Welcome to WuJiGu Developer Q&A Community for programmer and developer-Open, Learning and Share

0 votes
5.7k views
in Technique by (71.8m points)

javascript - Node.js POST login request doesn't return authenticated cookie

I am making a private API wrapper (Edit: I don't have the server-side code since I'm making this for another website, sort of like the Instagram-private-API module) with Node.js and currently, I'm working on the authentication part. When I send the POST request from Postman, I get an authenticated JSESSIONID cookie in the response, e.g.:

Request:

POST /Login.do HTTP/1.1
Host: awebsite.com
Content-Type: application/x-www-form-urlencoded
Content-Length: x

username=myusername&password=mypassword

And the response contains a JSESSIONID, the HTML website content with the logged-in user's information, and a status of 200.

But for some reason when I run the same exact request with Axios (I've tried many alternative modules too) the response HTML I get doesn't contain the user's info, nor does the JSESSIONID cookie return that information when I try it on an alternative endpoint from Postman.

Node.js code:

...
const data = qs.stringify({
    'username': 'myusername',
    'password': 'mypassword' 
});

const config = {
    method: 'post',
    url: 'https://awebsite.com/Login.do',
    headers: { 
      'Content-Type': 'application/x-www-form-urlencoded'
    },
    data
};

axios(config)
    .then(function (response) {
        console.log(JSON.stringify(response.data));
    })
    .catch(function (error) {
        console.log(error);
    });

I have no idea what the problem may be. This question had a similar issue to mine, but instead of the response not containing the user data or correct JSESSIONID, the problem resided in the redirect to the user's dashboard.



1 Answer

0 votes
by (71.8m points)

I had to take a few steps back to just take a look at everything a user does to log in. The most important bit here was the initial GET request to the server which renders the login form.

I usually skip over that, but this time I thought about it deeper and looked at the cookies that my browser had before and after the login. I noticed that the session id (which is needed for all future requests) always stayed the same, so I made a function that GETs the website and stores the session id cookie to a variable. After that, I was able to authenticate that cookie and get the logged-in version of the website with the same code I was using before with an added 'Cookie' header.

The full request function:

const data = qs.stringify({ username, password });

const config = {
    method: 'post',
    url: 'https://awebsite.com/Login.do',
    headers: {
        Cookie: this.cookie,
        'Content-Type': 'application/x-www-form-urlencoded',
    },
    data,
};

const res = await axios(config);

The JSESSIONID generator:

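// Load the site first so the server issues a pre-login session cookie.
const { headers } = await axios.get('https://awebsite.com');

// Keep only the leading "JSESSIONID=<value>;" part of the Set-Cookie line,
// dropping attributes such as Path or HttpOnly.
const JSESSIONID = headers['set-cookie']
    .find((c) => c.startsWith('JSESSIONID'))
    .split(/(?<=;)/)[0];

return JSESSIONID;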
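
The flow described in the answer above (GET the login page, keep its JSESSIONID, send it with the login POST), as an added example that is not the answerer's code. It goes one step further by also handling a server that issues a new JSESSIONID at login. The names `storeCookies`, `cookieHeader` and `login` are hypothetical, and `request` is assumed to be any function with axios's call shape, so `axios` itself can be passed in.

```javascript
// Added example; the function names are hypothetical, not from the original post.
// `request(config)` must resolve to { headers, data } the way axios does in Node,
// where headers['set-cookie'] is an array of raw Set-Cookie lines.

// Merge Set-Cookie lines into the jar, keeping only name=value (no attributes).
function storeCookies(jar, setCookie) {
  for (const line of [].concat(setCookie || [])) {
    const pair = line.split(';')[0];
    const eq = pair.indexOf('=');
    if (eq < 1) continue; // malformed entry, ignore it
    jar.set(pair.slice(0, eq).trim(), pair.slice(eq + 1).trim());
  }
  return jar;
}

// Serialize the jar as a Cookie request header value.
function cookieHeader(jar) {
  return [...jar].map(([name, value]) => `${name}=${value}`).join('; ');
}

async function login(request, baseUrl, username, password) {
  const jar = new Map();

  // Step 1: load the login page so the server issues a pre-login session.
  const page = await request({ method: 'get', url: baseUrl });
  storeCookies(jar, page.headers['set-cookie']);
  const before = jar.get('JSESSIONID');
  if (!before) throw new Error('initial GET did not set JSESSIONID');

  // Step 2: post the credentials inside that session.
  const res = await request({
    method: 'post',
    url: `${baseUrl}/Login.do`,
    headers: {
      Cookie: cookieHeader(jar),
      'Content-Type': 'application/x-www-form-urlencoded',
    },
    data: new URLSearchParams({ username, password }).toString(),
  });

  // Step 3: a server that rotates the session ID at login sends a new
  // JSESSIONID here; later requests must use it, not the pre-login one.
  storeCookies(jar, res.headers['set-cookie']);
  return { cookie: cookieHeader(jar), rotated: jar.get('JSESSIONID') !== before };
}
```

With axios this is called as `await login(axios, 'https://awebsite.com', username, password)`, and the returned `cookie` string goes into the `Cookie` header of every later request.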
