Why the req.user is undefined at the production level. Can anyone resolve this issue. I have deploy the frontend on vercel and backend on onrender. #177931

OmkarArdekar12 · 2025-10-24T21:25:06Z

OmkarArdekar12
Oct 24, 2025

Select Topic Area

Question

Feature Area

Issues

Body

Why the req.user is undefined at the production level. Can anyone resolve this issue. I have deploy the frontend on vercel and backend on onrender. I am using the 2FA login system. For login the passportjs local strategy and for verification jwt token based authentication.
At the development level everything works fine. But when the backend is deploy on onrender, req.user is not staying persistent.

This is my Code:

index.js file:

import express from "express";
import session from "express-session";
import MongoStore from "connect-mongo";
import cookieParser from "cookie-parser";
import mongoose from "mongoose";
import path from "path";
import methodOverride from "method-override";
import LocalStrategy from "passport-local";
import { ExpressError } from "./utils/ExpressError.js";
import axios from "axios";
import passport from "passport";
import multer from "multer";
import dotenv from "dotenv";
import cors from "cors";
import http from "http";
import { Server } from "socket.io";
import dbConnect from "./config/dbConnect.js";
import "./config/passportConfig.js";
import authRoutes from "./routes/authRoutes.js";
import profileRoutes from "./routes/profileRoutes.js";
import competitiveProgrammingStatsRoutes from "./routes/competitiveProgrammingStatsRoutes.js";
import developmentProfilesStatsRoutes from "./routes/developmentProfilesStatsRoutes.js";
import connectionRoutes from "./routes/connectionRoutes.js";
import notificationRoutes from "./routes/notificationRoutes.js";
import postRoutes from "./routes/postRoutes.js";
import messageRoutes from "./routes/messageRoutes.js";
import rankingRoutes from "./routes/rankingRoutes.js";
import {
  pageNotFoundMiddleware,
  errorHandlerMiddleware,
} from "./middlewares/errorHandlers.js";

dotenv.config();

//Express App
const app = express();
const PORT = process.env.PORT || 8080;
const FRONTEND_URL = process.env.FRONTEND_URL;
const MONGODB_URL = process.env.MONGODB_URL;
const SESSION_SECRET = process.env.SESSION_SECRET || "codelevate-secret";
const isProduction = process.env.NODE_ENV === "production";

app.set("trust proxy", true);

//HTTP Server for Socket.IO
const server = http.createServer(app);

//Database Connection
dbConnect();

const corsOptions = {
  origin: [FRONTEND_URL, "http://localhost:3000"],
  credentials: true,
  methods: ["GET", "POST", "PUT", "PATCH", "DELETE"],
  allowedHeaders: [
    "Content-Type",
    "Authorization",
    "Cookie",
    "X-Requested-With",
    "Accept",
  ],
  exposedHeaders: ["set-cookie"],
};
app.use(cors(corsOptions));

//Middlewares
app.use(express.json({ limit: "100mb" }));
app.use(express.urlencoded({ limit: "100mb", extended: true }));
app.use(methodOverride("_method"));

const store = MongoStore.create({
  mongoUrl: MONGODB_URL,
  crypto: {
    secret: SESSION_SECRET,
  },
  touchAfter: 3600 * 24,
  ttl: 7 * 24 * 60 * 60,
});
store.on("error", () => {
  console.log("Error in Mongo Session Store", err);
});

const sessionOptions = {
  store,
  secret: SESSION_SECRET,
  resave: false,
  saveUninitialized: false,
  cookie: {
    httpOnly: true,
    secure: isProduction ? true : false,
    sameSite: isProduction ? "none" : "lax",
    maxAge: 7 * 24 * 60 * 60 * 1000,
  },
};
app.use(session(sessionOptions));
app.use(cookieParser());
app.use(passport.initialize());
app.use(passport.session());

app.use((req, res, next) => {
  console.log("DEBUG START");
  console.log("Request user: ", req.user);
  console.log("Session user:", req.session);
  console.log("DEBUG END");
});

//Socket.IO
const io = new Server(server, { cors: corsOptions });

let activeUsers = new Map();

io.on("connection", (socket) => {
  //console.log("user connected: ", socket.id);

  socket.on("joinRoom", (roomId) => {
    socket.join(roomId);
    //console.log(`User ${socket.id} joined room ${roomId}`);
  });

  socket.on("leaveRoom", (roomId) => {
    socket.leave(roomId);
    //console.log(`User ${socket.id} left room ${roomId}`);
  });

  socket.on("addUser", (userId) => {
    activeUsers.set(userId, socket.id);
    io.emit("getActiveUsers", Array.from(activeUsers.keys()));
  });

  socket.on("requestActiveUsers", () => {
    socket.emit("getActiveUsers", Array.from(activeUsers.keys()));
  });

  socket.on("disconnect", () => {
    for (const [userId, socketId] of activeUsers.entries()) {
      if (socketId == socket.id) {
        activeUsers.delete(userId);
      }
    }
    //console.log("user disconnected: ", socket.id);
    io.emit("getActiveUsers", Array.from(activeUsers.keys()));
  });
});

app.use((req, res, next) => {
  req.io = io;
  next();
});

