Validate User IP and User Session in ExpressJS
Here's an example of an Express middleware that retrieves the IP address and user agent stored in a Mongoose collection called "Session" and compares them with the incoming request's IP address and user agent:
```javascript
const mongoose = require('mongoose');
// Assumes the "Session" model was registered earlier with a schema that has
// "ipAddress" and "userAgent" fields, and that express-session (or similar)
// populates req.sessionID.
const Session = mongoose.model('Session');

const verifySession = async (req, res, next) => {
  try {
    const session = await Session.findOne({ _id: req.sessionID });
    if (!session) {
      return res.status(401).send('Session not found');
    }
    // Caveat: X-Forwarded-For is supplied by the client unless a trusted
    // reverse proxy overwrites it, so it is only reliable behind such a proxy.
    const ipAddress = req.headers['x-forwarded-for'] || req.socket.remoteAddress;
    const userAgent = req.headers['user-agent'];
    if (session.ipAddress !== ipAddress || session.userAgent !== userAgent) {
      return res.status(401).send('Unauthorized access');
    }
    next();
  } catch (err) {
    console.error(err);
    res.status(500).send('Server Error');
  }
};

module.exports = verifySession;
```
Explanation:
- First, we import the Mongoose model for "Session".
- Then we define a middleware function called "verifySession" that takes in the "req", "res", and "next" parameters.
- Inside the "verifySession" function, we use the "findOne" method of the "Session" model to find the session corresponding to the "req.sessionID" value.
- If the session is not found, we return a 401 Unauthorized status code with the message "Session not found".
- We then retrieve the IP address from the "x-forwarded-for" header (falling back to the socket's remote address when the header is absent) and the user agent from the "user-agent" header.
- Next, we compare the retrieved IP address and user agent with the corresponding values in the session document.
- If they don't match, we return a 401 Unauthorized status code with the message "Unauthorized access".
- If everything checks out, we call the "next" function to pass control to the next middleware in the chain.
- If there's an error while retrieving the session, we catch it and return a 500 Internal Server Error status code with the message "Server Error".
- Finally, we export the middleware function for use in our application.
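As an added example (not part of the original page), the same session-binding check factored so the decision is a pure function that can be exercised without a database. An in-memory lookup stands in for the Mongoose "Session" model, and `trustProxy` is an assumed option: the "x-forwarded-for" header is honoured only when the app sits behind a trusted reverse proxy, otherwise the TCP peer address is used.

```javascript
// Added example: session binding with proxy-aware client IP extraction.
// `trustProxy` is an assumed option, true only behind a trusted reverse proxy.
function clientIp(req, trustProxy) {
  const xff = req.headers['x-forwarded-for'];
  if (trustProxy && typeof xff === 'string' && xff.trim() !== '') {
    // Comma-separated chain; the left-most entry is what the first proxy saw.
    return xff.split(',')[0].trim();
  }
  // Without a trusted proxy the header is client-controlled, so only the
  // socket's peer address is meaningful.
  return req.socket.remoteAddress;
}

// Pure decision: compares the request with the stored session binding.
function decide(session, req, trustProxy) {
  if (!session) return { status: 401, message: 'Session not found' };
  const ip = clientIp(req, trustProxy);
  const ua = req.headers['user-agent'] || '';
  if (session.ipAddress !== ip || session.userAgent !== ua) {
    return { status: 401, message: 'Unauthorized access' };
  }
  return { status: 200, message: 'ok' };
}

// Express middleware; `store.findOne` may be a Mongoose model or any async lookup.
function makeVerifySession(store, { trustProxy = false } = {}) {
  return async (req, res, next) => {
    try {
      const session = await store.findOne({ _id: req.sessionID });
      const result = decide(session, req, trustProxy);
      if (result.status !== 200) return res.status(result.status).send(result.message);
      return next();
    } catch (err) {
      console.error(err);
      return res.status(500).send('Server Error');
    }
  };
}

// Constructed sample data for a stand-alone run.
const stored = { ipAddress: '203.0.113.7', userAgent: 'UA/1.0' };
function makeReq(remote, headers) {
  return { sessionID: 's1', socket: { remoteAddress: remote }, headers };
}
const legit = makeReq('203.0.113.7', { 'user-agent': 'UA/1.0' });
const spoofed = makeReq('198.51.100.9', { 'user-agent': 'UA/1.0', 'x-forwarded-for': '203.0.113.7' });
const viaProxy = makeReq('10.0.0.1', { 'user-agent': 'UA/1.0', 'x-forwarded-for': '203.0.113.7, 10.0.0.1' });
const store = { findOne: async ({ _id }) => (_id === 's1' ? stored : null) };
```

The `spoofed` request shows why the header must not be honoured without a trusted proxy: with `trustProxy` off it is rejected, with it on it would pass.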