@userId not present in the "protected" hook

[mamaremere]

Using Meteor-Files' protected hook does not provide access to @userId unless you're on localhost.

I've pinpointed the issue to the _getUser method here where the x_mtok cookie is never received by the server. The cookie is present in the browser and has the correct value, equal to Meteor.connection._lastSessionId.

Again, an emphasis on the fact that localhost actually works.

Also, @userId is present in the onBeforeUpload or onBeforeRemove hooks.

[dr-dimitru]

1. Quick guess - you forgot to set ROOT_URL env.var to your host value
2. Could you post here the request headers (which includes cookies, and can be obtained on "Network" tab in dev tools) to the files
3. Make sure you're logged in
4. Also cookies must be enabled (sorry if it's obvious)

We're using protected option as Function at https://files.veliov.com - works like charm

[dr-dimitru]

@mamaremere any news on your end?

[mamaremere]

Hi @dr-dimitru. Thanks for the Quick guess point. It did solve the problem on my local machine. Now the dev app works both on localhost and example.dev (which is set to point to localhost).

However, the issue still remains in production where the x_mtok cookie is never set. The ROOT_URL var is properly set to the example.io domain that runs production. I'm positive that I am properly logged in and, indeed, cookies are enabled.

Also, I'm sorry to disappoint, but it seems that the https://files.veliov.com app faces rather the same issue. The x_mtok cookie is never set for authenticated users. Here's what I did on https://files.veliov.com:

• created an account via Facebook (userId: 2AxRNq7G9Tpw7Atby)
• set the upload permissions to "private" (only I can download the files I upload)
• upload a file (fileId: 4FXW7Hg5v7jeQjvmF)
• trying to download the file while being authenticated actually fails with "Needs authorization"
• setting the upload permissions to "public" (everyone can see the files I upload) actually allows me to download the file. Oh, and the x_mtok cookie seems to be created at this point

So, maybe the ostrio:cookies package may be involved in this?

[dr-dimitru]

Confirmed as bug.
Reproduces everywhere but only on first request. I guess this line executes before user is signed it. Needs to be changed to .onLogin().

Anyways it's weird as it passed tests.

Will be solved soon, stay tuned!

[dr-dimitru]

Hi @mamaremere ,

This issue is fixed in v1.7.3
Could you please update and let me know how it works on your end

[mamaremere]

Thanks, @dr-dimitru. The x_mtok cookie is now properly set.

I'm still having some issues with x_mtok cookie's value not being found in Meteor.server.sessions in production, but this is, most likely, a different issue.

[dr-dimitru]

I'm still having some issues with x_mtok cookie's value not being found in Meteor.server.sessions in production

User must be logged in via DDP, and session must be open

[mamaremere]

@dr-dimitru, it seems that meteorhacks:cluster was the issue in production. Disabling it allowed meteor to properly store sessions with userId in Meteor.server.sessions.

So, afterall the issue was comprised of three issues:

• setting ROOT_URL in the local development environment to http://example.dev:3000
• fixing the x_mtok cookie issue, since the cookie was not always present
• eliminating meteorhacks:cluster since it messed up Meteor.server.sessions

Once again, thank you for your hard work! Much appreciated!