`));
  });

  oidc.on('error', err => {
    console.log('Unable to configure ExpressOIDC', err);
  });
}

bootstrap(oidc);
My middleware function (Express types imported for completeness):

import { Request, Response } from 'express';
import { oidc } from 'src/main';

export function ensureAuth(req: Request, res: Response, next: Function) {
  oidc.ensureAuthenticated()
  next();
}
And then it is applied in my app.module.ts, as per how to use middleware in NestJS.
Two issues:

- When I try the /login route I get:

  ForbiddenError: invalid csrf token
  {
    "statusCode": 500,
    "message": "Internal server error"
  }

- The route I wanted protected works as normal and is not protected.
Does anyone have suggestions on what I could be doing wrong or any bad assumptions I am making?
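Added example (not from the post above, nor from Okta's package): the posted ensureAuth calls oidc.ensureAuthenticated() but discards what it returns. In @okta/oidc-middleware, ensureAuthenticated() returns an Express middleware, so the returned function has to be invoked with the current req/res/next. The oidc object below is a stub that mirrors only that documented shape so the comparison runs offline; the request/response types and the userContext check are assumptions for the stub.

```typescript
// Minimal stand-ins for Express/Nest types so this runs without dependencies.
type Next = (err?: unknown) => void;
interface Req { userContext?: { userinfo: { sub: string } } }
interface Res { redirectedTo?: string; redirect(url: string): void }
type Middleware = (req: Req, res: Res, next: Next) => void;

// Stub for the ExpressOIDC instance (assumption): ensureAuthenticated() returns
// a middleware that lets authenticated sessions through and redirects the rest.
const oidc = {
  ensureAuthenticated(): Middleware {
    return (req, res, next) => {
      if (req.userContext) return next();   // session already carries the Okta user
      res.redirect('/login');               // otherwise bounce to the login route
    };
  },
};

// Shape of the posted middleware: the returned middleware is built and thrown
// away, then next() runs unconditionally, so every request reaches the handler.
function ensureAuthBroken(req: Req, res: Res, next: Next): void {
  oidc.ensureAuthenticated();
  next();
}

// Corrected form: hand req/res/next to the middleware ensureAuthenticated()
// returns, so it decides whether to call next() or redirect. In NestJS this
// function is what you pass to consumer.apply(...) in app.module.ts.
function ensureAuthFixed(req: Req, res: Res, next: Next): void {
  oidc.ensureAuthenticated()(req, res, next);
}

// Runs a middleware against a request and reports whether the route handler
// would have been reached and where (if anywhere) the client was redirected.
function handlerReached(mw: Middleware, req: Req): { reached: boolean; redirect?: string } {
  const res: Res = { redirect(url) { res.redirectedTo = url; } };
  let reached = false;
  mw(req, res, () => { reached = true; });
  return { reached, redirect: res.redirectedTo };
}
```

With an anonymous request, ensureAuthBroken lets the handler run while ensureAuthFixed redirects to /login; with a session that already has userContext both let it through.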