//Routes
app.use("/api/auth", authRoutes);
app.use("/api/profiles", profileRoutes);
app.use(
  "/api/stats/competitive-programming",
  competitiveProgrammingStatsRoutes
);
app.use("/api/stats/development-profiles", developmentProfilesStatsRoutes);
app.use("/api/users", connectionRoutes);
app.use("/api/notifications", notificationRoutes);
app.use("/api/posts", postRoutes);
app.use("/api/messages", messageRoutes);
app.use("/api/rankings", rankingRoutes);

//Index Route
app.get("/", (req, res) => {
  return res.send("Welcome to CodeElevate");
});

//Error handlers
app.use((req, res, next) => {
  pageNotFoundMiddleware(req, res, next);
});
app.use(errorHandlerMiddleware);

//Listen App
server.listen(PORT, () => {
  console.log(`Server is listening to port ${PORT}`);
});

passportConfig file:

import passport from "passport";
import { Strategy as LocalStrategy } from "passport-local";
import bcrypt from "bcryptjs";
import User from "../models/user.js";

passport.use(
  new LocalStrategy(async (username, password, done) => {
    try {
      const user = await User.findOne({ username });
      if (!user) {
        return done(null, false, { message: "User not found!" });
      }

      const isMatch = await bcrypt.compare(password, user.password);
      if (isMatch) {
        return done(null, user);
      } else {
        return done(null, false, { message: "Incorrect password!" });
      }
    } catch (err) {
      return done(err);
    }
  })
);

passport.serializeUser((user, done) => {
  //console.log("We are inside serializeUser");
  done(null, user._id); //only userID saved in session
});

passport.deserializeUser(async (_id, done) => {
  try {
    //console.log("We are inside deserializeUser");
    const user = await User.findById(_id);
    done(null, user); //full user object is attached to req.user
  } catch (error) {
    done(error);
  }
});

authRoutes.js file:

import { Router } from "express";
import passport from "passport";
import {
  register,
  login,
  logout,
  authStatus,
  setup2FA,
  verify2FA,
  reset2FA,
} from "../controllers/authController.js";
import auth from "../middlewares/auth.js";

const router = Router();

//Registration Route
router.post("/register", register);

//Login Route
router.post("/login", passport.authenticate("local"), login);

//Authentication Route
router.get("/status", authStatus);

//Logout Route
router.post("/logout", logout);

//2FA Setup Route
router.post("/2fa/setup", auth, setup2FA);

//2FA Verify Route
router.post("/2fa/verify", auth, verify2FA);

//2FA Reset Route
router.post("/2fa/reset", auth, reset2FA);

export default router;

Guidelines

I have read the above statement and can confirm my post is relevant to the GitHub feature areas Issues and/or Projects.

Pieter-Cawood · 2025-10-26T00:33:41Z

Pieter-Cawood
Oct 26, 2025

@OmkarArdekar12 , In production your session cookie isn’t surviving the round-trip, so Passport can’t rehydrate the session and req.user ends up undefined. This is usually a mix of cookie flags, proxy trust, and frontend credentials.
Backend (Express on Render)

You can fix like so:

Backend, you can tell Express you’re behind one proxy and tell express-session to honor it:

// BEFORE sessions
app.set("trust proxy", 1); // was `true`; use 1

const sessionOptions = {
  store,
  secret: SESSION_SECRET,
  resave: false,
  saveUninitialized: false,
  proxy: true,                      // ADD THIS proxty true  !!!!
  cookie: { 
    httpOnly: true,
    secure: process.env.NODE_ENV === "production", // true in prod
    sameSite: process.env.NODE_ENV === "production" ? "none" : "lax",
    maxAge: 7 * 24 * 60 * 60 * 1000,
  },
};
app.use(session(sessionOptions));

Frontend, send cookies on cross-site requests:

Axios (global):

axios.defaults.withCredentials = true;

or per-request:

axios.post(API_URL + "/api/auth/login", data, { withCredentials: true });
axios.get(API_URL + "/api/auth/status", { withCredentials: true });

1 reply

OmkarArdekar12 Oct 26, 2025
Author

I have already tried it, and still req.user is not persistent after login route

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

GitHub Community

Why the req.user is undefined at the production level. Can anyone resolve this issue. I have deploy the frontend on vercel and backend on onrender. #177931

Uh oh!

{{title}}

Uh oh!

Uh oh!

{{editor}}'s edit

{{editor}}'s edit

Uh oh!

Replies: 1 comment 1 reply

Uh oh!

{{title}}

Uh oh!

Uh oh!

{{editor}}'s edit

{{editor}}'s edit

Uh oh!

Uh oh!

{{title}}

Uh oh!

Select a reply

Uh oh!

GitHub Community

Why the req.user is undefined at the production level. Can anyone resolve this issue. I have deploy the frontend on vercel and backend on onrender. #177931

Uh oh!

Uh oh!

OmkarArdekar12 Oct 24, 2025

Select Topic Area

Feature Area

Body

Guidelines

Replies: 1 comment · 1 reply

Uh oh!

Uh oh!

Pieter-Cawood Oct 26, 2025

Uh oh!

OmkarArdekar12 Oct 26, 2025 Author

OmkarArdekar12
Oct 24, 2025

Replies: 1 comment 1 reply

Pieter-Cawood
Oct 26, 2025

OmkarArdekar12 Oct 26, 2025
Author