This repository contains the fixed version of the "Silent Server" authentication system. The original system had multiple critical bugs that prevented the authentication flow from working. All issues have been identified and resolved.
File: middleware/logger.js
The logger middleware was missing the next() function call, causing requests to hang indefinitely. Without calling next(), Express.js couldn't pass control to the next middleware in the chain.
File: middleware/auth.js
The authentication middleware was missing the next() call after successful token verification, causing authenticated requests to hang.
File: server.js
The /auth/token endpoint was incorrectly reading the session from the authorization header instead of the session cookie that gets set during OTP verification.
File: server.js
The server was trying to read cookies without having the cookieParser() middleware installed, causing req.cookies to be undefined.
File: server.js
The original logging only showed the session ID but not the actual OTP value, making it difficult to test the flow manually.
- Send email and password in request body
- Server generates a random session ID and 6-digit OTP
- Server logs both session ID and OTP to console
- Server responds with session ID
- Send session ID and OTP (from server logs) in request body
- Server validates session and OTP
- Server sets
session_tokencookie - Server responds with success message
- Send request with session cookie (automatically included by browser)
- Server reads
session_tokenfrom cookies - Server generates JWT with user information
- Server responds with JWT access token
- Send request with Authorization header:
Bearer <JWT_TOKEN> - Auth middleware validates JWT
- Server responds with protected resource and success flag
-
Install dependencies:
npm install
-
Create
.envfile with required variables:APPLICATION_SECRET=any_random_string_for_testing
-
Start the server:
npm start
Server runs at:
http://localhost:3000(orhttp://localhost:3001if port 3000 is busy)
Endpoint: POST /auth/login
Request:
curl -X POST http://localhost:3000/auth/login \
-H "Content-Type: application/json" \
-d '{"email":"[email protected]","password":"password123"}'Expected Outcome:
- Server logs the OTP (e.g.,
[OTP] Session abc12345 generated with OTP: 123456). - Response contains
loginSessionId.
Endpoint: POST /auth/verify-otp
Request:
curl -c cookies.txt -X POST http://localhost:3000/auth/verify-otp \
-H "Content-Type: application/json" \
-d '{"loginSessionId":"<loginSessionId>","otp":"<otp_from_logs>"}'Expected Outcome:
cookies.txtis created containing a session cookie.- Response says "OTP verified".
Endpoint: POST /auth/token
Request:
curl -b cookies.txt -X POST http://localhost:3000/auth/tokenExpected Outcome:
- Response contains
{ "access_token": "..." }.
Endpoint: GET /protected
Request:
curl -H "Authorization: Bearer <jwt>" http://localhost:3000/protectedExpected Outcome:
- Response:
{ "message": "Access granted", "user": ..., "success_flag": "FLAG-..." }
Using the email [email protected], the complete authentication flow generates the success flag:
FLAG-eHNoYW5rYXJtaXNocmFAZ21haWwuY29tX0NPTVBMRVRFRF9BU1NJR05NRU5U
server.js- Fixed token endpoint and added cookie parser middlewaremiddleware/logger.js- Added missingnext()callmiddleware/auth.js- Added missingnext()call after successful verification.env.example- Added for referencepackage.json- Dependencies for the working system
- Node.js
- Express.js
- JSON Web Tokens (JWT)
- Cookie parsing
- In-memory session storage
APPLICATION_SECRET- Secret key for token generation (required)JWT_SECRET- Secret key for JWT signing (optional, defaults to "default-secret-key")PORT- Port number for the server (optional, defaults to 3000)
All authentication flow steps now work correctly and the system is ready for use!