Kinde, 4w ago
COACH

ExpressJS SDK working locally, but not hosted, need help with logging

I have run various versions of my kinde-node-express app locally, and authentication and role-based access work fine, allowing me to protect directory paths based on roles. I tried publishing to Vercel first, and then tried fly.io, and it is still not working as it did locally. I have checked (e.g., running "printenv" in the fly.io console) and all URLs are correct, so it is not that.

Currently running on fly.io, all my directory paths are protected from access. Accessing "/login" does send me correctly to kinde.com for login and I get the auth code, which I enter, but I am then redirected to my "unAuthorisedUrl" rather than being able to access the directory paths as I can locally.

I have tried multiple ways to figure out how to log what could be going wrong, but I just can't figure out where to add logging to determine what is different between local and hosted versions. For example, I can't see any logging output in my "kindeMiddleware" class. I can see this data when someone is authenticated. So it seems to be an authentication issue when hosted.

Here is my gist: https://gist.github.com/mashdot/b34cd688b4d95e13fd39191b001cd872
5 Replies
CB_Kinde, 4w ago

Hey @COACH here's some things you can check. Get back to us if you're still having issues.

Based on your description, this sounds like a state management issue that commonly occurs when deploying Kinde authentication to production. Here are some key points to check:

Configuration Setup

For Express.js, ensure your configuration includes all required fields:

```javascript
const { GrantType } = require("@kinde-oss/kinde-node-express");

const config = {
  clientId: "<YOUR_CLIENT_ID>",
  issuerBaseUrl: "https://<YOUR_SUBDOMAIN>.kinde.com",
  siteUrl: "http://localhost:3000",
  secret: "<YOUR_CLIENT_SECRET>",
  redirectUrl: "http://localhost:3000",
  scope: "openid profile email",
  grantType: GrantType.AUTHORIZATION_CODE,
  unAuthorisedUrl: "http://localhost:3000/unauthorised",
  postLogoutRedirectUrl: "http://localhost:3000"
};
```

Callback URLs

- Verify that your callback URLs in the Kinde dashboard match your production domain
- Set the Allowed callback URLs to your production URL
- Set the Allowed logout redirect URLs to your production URL

State Management

The issue could be related to state management during the authentication flow. To debug this, implement basic route logging:

```javascript
app.get("/", (req, res) => {
  if (req.session && req.session.kindeAccessToken) {
    res.send("You are authenticated!");
  } else {
    res.send("You are not");
  }
});
```

Protected Routes

Check your protected route implementation:

```javascript
app.get("/admin", protectRoute, (req, res) => {
  res.send("Welcome to the admin area");
});
```

Debugging Steps

1. Verify your environment variables are correctly set in your fly.io configuration
2. Check that your redirectUrl matches your production domain
3. Ensure your unAuthorisedUrl is correctly configured for production
4. Verify the session is being properly maintained across redirects

For additional debugging, you can check the user object in protected routes:

```javascript
app.get("/admin", protectRoute, getUser, (req, res) => {
  console.log(req.user);
  res.send(`Hello, ${req.user.given_name}`);
});
```
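One way to carry out debugging step 4 above, as an added example that is not part of the original reply and is not Kinde SDK code: an Express middleware that logs, per request, which cookies arrived, whether the session holds a token, and what redirect and cookies the server sent back, without writing token values, cookie values or auth codes to the log. The names `sessionTrace`, `describeRequest`, `describeResponse` and `stripQuery` are hypothetical, and the code assumes a session middleware populates `req.session` and `req.sessionID`.

```javascript
// Added example: session tracing for an Express app (not Kinde SDK code).
// Assumption: a session middleware populates req.session / req.sessionID and the
// token is stored at req.session.kindeAccessToken, as in the reply above.

// Drop the query string so auth codes and state values never reach the logs.
const stripQuery = (url) => String(url || "").split("?")[0];

// What the browser sent: cookie names only, a session id prefix, token presence.
function describeRequest(req) {
  const cookieHeader = (req.headers && req.headers.cookie) || "";
  return {
    method: req.method,
    path: stripQuery(req.originalUrl || req.url),
    cookieNames: cookieHeader.split(";").map((c) => c.split("=")[0].trim()).filter(Boolean),
    sessionId: req.sessionID ? String(req.sessionID).slice(0, 8) : null,
    hasAccessToken: Boolean(req.session && req.session.kindeAccessToken),
  };
}

// What the server answered: status, redirect target, names of cookies being set.
function describeResponse(res) {
  const setCookie = [].concat(res.getHeader("set-cookie") || []);
  return {
    status: res.statusCode,
    location: stripQuery(res.getHeader("location")) || null,
    setCookieNames: setCookie.map((c) => String(c).split("=")[0].trim()),
  };
}

// Middleware factory. Both summaries are taken when the response finishes, so the
// session fields reflect whatever the route handlers did to the session.
function sessionTrace(log = console.log) {
  return (req, res, next) => {
    res.on("finish", () => {
      log(JSON.stringify({ request: describeRequest(req), response: describeResponse(res) }));
    });
    next();
  };
}

// Usage: app.use(sessionTrace()); registered before the routes being traced.
```

Comparing the log lines for the login callback and the following request to a protected route shows whether the cookie set on the first comes back on the second and whether the session id prefix stays the same.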
COACH (OP), 4w ago

Thanks for your response, I have reduced the app to the bare minimum detailed below, but this is still not working remotely, and I can confirm all URLs are correct. When running locally everything works with local URLs, but remotely (with remote URLs) I am being redirected to my "unAuthorisedUrl". So I assume this is a fallback URL from Kinde. How can I add logging to understand where this is failing?

```javascript
const kindeClient = setupKinde(kindeConfig, app);

app.get("/", async (req, res) => {
  if (await kindeClient.isAuthenticated(req)) {
    res.redirect("/admin");
  } else {
    res.send("No <a href=\"/login\">login</a>");
  }
});

app.get("/admin", protectRoute, getUser, (req, res) => {
  res.send("Yes <a href=\"/logout\">logout</a>");
});
```
CB_Kinde, 4w ago
Hi again @COACH thanks for confirming everything. Our Express engineer is in the UK timezone. Will send him a link to this conversation to see if he can help. Just bear with us, staff are working varied hours between xmas and new year. Thanks for your patience.
COACH (OP), 4w ago
No problem, thanks!
disamdev, 3w ago
resend